
Upgrade to Gradle 7.3 #5824

Merged
merged 13 commits into from
Nov 18, 2021

Conversation

cbeams
Member

@cbeams cbeams commented Nov 12, 2021

This PR successfully upgrades the build from Gradle 6.6.1 to 7.3, but with a number of caveats that need to be worked out:

  • Our Gradle Witness plugin fork needs to be updated such that it no longer depends on the now-removed compile configuration. The witness plugin has been disabled in the meantime, and it should be re-enabled when fixed.
  • There is quite a bit of duplication now in repeated implementation dependency declarations, now that transitive compile declarations are no longer supported. This may be fine in the end (the explicitness is a good thing), but it's worth considering if we want to tidy them up in some way.
  • The pricenode should be run and thoroughly tested, as its underlying Spring Boot dependency went through a major upgrade from 1.5.10-RELEASE => 2.5.6. As part of this upgrade, the /getVersion endpoint has been removed entirely. @bisq-network/pricenode-operators, is this endpoint something you actually use, or is it fine to remove?

Background: the reason I set out on this upgrade was part of the process of getting Bisq to build on an M1 Mac. That still appears impossible due to a bug in JFoenix's progress meter. See cbeams@3f4fba9 for details. In the meantime, building on an M1 Mac does work so long as you pass -x :desktop:test. Actually running the app, e.g. with ./gradlew :desktop:run, however, does not and will not work until that bug is fixed. In any case, it will be easier to get Bisq building on M1 with this PR merged.

@cbeams cbeams marked this pull request as draft November 12, 2021 22:55
@cbeams
Member Author

cbeams commented Nov 12, 2021

Could one of the @bisq-network/pricenode-operators volunteer to build and run and test this PR? I'd like to get a sanity check that everything is OK with the big Spring Boot upgrade underneath.

This commit does what is necessary to upgrade from Gradle 6.6.1 to
7.3, including:

- generating the new Gradle wrapper
- replacing uses of 'compile' with 'implementation'
- replacing uses of 'testCompile' with 'testImplementation'

Moving from *compile to *implementation results in many more duplicated
dependency declarations throughout the file. These will be tidied up in
a subsequent commit.

Several dependencies needed to be upgraded in order to support this
change. One of them was Spring Boot, from 1.5.1 to 2.5.6. This is a
major upgrade that contained some breaking changes to the Spring Boot
Actuator. These changes required the removal of the pricenode's
/getVersion endpoint.

The Gradle Witness plugin has been disabled in this commit, because it
uses the now-removed 'compile' configuration. Use of the Witness plugin
will be removed entirely in a subsequent commit in favor of using
Gradle's new built-in dependency verification feature.

This commit removes the use of our fork of the gradle-witness plugin in
favor of Gradle's relatively new built-in dependency verification
feature [1].

The gradle/verification-metadata.xml file was produced using the
following command:

    ./gradlew --write-verification-metadata sha256 build

Where `build` is the usual `gradle build` command. All dependency
configurations are resolved this way, and written out to the file.

The resulting file contains 273 unique dependency declarations, as
compared to just 64 in our now-removed gradle-witness.gradle file. This
means that the coverage of dependencies verified is much more complete.

The new file contains the same sha256 checksums for each dependency as
the old file. This was manually spot-checked for a significant number of
the dependencies.

Like with gradle-witness, builds will break when dependencies are
upgraded (and now also when they are added). To fix these breakages, the
`--write-verification-metadata sha256` option must be provided to the
build. Note that new entries will be added for upgraded dependencies, but
old entries are not removed automatically from the file. These must be
removed manually.

[1]: https://docs.gradle.org/current/userguide/dependency_verification.html
@cbeams
Member Author

cbeams commented Nov 13, 2021

Update: the Gradle Witness plugin has been removed entirely in favor of using Gradle's built-in dependency verification. See commit 6f8197b for details.

CI build failed after the previous commit because the new dependency
verification file was generated on a Mac and therefore did not include
linux-specific artifact variants. This same process will need to
be done under Windows as well.

This commit updates the verification-metadata.xml file to include
osx-x86_64 variants of protoc dependencies.
@cbeams
Member Author

cbeams commented Nov 13, 2021

@ripcurlx, could you do the following on your Windows VM?

  • check out this branch
  • run ./gradlew --write-verification-metadata sha256 build
  • commit and push the changes back to this branch

This will (a) ensure the changes in this PR build on windows as expected, and (b) will update the new gradle/verification-metadata.xml file to include entries for any windows-specific artifacts.

This fixes the IllegalAccessError problem documented at
https://stackoverflow.com/a/66981165/622403
@cbeams
Member Author

cbeams commented Nov 13, 2021

Update: @Emzy has agreed to take the pricenode through its paces tomorrow.

This fixes the 'Unsupported class file major version 60' problem
documented at mockito/mockito#2065 to allow building Bisq on JDK 16+.
@cbeams
Member Author

cbeams commented Nov 13, 2021

Update: following the previous two commits, Bisq can now be built under JDK 16 and 17. Previously, it could only be built up to JDK 15.

Ideally, we should update our GitHub workflow to support building under all the JDKs we want to support. Currently we only build under JDK 11.

Prior to this commit, IDEA would fail to build the project because it
downloads javadoc and source jars that do not have entries in the
verification file. These artifacts are now trusted by default as
documented at https://docs.gradle.org/current/userguide/dependency_verification.html#sec:skipping-javadocs

As mentioned in a prior commit, the upgrade to Gradle 7.x results in
many more dependency declarations in the file, many of which are
effectively duplicates. This change does not attempt to eliminate those
duplications in any clever way, but rather just tidies up and organizes
all dependency declarations by sorting them alphabetically.
@cbeams
Member Author

cbeams commented Nov 13, 2021

I believe this PR is now ready to go, at least I intend to make no further changes to it.

What's needed now is testing. As mentioned above, @Emzy will test out the pricenode tomorrow.

I have been unable to build and test out the desktop myself because I'm running on an M1 machine. I'll reach out to a few people directly to see if they'd be willing to just build and run this PR to sanity check it.

This fixes the CI build failure at
https://github.com/bisq-network/bisq/runs/4198811212?check_suite_focus=true#step:6:306
by adding missing entries for findbugs, jsr305 and various netty
artifacts. It is not clear why these artifacts were required under linux
and not under MacOS.

These entries showed up as missing when @jmacxx ran this PR branch on
his local Linux machine under JDK 11. It is not clear why these
dependencies were required there and not elsewhere, e.g. under CI or on
my own Mac.
@Emzy
Contributor

Emzy commented Nov 14, 2021

Not starting after build.

Reproduce:
As stated in the README I used this script to install a fresh pricenode on Ubuntu 20.04.3 LTS:
https://github.com/bisq-network/bisq/blob/master/pricenode/install_pricenode_debian.sh

After that worked I checked out this PR and started as bisq user:

./gradlew clean
./gradlew :pricenode:installDist  -x test

As root:

service bisq-pricenode restart

Error in LOG is:

Nov 14 11:50:33 ubuntu-4gb-fsn1-1 bisq-pricenode[23825]: Error: Could not find or load main class 2
Nov 14 11:50:33 ubuntu-4gb-fsn1-1 bisq-pricenode[23825]: Caused by: java.lang.ClassNotFoundException: 2

Starting manually as user bisq:

bisq@ubuntu-4gb-fsn1-1:~$ /bisq/bisq/bisq-pricenode 2
Error: Could not find or load main class 2
Caused by: java.lang.ClassNotFoundException: 2

@ripcurlx
Contributor

@ripcurlx, could you do the following on your Windows VM?

  • check out this branch
  • run ./gradlew --write-verification-metadata sha256 build
  • commit and push the changes back to this branch

This will (a) ensure the changes in this PR build on windows as expected, and (b) will update the new gradle/verification-metadata.xml file to include entries for any windows-specific artifacts.

How shall I handle changed lib versions? Only commit the artifact entries with newer versions I guess (e.g. com.google.api.grpc, com.faster.xml.jackson,...)?

@cbeams
Member Author

cbeams commented Nov 15, 2021

can you paste the diff here? I'll review and apply it as a patch on my side.

@ripcurlx
Contributor

can you paste the diff here? I'll review and apply it as a patch on my side.

Pasted the patch above ☝️

@cbeams
Member Author

cbeams commented Nov 15, 2021

can you also paste the output of ./gradlew --version?

@ripcurlx
Contributor

------------------------------------------------------------
Gradle 6.6.1
------------------------------------------------------------

Build time:   2020-08-25 16:29:12 UTC
Revision:     f2d1fb54a951d8b11d25748e4711bec8d128d7e3

Kotlin:       1.3.72
Groovy:       2.5.12
Ant:          Apache Ant(TM) version 1.10.8 compiled on May 10 2020
JVM:          11.0.11 (Oracle Corporation 11.0.11+9-LTS-194)
OS:           Windows 10 10.0 amd64

@cbeams
Member Author

cbeams commented Nov 15, 2021

Also, @ripcurlx, with those changes to the verification metadata file in place, are you able to run a full build, i.e. ./gradlew build?

@cbeams
Member Author

cbeams commented Nov 15, 2021

Hm. I see you've got Gradle 6.6.1 there. Should be 7.3 on this branch.

@ripcurlx
Contributor

Hm. I see you've got Gradle 6.6.1 there. Should be 7.3 on this branch.

True - this is weird indeed, but I freshly checked out the branch. Let me check the git log.

@cbeams
Member Author

cbeams commented Nov 15, 2021

@Emzy wrote:

Not starting after build [due to ClassNotFoundException]

See the fix in cb7b0e8. @Emzy, please sync up and try again. Everything is working for me locally.

@cbeams
Member Author

cbeams commented Nov 15, 2021

We're getting close on this PR. @ripcurlx has verified everything works on Windows as expected. @Emzy is verifying pricenode changes. I've seen everything build and run on (non-M1) macos. CI works fine on linux.

Would be good to have a Linux desktop user verify that the app builds and runs successfully there.

@Emzy
Contributor

Emzy commented Nov 15, 2021

Worked after two builds after upgrade from master.

Reproduce:
As stated in the README I used this script to install a fresh pricenode on Ubuntu 20.04.3 LTS and Debian 10:
https://github.com/bisq-network/bisq/blob/master/pricenode/install_pricenode_debian.sh

After that worked I checked out this PR and started as bisq user:

./gradlew clean
./gradlew :pricenode:installDist  -x test

Build error:

...
> Task :common:compileJava
Note: /bisq/bisq/common/src/main/java/bisq/common/util/Utilities.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.

> Task :common:processResources NO-SOURCE
> Task :common:classes
> Task :common:jar

> Task :p2p:compileJava
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.

> Task :p2p:processResources
> Task :p2p:classes
> Task :p2p:jar
> Task :core:compileJava FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':core:compileJava'.
> Dependency verification failed for configuration ':core:compileClasspath'
  One artifact failed verification: jackson-base-2.12.1.pom (com.fasterxml.jackson:jackson-base:2.12.1) from repository MavenRepo
  If the artifacts are trustworthy, you will need to update the gradle/verification-metadata.xml file by following the instructions at https://docs.gradle.org/7.3/userguide/dependency_verification.html#sec:troubleshooting-verification

  Open this report for more details: file:///bisq/bisq/build/reports/dependency-verification/at-1636983752967/dependency-verification-report.html
...

Second build:

./gradlew clean
./gradlew :pricenode:installDist  -x test

No error.

As root:

service bisq-pricenode restart

Works.

@cbeams cbeams marked this pull request as ready for review November 15, 2021 14:32
@cbeams
Member Author

cbeams commented Nov 15, 2021

I've taken this PR out of draft, it's good to merge from my perspective. Thanks @ripcurlx and @Emzy and @jmacxx for testing assistance.

@ripcurlx ripcurlx added this to the v1.8.1 milestone Nov 16, 2021
@ripcurlx
Contributor

I checked all hashes and version changes from the old build file with the new one with following findings:

Library version updates

com.google.protobuf:protobuf-gradle-plugin: 0.8.10 > 0.8.17
org.springframework.boot:spring-boot-gradle-plugin: 1.5.10 > 2.5.6
grpcVersion: 1.25.0 > 1.42.1
lombokVersion: 1.18.12 > 1.18.22
mockitoVersion: 3.5.15 > 4.0.0
protobufVersion: 3.10.0 > 3.19.1

Changed hashes

com.google.api.grpc:proto-google-common-protos
com.google.protobuf:protobuf-java
io.grpc:grpc-api
io.grpc:grpc-context
io.grpc:grpc-core
io.grpc:grpc-netty-shaded
io.grpc:grpc-protobuf-lite
io.grpc:grpc-protobuf
io.grpc:grpc-stub
io.opencensus:opencensus-api
io.opencensus:opencensus-contrib-grpc-metric
io.perfmark:perfmark-api

@cbeams I guess all library version updates were necessary to make this build work?

As we have a very cautious approach on updating libraries, I'd like to get an ACK from more contributors (at least @chimp1984 or @sqrrm)

@cbeams
Member Author

cbeams commented Nov 16, 2021

@cbeams I guess all library version updates were necessary to make this build work?

Correct, each of these upgrades was strictly necessary in order to be able to build / run under Gradle 7+

@chimp1984
Contributor

Where is io.opencensus (https://github.com/census-instrumentation) and io.perfmark (https://github.com/perfmark/perfmark) used?
I did not find a reference in the source code, so I guess it's a transient dependency from some lib (spring?) and should be excluded.

I think we should exclude the price node to an independent project as it has very little Bisq dependency which either could be added as gradle dependency there or just refactored away (I think it was just some utils for currency lists).
That way we would get rid of the spring framework dependencies and probably speed up the build (at least running price node tests is slow due to the real requests).

@ripcurlx Have you tested that update for building the binaries?
Which java version is now required? Does it work already with Java 16? I guess binary build still does not work with that, right? So Java 11 -15 is likely the required version, right?

com.google.protobuf:protobuf-gradle-plugin: 0.8.10 > 0.8.17
org.springframework.boot:spring-boot-gradle-plugin: 1.5.10 > 2.5.6
grpcVersion: 1.25.0 > 1.42.1
lombokVersion: 1.18.12 > 1.18.22
mockitoVersion: 3.5.15 > 4.0.0
protobufVersion: 3.10.0 > 3.19.1

Is the grpcVersion, lombokVersion and protobufVersion required?
I prefer to be conservative as long as not absolutely needed or if they fix a known bug we encounter. Supply chain attack is a real threat so better to minimize that surface. I doubt that a Google lib has big risks to become victim of that, but a lib like lombok has likely less security critical eyes on it.

@ripcurlx
Contributor

@ripcurlx Have you tested that update for building the binaries?

Yes, I've built macOS for now using JDK 15 and JDK 11

So Java 11 -15 is likely the required version, right?

Yes, I think so.

@cbeams
Member Author

cbeams commented Nov 16, 2021

Where is io.opencensus (https://github.com/census-instrumentation) and io.perfmark (https://github.com/perfmark/perfmark) used?
I did not find a reference in the source code, so I guess it's a transient dependency from some lib (spring?) and should be excluded.

perfmark and opencensus are both transitive dependencies of grpc-core. I remember running across them before, quite a while ago, i.e. in an older version of grpc (they're not new). I would not recommend excluding them. Keep in mind that the move away from gradle-witness to Gradle's built-in dependency verification now captures all dependencies, around 273 as opposed to the just 64 dependencies we were tracking before. So it's not surprising they show up here for the first time.

I think we should exclude the price node to an independent project as it has very little Bisq dependency which either could be added as gradle dependency there or just refactored away (I think it was just some utils for currency lists).
That way we would get rid of the spring framework dependencies and probably speed up the build (at least running price node tests is slow due to the real requests).

Sounds like a reasonable change, but I'd recommend making it a subsequent change instead of doing it as part of this PR. I can commit to doing that.

Which java version is now required? Does it work already with Java 16? I guess binary build still does not work with that, right? So Java 11 -15 is likely the required version, right?

Building and running against JDKs 11 -> 15 work in conjunction with this PR. JDK 16 and 17 may work, I can't recall whether I tested them. See also #5835.

Is the grpcVersion, lombokVersion and protobufVersion required?

I can double-check this; one or more of them may not be strictly necessary for the Gradle 7.3 upgrade here, but were rather required for supporting building on Apple M1 (#5835). So even if we didn't upgrade them here, we would definitely have to upgrade them in that PR. For that reason, I'd prefer to leave them as-is here to avoid reworking the PR, dependency verification metadata, etc.

I prefer to be conservative as long as not absolutely needed or if they fix a known bug we encounter. Supply chain attack is a real threat so better to minimize that surface. I doubt that a Google lib has big risks to become victim of that, but a lib like lombok has likely less security critical eyes on it.

I agree supply chain attacks are a real risk, but an overly conservative approach to using and upgrading dependencies is also a risk. This concern is something that comes up over and over again, and I think we'd be wise to come up with an 'official' and pragmatic policy on this matter. I suggest something like the following: that like all code changes, dependency updates cannot be committed without review. And that "review" means that the committer making the change needs to account for why the dependencies are being updated and that the reviewer needs to verify those claims. Both parties should consider the context for the changes, including how likely it is that an attack might be involved. For example, a likely scenario for a supply chain attack would be that some helpful-seeming new contributor comes along and informs us that one of our dependencies is out of date, and that we should really use the newest version of it. This would be a highly suspicious change for obvious reasons. On the other hand, the changes in this PR are by nature much lower risk. We're updating dependencies we've been using for years, and we're doing it for our own reasons on our own timeline. The chances of an attacker coordinating a supply chain attack in conjunction with this PR are not zero, but are very low. We should therefore do basic diligence on the dependencies being changed, but we shouldn't be afraid to make the changes that are necessary to keep our build system up to date, that ensure Bisq can be built on relevant architectures, etc.

@chimp1984
Contributor

chimp1984 commented Nov 16, 2021

Sounds like a reasonable change, but I'd recommend making it a subsequent change instead of doing it as part of this PR. I can commit to doing that.

Yes that would be great. I guess you will know the right way how to do it without losing the GH history (but also if that's not feasible I think it's worth it).

Agree to the statements regarding supply chain attacks...

@cbeams
Member Author

cbeams commented Nov 16, 2021

Yes that would be great. I guess you will know the right way how to do it without losing the GH history (but also if that's not feasible I think it's worth it).

See #5824. Keeping history won't be feasible. I've tried this before, it's not worth the trouble.

Agree to the statements regarding supply chain attacks...

Roger that. Does this PR have your ACK at this point?

@chimp1984
Contributor

Concept ACK


@ripcurlx ripcurlx left a comment

ACK

@ripcurlx ripcurlx modified the milestones: v1.8.1, v1.8.0 Nov 18, 2021
@ripcurlx ripcurlx merged commit c05e7a0 into bisq-network:master Nov 18, 2021
@wiz
Member

wiz commented Nov 18, 2021

I think we should exclude the price node to an independent project as it has very little Bisq dependency which either could be added as gradle dependency there or just refactored away

@chimp1984 yeah I agree, actually we were thinking of doing this as part of the mempool project, but as a low priority task

cbeams added a commit to cbeams/bisq that referenced this pull request Nov 18, 2021
Problem: When merging bisq-network#5824, the absence of this entry caused a build
failure at dependency verification time against JDK11 and JDK15 on
Ubuntu-latest [1]. It may also cause failures on other JDK/OS
combinations, but the GitHub workflow was aborted before those failures
could have occurred. In any case, this omission did not create build
failures on any of the local development machines that tested the
aforementioned PR. Reasons for this discrepancy are unknown.

Solution: manually fetch the pom from [2], run `sha256sum` on it locally
and commit the result to the verification metadata file.

[1]: https://github.com/bisq-network/bisq/runs/4249640611?check_suite_focus=true#step:6:33
[2]: https://repo1.maven.org/maven2/com/fasterxml/jackson/jackson-base/2.11.1/jackson-base-2.11.1.pom
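The checks that Gradle's dependency verification performs against gradle/verification-metadata.xml, as described in the commit messages above (checksums recorded by `--write-verification-metadata sha256`, javadoc/sources jars trusted via regex, stale entries that are never removed automatically, and a manually fetched pom whose `sha256sum` is compared against its entry), as an added Python example; this is not code from the Bisq project or this PR. The metadata file, artifact bytes and checksums are constructed samples, and matching trust patterns with a full-string regex match is an assumption made for the illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: file name -> bytes the build resolved from the repository.
ARTIFACTS = {
    "jackson-base-2.11.1.pom": b"<project>jackson-base 2.11.1 (constructed)</project>",
    "grpc-core-1.42.1.jar": b"PK\x03\x04 grpc-core 1.42.1 (constructed)",
    "lombok-1.18.22-sources.jar": b"PK\x03\x04 lombok sources (constructed)",
    "unlisted-lib-1.0.jar": b"PK\x03\x04 never recorded (constructed)",
}

# Constructed verification-metadata.xml in Gradle's real schema. The grpc-core checksum
# is deliberately wrong; lombok 1.18.12 is a left-over entry from before an upgrade.
METADATA_XML = f"""<verification-metadata xmlns="{NS['v']}">
   <configuration>
      <trusted-artifacts>
         <trust file=".*-javadoc[.]jar" regex="true"/>
         <trust file=".*-sources[.]jar" regex="true"/>
      </trusted-artifacts>
   </configuration>
   <components>
      <component group="com.fasterxml.jackson" name="jackson-base" version="2.11.1">
         <artifact name="jackson-base-2.11.1.pom">
            <sha256 value="{sha256_hex(ARTIFACTS['jackson-base-2.11.1.pom'])}" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="io.grpc" name="grpc-core" version="1.42.1">
         <artifact name="grpc-core-1.42.1.jar">
            <sha256 value="{'0' * 64}" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="org.projectlombok" name="lombok" version="1.18.12">
         <artifact name="lombok-1.18.12.jar">
            <sha256 value="{'1' * 64}" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>"""

def load_metadata(xml_text):
    """Return (trusted regexes, {artifact file name: (coordinates, expected sha256)})."""
    root = ET.fromstring(xml_text)
    trusted = [re.compile(t.get("file")) for t in root.findall(".//v:trust", NS)
               if t.get("regex") == "true"]
    expected = {}
    for comp in root.findall(".//v:components/v:component", NS):
        coords = f"{comp.get('group')}:{comp.get('name')}:{comp.get('version')}"
        for art in comp.findall("v:artifact", NS):
            expected[art.get("name")] = (coords, art.find("v:sha256", NS).get("value"))
    return trusted, expected

def verify(xml_text, artifacts):
    trusted, expected = load_metadata(xml_text)
    report = {"verified": [], "failed": [], "trusted": [], "unlisted": [], "stale": []}
    for fname, data in artifacts.items():
        if any(p.fullmatch(fname) for p in trusted):
            report["trusted"].append(fname)      # e.g. sources/javadoc jars: skipped
        elif fname not in expected:
            report["unlisted"].append(fname)     # no checksum recorded: build would fail
        else:
            coords, want = expected[fname]
            bucket = "verified" if sha256_hex(data) == want else "failed"
            report[bucket].append(f"{coords} ({fname})")
    for fname, (coords, _) in expected.items():
        if fname not in artifacts:               # recorded but no longer resolved
            report["stale"].append(f"{coords} ({fname})")
    return report

if __name__ == "__main__":
    print(verify(METADATA_XML, ARTIFACTS))
```

A real run would read the project's gradle/verification-metadata.xml and the files in Gradle's cache instead of the constructed samples; the `stale` bucket is the list of entries that the commit message says must be removed by hand.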