Hi,

On Wednesday, 23.12.2020 at 16:15 -0500, Louis-Philippe Véronneau wrote:
> Hello!
>
> While working on a Clojure package that depends on jruby, I noticed it's
> in pretty bad shape:
>
> 1. it FTBFS (#959600)
>
> 2. it has a bunch of CVEs (#972230)
>
> 3. it doesn't run without declaring a specific env var (#977979)
>
> 4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
> not for compatibility reasons (#977981)
>
> 5. it should probably be updated to the latest upstream version, as it
> targets ruby 2.3, which is kinda old and has no security support [1]
> (#895837)

JRuby needs a regular contributor who cares for it. Miguel isn't very active
anymore, so we need someone who wants to keep jruby and its reverse-
dependencies in shape.
> Being a key package, it hasn't been removed from testing, so people
> might have not noticed those issues.
>
> Adrian Bunk says a large part of the Java ecosystem seems to
> transitively depend on jruby, so I guess all those things are Bad™.
Is there a quick way to determine what is the "large part of the Java
ecosystem"? I don't think jruby is really that important. When I run
    reverse-depends -b jruby
or
    apt-cache rdepends jruby
only libspring-java and libfreemarker-java look like relevant packages.
> Is there someone that could take a look at this package? It's really out
> of my field of expertise and I don't think I'll be able to help :S
>
> PS: I'm not currently subscribed to this list, so please keep me in CC.
If nobody steps forward to maintain jruby, I am more in favor of making r-deps
less dependent on jruby. I am quite sure in most cases support for jruby is
optional but not essential.
Regards,
Markus

