From: Louis-Philippe Véronneau
Newsgroups: linux.debian.maint.java
To: debian-java@lists.debian.org
Subject: jruby in sid is pretty broken and is a key package. Help?
Date: Wed, 23 Dec 2020 22:20:01 +0100
Message-ID: <42a0cfd5-19b8-9d60-620a-4acb1732c171@debian.org>
List-Archive: https://lists.debian.org/msgid-search/42a0cfd5-19b8-9d60-620a-4acb1732c171@debian.org

Hello!

While working on a Clojure package that depends on jruby, I noticed it's in pretty bad shape:

1. it FTBFS (#959600)
2. it has a bunch of CVEs (#972230)
3. it doesn't run without declaring a specific env var (#977979)
4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should not for compatibility reasons (#977981)
5. it should probably be updated to the latest upstream version, as it targets ruby 2.3, which is kinda old and has no security support [1] (#895837)

Being a key package, it hasn't been removed from testing, so people might not have noticed those issues.

Adrian Bunk says a large part of the Java ecosystem seems to transitively depend on jruby, so I guess all those things are Bad™.

Is there someone that could take a look at this package? It's really out of my field of expertise and I don't think I'll be able to help :S

PS: I'm not currently subscribed to this list, so please keep me in CC.

[1]: https://www.ruby-lang.org/en/news/2018/06/20/support-of-ruby-2-2-has-ended/

-- 
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   pollo@debian.org / veronneau.org
  ⠈⠳⣄