Re: jruby in sid is pretty broken and is a key package. Help?
- To: debian-java@lists.debian.org
- Cc: Louis-Philippe Véronneau <pollo@debian.org>
- Subject: Re: jruby in sid is pretty broken and is a key package. Help?
- From: Markus Koschany <apo@debian.org>
- Date: Wed, 23 Dec 2020 22:44:11 +0100
- Message-id: <ab6de8b37b8b153a75d11d25b4983a6f470b24bc.camel@debian.org>
- In-reply-to: <42a0cfd5-19b8-9d60-620a-4acb1732c171@debian.org>
- References: <42a0cfd5-19b8-9d60-620a-4acb1732c171@debian.org>

Hi,

On Wednesday, 23.12.2020, at 16:15 -0500, Louis-Philippe Véronneau wrote:
> Hello!
>
> While working on a Clojure package that depends on jruby, I noticed it's
> in pretty bad shape:
>
> 1. it FTBFS (#959600)
>
> 2. it has a bunch of CVEs (#972230)
>
> 3. it doesn't run without declaring a specific env var (#977979)
>
> 4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
> not for compatibility reasons (#977981)
>
> 5. it should probably be updated to the latest upstream version, as it
> targets ruby 2.3, which is kinda old and has no security support [1]
> (#895837)

JRuby needs a regular contributor who cares for it. Miguel isn't very active
anymore, so we need someone who wants to keep jruby and its
reverse-dependencies in shape.

> Being a key package, it hasn't been removed from testing, so people
> might have not noticed those issues.
>
> Adrian Bunk says a large part of the Java ecosystem seems to
> transitively depend on jruby, so I guess all those things are Bad™.

Is there a quick way to determine what is the "large part of the Java
ecosystem"? I don't think jruby is really that important. When I run

reverse-depends -b jruby

or

apt-cache rdepends jruby

only libspring-java and libfreemarker-java look like relevant packages.

> Is there someone that could take a look at this package? It's really out
> of my field of expertise and I don't think I'll be able to help :S
>
> PS: I'm not currently subscribed to this list, so please keep me in CC.

If nobody steps forward to maintain jruby, I am more in favor of making r-deps
less dependent on jruby. I am quite sure in most cases support for jruby is
optional but not essential.

Regards,

Markus