
jruby in sid is pretty broken and is a key package. Help?


While working on a Clojure package that depends on jruby, I noticed it's
in pretty bad shape:

1. it FTBFS (#959600)

2. it has a bunch of CVEs (#972230)

3. it doesn't run without declaring a specific env var (#977979)

4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
not for compatibility reasons (#977981)

5. it should probably be updated to the latest upstream version, as it
targets ruby 2.3, which is kinda old and has no security support [1]

Being a key package, it hasn't been removed from testing, so people
might not have noticed those issues.

Adrian Bunk says a large part of the Java ecosystem seems to
transitively depend on jruby, so I guess all those things are Bad™.

Is there someone that could take a look at this package? It's really out
of my field of expertise and I don't think I'll be able to help :S

PS: I'm not currently subscribed to this list, so please keep me in CC.


  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   pollo@debian.org / veronneau.org
