Bug#926280: Don't bundle rubygems

[Louis-Philippe Véronneau]

On Tue, 02 Apr 2019 22:23:13 +0200 Moritz Muehlenhoff <jmm at debian.org>
wrote:
> Package: jruby
> Severity: important
> 
> (This bug isn't really actionable yet, as it depends on #926278 getting fixed
> in src:ruby2.5)
> 
> Please don't use the bundled rubygems any longer, but instead a copy shared
> with the C-based Ruby interpreter.
> 
> Given that most of the security issues in the C-based interpreter don't
> affect Jruby (apart from the rubygems) this will considerably reduce the
> overhead for keeping jruby updated in stable/oldstable.
> 
> I spoke to upstream (CCed) earlier and they confirmed that jruby bundles
> the rubygems unmodified, so that should not cause any run time issues.

The latest upstream release of jruby is only compatible with ruby 2.5
(see [1] for the progress on 2.7), so I don't think this is feasible.

The ruby team is planning on uploading ruby 3.x after the bullseye
freeze and I don't believe jruby can keep up.

[1]: https://github.com/jruby/jruby/issues/6464

-- 
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   pollo at debian.org / veronneau.org
  ⠈⠳⣄

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20201223/f10e0aaf/attachment.sig>