
Re: jruby in sid is pretty broken and is a key package. Help?



Hi,

On Wednesday, 23.12.2020, at 16:15 -0500, Louis-Philippe Véronneau wrote:
> Hello!
> 
> While working on a Clojure package that depends on jruby, I noticed it's
> in pretty bad shape:
> 
> 1. it FTBFS (#959600)
> 
> 2. it has a bunch of CVEs (#972230)
> 
> 3. it doesn't run without declaring a specific env var (#977979)
> 
> 4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
> not for compatibility reasons (#977981)
> 
> 5. it should probably be updated to the latest upstream version, as it
> targets ruby 2.3, which is kinda old and has no security support [1]
> (#895837)

JRuby needs a regular contributor who cares for it. Miguel isn't very active
anymore, so we need someone who wants to keep jruby and its reverse-
dependencies in shape.

> Being a key package, it hasn't been removed from testing, so people
> might have not noticed those issues.
> 
> Adrian Bunk says a large part of the Java ecosystem seems to
> transitively depend on jruby, so I guess all those things are Bad™.

Is there a quick way to determine what is the "large part of the Java
ecosystem"? I don't think jruby is really that important. When I run

	reverse-depends -b jruby

or

	apt-cache rdepends jruby

only libspring-java and libfreemarker-java look like relevant packages.


> Is there someone that could take a look at this package? It's really out
> of my field of expertise and I don't think I'll be able to help :S
> 
> PS: I'm not currently subscribed to this list, so please keep me in CC.

If nobody steps forward to maintain jruby, I am more in favor of making r-deps
less dependent on jruby. I am quite sure in most cases support for jruby is
optional but not essential.


Regards,

Markus
