Bug#926280: Don't bundle rubygems
Louis-Philippe Véronneau
pollo at debian.org
Wed Dec 23 19:36:44 GMT 2020
On Tue, 02 Apr 2019 22:23:13 +0200 Moritz Muehlenhoff <jmm at debian.org>
wrote:
> Package: jruby
> Severity: important
>
> (This bug isn't really actionable yet, as it depends on #926278 getting fixed
> in src:ruby2.5)
>
> Please don't use the bundled rubygems any longer, but instead a copy shared
> with the C-based Ruby interpreter.
>
> Given that most of the security issues in the C-based interpreter don't
> affect Jruby (apart from the rubygems) this will considerably reduce the
> overhead for keeping jruby updated in stable/oldstable.
>
> I spoke to upstream (CCed) earlier and they confirmed that jruby bundles
> the rubygems unmodified, so that should not cause any run time issues.
The latest upstream release of jruby is only compatible with ruby 2.5
(see [1] for the progress on 2.7), so I don't think this is feasible.
The ruby team is planning on uploading ruby 3.x after the bullseye
freeze and I don't believe jruby can keep up.
[1]: https://github.com/jruby/jruby/issues/6464
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Louis-Philippe Véronneau
⢿⡄⠘⠷⠚⠋ pollo at debian.org / veronneau.org
⠈⠳⣄
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20201223/f10e0aaf/attachment.sig>
More information about the pkg-java-maintainers
mailing list