And a more general question: what is the (OSRF's) update policy for Jenkins
The advice I was given as a Jenkins maintainer is to do the best I can to stay on the latest Jenkins LTS but be very conservative with plugin updates. With the rationale being that LTS releases are quite well vetted before being chosen but plugin release quality is left entirely up to the plugin authors and use-case specific testing needs to be done each release to make sure the plugin still works for you (us).
Jenkins itself should be upgraded to 2.80.x immediately due to vulnerabilities discovered in the just deployed version (2.60.3).
I think you should be fine bumping that to the latest LTS release for your deployment. I try to keep the production configuration in sync with what's actually deployed on build.ros.org . In fact, it might be worth a PR to delete the explicit version requirement from the example configuration since we already request the LTS release via the config key above it. (source link)
ros-infrastructure/buildfarm_deployment/modules/profile/manifests/jenkins/rosplugins.pp 'pins' plugins to very specific versions, so my question is: are there any known issues with updating them that prompted the pinning of plugins in rosplugins.pp?
The initial reason for the version pinning is that the Jenkins puppet module cannot automatically fetch dependencies for plugins due to lack of dependency data for all but the latest release of a plugin. So each plugin and its transitive dependencies must be listed in a puppet manifest with the version desired. The upstream puppet-jenkins issue is https://github.com/jenkinsci/puppet-j...
To keep puppet runs deterministic and save manual labor, particularly in light of the advice to update plugins cautiously, I wrote a little script that polls the live Jenkins server for the currently installed plugins and generates that rosplugins.pp manifest. That script lives in the buildfarm_deployment repo.
To my knowledge at the moment, there is only one plugin that explicitly should not be upgraded at the moment and its the GitHub Pull Request Builder Plugin. There's also an issue with the current version of the plugin but the update contains a worse bug. The issue tracking that is https://github.com/ros-infrastructure...
If you or any other community buildfarm maintainer decide to update plugins ahead of build.ros.org I would be very grateful to learn whether the upgrade was successful or not via an issue or pull request on the buildfarm deployment repository.
I do of course understand that I'm the only one responsible for the security and maintenance of my deployments. This question is more about what the underlying motivation is for the way the deployment scripts are currently setup, and the rationale for installing outdated Jenkins versions.