jruby in sid is pretty broken and is a key package. Help?
- To: debian-java@lists.debian.org
- Subject: jruby in sid is pretty broken and is a key package. Help?
- From: Louis-Philippe Véronneau <pollo@debian.org>
- Date: Wed, 23 Dec 2020 16:15:06 -0500
- Message-id: <42a0cfd5-19b8-9d60-620a-4acb1732c171@debian.org>

Hello!

While working on a Clojure package that depends on jruby, I noticed it's in pretty bad shape:

1. it FTBFS (#959600)
2. it has a bunch of CVEs (#972230)
3. it doesn't run without declaring a specific env var (#977979)
4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should not for compatibility reasons (#977981)
5. it should probably be updated to the latest upstream version, as it targets ruby 2.3, which is kinda old and has no security support [1] (#895837)

Being a key package, it hasn't been removed from testing, so people might have not noticed those issues.

Adrian Bunk says a large part of the Java ecosystem seems to transitively depend on jruby, so I guess all those things are Bad™.

Is there someone that could take a look at this package? It's really out of my field of expertise and I don't think I'll be able to help :S

PS: I'm not currently subscribed to this list, so please keep me in CC.

[1]: https://www.ruby-lang.org/en/news/2018/06/20/support-of-ruby-2-2-has-ended/

--
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   pollo@debian.org / veronneau.org
  ⠈⠳⣄
- Follow-Ups:
- Re: jruby in sid is pretty broken and is a key package. Help?
- From: Markus Koschany <apo@debian.org>