Without this package, after Puppet has upgraded Jenkins and its plugins,
I see:

  Error: /Stage[main]/Jenkins::Cli/Exec[jenkins-cli]: Failed to call refresh: Could not find command 'jar'
  Error: /Stage[main]/Jenkins::Cli/Exec[jenkins-cli]: Could not find command 'jar'

Stored XSS vulnerability for Git plugin 3.12.1:

    https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723

The update of Mailer plugin was not mandatory but can save a bit of work
later.

Stored XSS vulnerability in Subversion Plugin 2.12.2:

    https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1725

Update of dependencies is not needed but may save a bit of work in the
future.

**ATTENTION** -- This plugin was not defined in Puppet configuration
prior to this commit, but it was installed in our Jenkins instance
(https://jenkins.tails.boum.org).

Dangerous permissions can be configured independently of Administer
permission (in version 1.1):

    https://jenkins.io/security/advisory/2017-04-10/#matrix-authorization-strategy-plugin-allowed-configuring-dangerous-permissions

Dependencies updates are not mandatory, but may save a bit of work in
the future.

Sandbox bypass vulnerabilities in "Script Security" plugin (1.64):

    https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1658
    https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713
    https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1579
    https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754

Stored XSS vulnerability in Timestamper Plugin (1.10):

    https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1784

Timestamper 1.11.2 (non-implied) dependencies:

    Pipeline: API ≥ 2.39
    Pipeline: Step API ≥ 2.19

"Pipeline: Step API" update is not mandatory but does no harm and may
save a bit of work in the future.

Multiple security vulnerabilities in Jenkins 2.196 and earlier, and LTS
2.176.3 and earlier:

    https://jenkins.io/security/advisory/2019-09-25/

Multiple security vulnerabilities in Jenkins 2.227 and earlier, LTS
2.204.5 and earlier:

    https://jenkins.io/security/advisory/2020-03-25/

Multiple vulnerabilities in Jenkins 2.218 and earlier, LTS 2.204.1 and
earlier:

    https://jenkins.io/security/advisory/2020-01-29/

Jenkins is reporting a vulnerability for a version that is older than we
are currently using (2.2.1):

    Exposure of sensitive build variables stored by EnvInject 1.90 and earlier
    https://jenkins.io/security/advisory/2018-02-26/#SECURITY-248

But I'm upgrading anyway because it feels good to be up to date.

I've checked in these pages that dependencies don't change:

    https://plugins.jenkins.io/envinject/
    https://plugins.jenkins.io/envinject-api/

I've looked at the changelogs:

    https://github.com/jenkinsci/envinject-plugin/releases/tag/envinject-2.3.0
    https://github.com/jenkinsci/envinject-api-plugin/commits/envinject-api-1.7

I think upgrading should cause no harm.

I've added this packages 6.5 years ago via
a5b072bbd10cd83d6cd194bf1eba1014393b9333 in puppet-lizard-manifests.git, because
"It's needed to run the test suite of our Perl projects".

But:

 - I've never set up Jenkins jobs that run the test suite of our Perl projects.
 - This package has been orphaned (https://bugs.debian.org/946410).
 - Jenkins now has a TAP plugin (https://plugins.jenkins.io/tap),
   so if we ever set up Jenkins jobs for test suites that natively expose
   their output in the TAP format, we can use that plugin instead
   of converting TAP to JUnit XMP.

Currently, the Jenkins CSS theme does not differentiate which links were
already clicked on the web interface. As that's an important feature for
the workflow of some of Tails devs, the workaround is to customize the
CSS using the Simple Theme plugin.

See: https://issues.jenkins-ci.org/browse/JENKINS-26013

I vaguely hope this will solve a problem with build parameters
not being passed to downstream jobs.

This reverts commit 313274ba.

Subversion is a detached plugin which is distributed with Jenkins, and we think that
if we do not also upgrade it Jenkins will enforce the version of all bundled
plugins.

Another plugin (parameterized-trigger-plugin) needs matrix-project
at least 1.6. We don't want to downgrade that one because we use
it a lot and the older version is at least 3 years old.

So we are reverting the downgrading of matrix-project and will make
Jenkins swallow it somehow.

Jenkins will forcefully downgrade these plugins if we try to run newer
versions of them, so we downgrade them in our Puppet codebase to try to
make jenkins happy.

The /etc/default/jenkins shipped in the upstream packages listens
on all addresses already.

Otherwise, the jenkins package cannot be upgraded to 2.x because
it ships a file that's in the old jenkins-common package.