• jruby in sid is pretty broken and is a key package. Help?

    From Markus Koschany@21:1/5 to All on Wed Dec 23 22:50:01 2020
    Hi,

    On Wednesday, 23.12.2020, 16:15 -0500, Louis-Philippe Véronneau wrote:
    > Hello!
    >
    > While working on a Clojure package that depends on jruby, I noticed it's
    > in pretty bad shape:
    >
    > 1. it FTBFS (#959600)
    >
    > 2. it has a bunch of CVEs (#972230)
    >
    > 3. it doesn't run without declaring a specific env var (#977979)
    >
    > 4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
    > not for compatibility reasons (#977981)
    >
    > 5. it should probably be updated to the latest upstream version, as it
    > targets ruby 2.3, which is kinda old and has no security support [1]
    > (#895837)

    JRuby needs a regular contributor who cares for it. Miguel isn't very
    active anymore, so we need someone who wants to keep jruby and its
    reverse-dependencies in shape.

    > Being a key package, it hasn't been removed from testing, so people
    > might have not noticed those issues.
    >
    > Adrian Bunk says a large part of the Java ecosystem seems to
    > transitively depend on jruby, so I guess all those things are Bad™.

    Is there a quick way to determine what is the "large part of the Java
    ecosystem"? I don't think jruby is really that important. When I run

    reverse-depends -b jruby

    or

    apt-cache rdepends jruby

    only libspring-java and libfreemarker-java look like relevant packages.

    > Is there someone that could take a look at this package? It's really out
    > of my field of expertise and I don't think I'll be able to help :S
    >
    > PS: I'm not currently subscribed to this list, so please keep me in CC.

    If nobody steps forward to maintain jruby, I am more in favor of making
    r-deps less dependent on jruby. I am quite sure in most cases support for
    jruby is optional but not essential.


    Regards,

    Markus


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Louis-Philippe Véronneau@21:1/5 to All on Wed Dec 23 22:20:01 2020

    Hello!

    While working on a Clojure package that depends on jruby, I noticed it's
    in pretty bad shape:

    1. it FTBFS (#959600)

    2. it has a bunch of CVEs (#972230)

    3. it doesn't run without declaring a specific env var (#977979)

    4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
    not for compatibility reasons (#977981)

    5. it should probably be updated to the latest upstream version, as it
    targets ruby 2.3, which is kinda old and has no security support [1]
    (#895837)

    Being a key package, it hasn't been removed from testing, so people
    might have not noticed those issues.

    Adrian Bunk says a large part of the Java ecosystem seems to
    transitively depend on jruby, so I guess all those things are Bad™.

    Is there someone that could take a look at this package? It's really out
    of my field of expertise and I don't think I'll be able to help :S

    PS: I'm not currently subscribed to this list, so please keep me in CC.

    [1]: https://www.ruby-lang.org/en/news/2018/06/20/support-of-ruby-2-2-has-ended/

    --
    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ Louis-Philippe Véronneau
    ⢿⡄⠘⠷⠚⠋ pollo@debian.org / veronneau.org
    ⠈⠳⣄


  • From Louis-Philippe Véronneau@21:1/5 to Markus Koschany on Wed Dec 23 23:00:02 2020
    To: debian-java@lists.debian.org

    On 2020-12-23 16 h 44, Markus Koschany wrote:
    >> Adrian Bunk says a large part of the Java ecosystem seems to
    >> transitively depend on jruby, so I guess all those things are Bad™.
    >
    > Is there a quick way to determine what is the "large part of the Java
    > ecosystem"? I don't think jruby is really that important. When I run
    >
    > reverse-depends -b jruby
    >
    > or
    >
    > apt-cache rdepends jruby
    >
    > only libspring-java and libfreemarker-java look like relevant packages.
    >
    >> Is there someone that could take a look at this package? It's really out
    >> of my field of expertise and I don't think I'll be able to help :S
    >>
    >> PS: I'm not currently subscribed to this list, so please keep me in CC.
    >
    > If nobody steps forward to maintain jruby, I am more in favor of making
    > r-deps less dependent on jruby. I am quite sure in most cases support for
    > jruby is optional but not essential.

    Ah, maybe that's what it is yes, I haven't looked at the rdepends very
    hard, I just saw it was a key package.

    If re-working the r-deps is the solution, so be it, but it would be a
    shame, as I need jruby to package Puppet 6 :(

  • From Adrian Bunk@21:1/5 to Markus Koschany on Wed Dec 23 23:30:02 2020
    On Wed, Dec 23, 2020 at 10:44:11PM +0100, Markus Koschany wrote:
    > ...
    > On Wednesday, 23.12.2020, 16:15 -0500, Louis-Philippe Véronneau wrote:
    >> ...
    >> Adrian Bunk says a large part of the Java ecosystem seems to
    >> transitively depend on jruby, so I guess all those things are Bad™.
    >
    > Is there a quick way to determine what is the "large part of the Java
    > ecosystem"? I don't think jruby is really that important. When I run
    >
    > reverse-depends -b jruby
    >
    > or
    >
    > apt-cache rdepends jruby
    >
    > only libspring-java and libfreemarker-java look like relevant packages.
    > ...

    jruby
    -> libspring-java
    -> guice
    -> gradle
    -> maven

    > Regards,
    >
    > Markus

    cu
    Adrian

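    The question raised in this thread, how to tell whether a package really sits
    under "a large part of the Java ecosystem", is a transitive reverse-dependency
    walk. The following is an added example, not code from any participant or from
    the Debian tooling: it parses a small, constructed set of Packages-style
    stanzas (the package names mirror the chain Adrian quoted, the relationship
    kinds are invented for illustration) and walks the reverse graph, once over
    hard relations only and once including Suggests/Recommends. The difference
    between the two walks is exactly the set of packages that could be detached by
    dropping an optional relation, which is the point made later in the thread.

    ```python
    """Transitive reverse-dependency walk over Debian-style Packages stanzas."""
    import re
    from collections import defaultdict, deque

    # Constructed sample, modelled on the chain quoted in the thread; this is not
    # real archive data, and the relationship kinds are assumptions for the demo.
    SAMPLE_PACKAGES = """\
    Package: jruby
    Depends: default-jre-headless

    Package: libspring-java
    Depends: libfreemarker-java (>= 2.3)
    Suggests: jruby

    Package: libfreemarker-java
    Suggests: jruby

    Package: guice
    Depends: libspring-java

    Package: gradle
    Depends: guice

    Package: maven
    Depends: gradle

    Package: puppet
    Depends: jruby | ruby
    """

    RELATION_FIELDS = ("Depends", "Pre-Depends", "Recommends", "Suggests", "Build-Depends")
    HARD_FIELDS = ("Depends", "Pre-Depends")


    def parse_stanzas(text):
        """Return {package: {field: set(of package names)}} from Packages-style text.

        Version constraints such as "(>= 2.3)" are stripped and every alternative
        in an "a | b" relation is recorded, since either could pull the package in.
        """
        stanzas = {}
        for block in re.split(r"\n\s*\n", text.strip()):
            fields = {}
            for line in block.splitlines():
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
            rels = {}
            for field in RELATION_FIELDS:
                if field in fields:
                    rels[field] = {
                        re.sub(r"\s*\(.*?\)", "", alt).strip()
                        for dep in fields[field].split(",")
                        for alt in dep.split("|")
                        if alt.strip()
                    }
            stanzas[fields["Package"]] = rels
        return stanzas


    def reverse_graph(stanzas, fields):
        """Map each package to the set of packages that relate to it via `fields`."""
        rdeps = defaultdict(set)
        for pkg, rels in stanzas.items():
            for field in fields:
                for dep in rels.get(field, ()):
                    rdeps[dep].add(pkg)
        return rdeps


    def transitive_rdepends(stanzas, root, fields=HARD_FIELDS):
        """Breadth-first walk up the reverse graph; returns {package: depth}."""
        rdeps = reverse_graph(stanzas, fields)
        depth = {root: 0}
        queue = deque([root])
        while queue:
            cur = queue.popleft()
            for parent in sorted(rdeps.get(cur, ())):
                if parent not in depth:
                    depth[parent] = depth[cur] + 1
                    queue.append(parent)
        del depth[root]
        return depth


    def optional_only_rdepends(stanzas, root):
        """Packages that reach `root` only through Suggests/Recommends somewhere on
        the path, i.e. the ones an optional relation could be dropped to detach."""
        hard = transitive_rdepends(stanzas, root)
        soft = transitive_rdepends(stanzas, root, fields=RELATION_FIELDS)
        return {pkg: d for pkg, d in soft.items() if pkg not in hard}


    if __name__ == "__main__":
        pkgs = parse_stanzas(SAMPLE_PACKAGES)
        print("hard reverse-depends of jruby:", transitive_rdepends(pkgs, "jruby"))
        print("reachable only via optional relations:", optional_only_rdepends(pkgs, "jruby"))
    ```

    On the constructed data the hard walk finds only puppet, while the walk that
    also follows Suggests pulls in libspring-java, libfreemarker-java, guice,
    gradle and maven; running the same walk over a real Packages index (for
    example the output of apt-cache dumpavail) shows which part of a chain is a
    hard dependency and which part would disappear once one optional relation is
    removed.
    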
  • From Sudip Mukherjee@21:1/5 to apo@debian.org on Thu Dec 24 01:00:01 2020
    On Wed, Dec 23, 2020 at 11:48 PM Markus Koschany <apo@debian.org> wrote:
    >
    > On Wednesday, 23.12.2020, 23:54 +0200, Adrian Bunk wrote:
    >
    >> jruby
    >> -> libspring-java
    >> -> guice
    >> -> gradle
    >> -> maven
    >
    > We should try to break this dependency-chain. gradle and maven in Debian don't
    > really need jruby.

    iiuc, libspring-java has 'jruby' as optional. so it should be possible
    to remove that.


    --
    Regards
    Sudip

  • From Markus Koschany@21:1/5 to All on Thu Dec 24 00:50:01 2020
    On Wednesday, 23.12.2020, 23:54 +0200, Adrian Bunk wrote:
    >
    > jruby
    > -> libspring-java
    > -> guice
    > -> gradle
    > -> maven

    We should try to break this dependency-chain. gradle and maven in Debian
    don't really need jruby.

    Markus

  • From Louis-Philippe Véronneau@21:1/5 to Markus Koschany on Wed Dec 30 20:20:01 2020

    On 2020-12-23 16 h 44, Markus Koschany wrote:
    > If nobody steps forward to maintain jruby, I am more in favor of making
    > r-deps less dependent on jruby. I am quite sure in most cases support for
    > jruby is optional but not essential.

    FWIW, I've started looking at updating jruby. I've touched 2 deps
    already (backport9 and jnr-constants) and zigo refreshed all the patches
    for the latest version [1].

    I won't promise anything, but it's not like I can make jruby less usable
    than it currently is :)

    [1]: https://salsa.debian.org/zigo/jruby
