| From | Markus Koschany <apo@debian.org> |
|---|---|
| Newsgroups | linux.debian.maint.java |
| Subject | Re: jruby in sid is pretty broken and is a key package. Help? |
| Date | 2020-12-23 22:50 +0100 |
| Message-ID | <Bpkb7-81t-3@gated-at.bofh.it> |
| References | <BpjI5-7S1-5@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Hi,

On Wednesday, 23.12.2020 at 16:15 -0500, Louis-Philippe Véronneau wrote:
> Hello!
>
> While working on a Clojure package that depends on jruby, I noticed it's
> in pretty bad shape:
>
> 1. it FTBFS (#959600)
>
> 2. it has a bunch of CVEs (#972230)
>
> 3. it doesn't run without declaring a specific env var (#977979)
>
> 4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
> not for compatibility reasons (#977981)
>
> 5. it should probably be updated to the latest upstream version, as it
> targets ruby 2.3, which is kinda old and has no security support [1]
> (#895837)

JRuby needs a regular contributor who cares for it. Miguel isn't very active anymore, so we need someone who wants to keep jruby and its reverse-dependencies in shape.

> Being a key package, it hasn't been removed from testing, so people
> might have not noticed those issues.
>
> Adrian Bunk says a large part of the Java ecosystem seems to
> transitively depend on jruby, so I guess all those things are Bad™.

Is there a quick way to determine what is the "large part of the Java ecosystem"? I don't think jruby is really that important. When I run

reverse-depends -b jruby

or

apt-cache rdepends jruby

only libspring-java and libfreemarker-java look like relevant packages.

> Is there someone that could take a look at this package? It's really out
> of my field of expertise and I don't think I'll be able to help :S
>
> PS: I'm not currently subscribed to this list, so please keep me in CC.

If nobody steps forward to maintain jruby, I am more in favor of making r-deps less dependent on jruby. I am quite sure in most cases support for jruby is optional but not essential.

Regards,

Markus
jruby in sid is pretty broken and is a key package. Help? Louis-Philippe Véronneau <pollo@debian.org> - 2020-12-23 22:20 +0100
Re: jruby in sid is pretty broken and is a key package. Help? Markus Koschany <apo@debian.org> - 2020-12-23 22:50 +0100
Re: jruby in sid is pretty broken and is a key package. Help? Louis-Philippe Véronneau <pollo@debian.org> - 2020-12-23 23:00 +0100
Re: jruby in sid is pretty broken and is a key package. Help? Adrian Bunk <bunk@debian.org> - 2020-12-23 23:30 +0100
Re: jruby in sid is pretty broken and is a key package. Help? Markus Koschany <apo@debian.org> - 2020-12-24 00:50 +0100
Re: jruby in sid is pretty broken and is a key package. Help? Sudip Mukherjee <sudipm.mukherjee@gmail.com> - 2020-12-24 01:00 +0100
Re: jruby in sid is pretty broken and is a key package. Help? Louis-Philippe Véronneau <pollo@debian.org> - 2020-12-30 20:20 +0100