From: Markus Koschany
Newsgroups: linux.debian.maint.java
Subject: Re: jruby in sid is pretty broken and is a key package. Help?
Date: Wed, 23 Dec 2020 22:50:01 +0100
List-Archive: https://lists.debian.org/msgid-search/ab6de8b37b8b153a75d11d25b4983a6f470b24bc.camel@debian.org

Hi,

On Wednesday, 23.12.2020 at 16:15 -0500, Louis-Philippe Véronneau wrote:
> Hello!
>
> While working on a Clojure package that depends on jruby, I noticed it's
> in pretty bad shape:
>
> 1. it FTBFS (#959600)
>
> 2. it has a bunch of CVEs (#972230)
>
> 3. it doesn't run without declaring a specific env var (#977979)
>
> 4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
> not for compatibility reasons (#977981)
>
> 5. it should probably be updated to the latest upstream version, as it
> targets ruby 2.3, which is kinda old and has no security support [1]
> (#895837)

JRuby needs a regular contributor who cares for it. Miguel isn't very active
anymore, so we need someone who wants to keep jruby and its
reverse-dependencies in shape.

> Being a key package, it hasn't been removed from testing, so people
> might have not noticed those issues.
>
> Adrian Bunk says a large part of the Java ecosystem seems to
> transitively depend on jruby, so I guess all those things are Bad™.

Is there a quick way to determine what is the "large part of the Java
ecosystem"? I don't think jruby is really that important. When I run

	reverse-depends -b jruby or apt-cache rdepends jruby

only libspring-java and libfreemarker-java look like relevant packages.

> Is there someone that could take a look at this package? It's really out
> of my field of expertise and I don't think I'll be able to help :S
>
> PS: I'm not currently subscribed to this list, so please keep me in CC.

If nobody steps forward to maintain jruby, I am more in favor of making
r-deps less dependent on jruby. I am quite sure in most cases support for
jruby is optional but not essential.

Regards,

Markus
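
The transitive reach asked about in this thread can be measured by following Build-Depends through a Sources-style index, past the first level of reverse build-dependencies. The Python below is an added example, not part of the original message or of any Debian tool; the sample index is constructed and every package name in it except jruby is hypothetical.

```python
import re
from collections import deque
# Constructed Sources-style index; every package name except jruby is hypothetical.
SAMPLE_SOURCES = """\
Package: jruby

Package: lib-alpha-java
Binary: lib-alpha-java, lib-alpha-java-doc
Build-Depends: debhelper-compat (= 13),
 jruby (>= 9.1) <!nocheck>, default-jdk

Package: lib-beta-java
Build-Depends: lib-alpha-java | lib-other-java, maven-debian-helper

Package: gamma-app
Build-Depends: lib-beta-java [amd64 arm64], default-jdk
"""

def parse_stanzas(text):
    """Yield one dict per stanza, joining indented continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def dep_names(field):
    """Bare names: drops (version), [arch], <profile>, :qualifier; keeps all alternatives."""
    bare = (re.sub(r"\(.*?\)|\[.*?\]|<.*?>", "", c).strip() for c in re.split(r"[,|]", field))
    return {b.split(":")[0] for b in bare if b}

def transitive_rbuild_deps(sources_text, target):
    """Map each source that transitively build-depends on `target` to its distance."""
    builds, needs = {}, {}
    for st in parse_stanzas(sources_text):
        builds[st["Package"]] = dep_names(st.get("Binary", st["Package"]))
        needs[st["Package"]] = dep_names(st.get("Build-Depends", ""))
    distance, queue = {target: 0}, deque([target])
    while queue:
        current = queue.popleft()
        for src, deps in needs.items():
            if src not in distance and deps & builds.get(current, {current}):
                distance[src] = distance[current] + 1
                queue.append(src)
    return {s: d for s, d in distance.items() if s != target}
```

Distance 1 is the direct set; anything at distance 2 or more is reached only transitively. Counting every alternative in an `a | b` clause over-approximates the result.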