Hello!
While working on a Clojure package that depends on jruby, I noticed it's
in pretty bad shape:
1. it FTBFS (#959600)
2. it has a bunch of CVEs (#972230)
3. it doesn't run without declaring a specific env var (#977979)
4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
not for compatibility reasons (#977981)
5. it should probably be updated to the latest upstream version, as it targets ruby 2.3, which is kinda old and has no security support [1] (#895837)
Being a key package, it hasn't been removed from testing, so people
might have not noticed those issues.
Adrian Bunk says a large part of the Java ecosystem seems to
transitively depend on jruby, so I guess all those things are Bad™.
Is there someone that could take a look at this package? It's really out
of my field of expertise and I don't think I'll be able to help :S
PS: I'm not currently subscribed to this list, so please keep me in CC.
Adrian Bunk says a large part of the Java ecosystem seems to
transitively depend on jruby, so I guess all those things are Bad™.
Is there a quick way to determine what is the "large part of the Java ecosystem"? I don't think jruby is really that important. When I run
reverse-depends -b jruby
or
apt-cache rdepends jruby
only libspring-java and libfreemarker-java look like relevant packages.
Is there someone that could take a look at this package? It's really out
of my field of expertise and I don't think I'll be able to help :S
PS: I'm not currently subscribed to this list, so please keep me in CC.
If nobody steps forward to maintain jruby, I am more in favor of making r-deps
less dependent on jruby. I am quite sure in most cases support for jruby is optional but not essential.
...
On Wednesday, 23.12.2020, at 16:15 -0500, Louis-Philippe Véronneau wrote:
...
Adrian Bunk says a large part of the Java ecosystem seems to
transitively depend on jruby, so I guess all those things are Bad™.
Is there a quick way to determine what is the "large part of the Java ecosystem"? I don't think jruby is really that important. When I run
reverse-depends -b jruby
or
apt-cache rdepends jruby
only libspring-java and libfreemarker-java look like relevant packages.
...
Regards,
Markus
On Wednesday, 23.12.2020, at 23:54 +0200, Adrian Bunk wrote:
jruby
-> libspring-java
-> guice
-> gradle
-> maven
We should try to break this dependency-chain. gradle and maven in Debian don't
really need jruby.