1. Forum
  2. Usenet
  3. LINUX.DEBIAN.MAINT.JAVA

  • jruby in sid is pretty broken and is a key package. Help?

    From Markus Koschany@21:1/5 to All on Wed Dec 23 22:50:01 2020
    Hi,

    Am Mittwoch, den 23.12.2020, 16:15 -0500 schrieb Louis-Philippe Véronneau:
    Hello!

    While working on a Clojure package that depends on jruby, I noticed it's
    in pretty bad shape:

    1. it FTBFS (#959600)

    2. it has a bunch of CVEs (#972230)

    3. it doesn't run without declaring a specific env var (#977979)

    4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
    not for compatibility reasons (#977981)

    5. it should probably be updated to the latest upstream version, as it targets ruby 2.3, which is kinda old and has no security support [1] (#895837)

    JRuby needs a regular contributor who cares for it. Miguel isn't very active anymore, so we need someone who wants to keep jruby and its reverse- dependencies in shape.

    Being a key package, it hasn't been removed from testing, so people
    might have not noticed those issues.

    Adrian Bunk says a large part of the Java ecosystem seems to
    transitively depend on jruby, so I guess all those things are Bad™.

    Is there a quick way to determine what is the "large part of the Java ecosystem"? I don't think jruby is really that important. When I run


    reverse-depends -b jruby

    or
    apt-cache rdepends jruby

    only libspring-java and libfreemarker-java look like relevant packages.


    Is there someone that could take a look at this package? It's really out
    of my field of expertise and I don't think I'll be able to help :S

    PS: I'm not currently subscribed to this list, so please keep me in CC.

    If nobody steps forward to maintain jruby, I am more in favor of making r-deps less dependent on jruby. I am quite sure in most cases support for jruby is optional but not essential.


    Regards,

    Markus

    -----BEGIN PGP SIGNATURE-----

    iQKTBAABCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl/juitfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeQjpRAAhkDi+MKxf0oVJoVtJoJ0hycVyLSuZlKWCq+j5nVq+ZhkC2vzmX9tnjTH ldzJeBWqMnXLWVssJUNztLsaQV6gyUJU2M4oeJqlGGi3DxeEYHMXLIBSCizyeBIk zW/OFSPkT4ZEQlaAbnfExJz6kQfy+KcM/b4a8Lrerta6DbQacelQjClkX9z52fXH khk/QtVYp40eufzTZZ9AGUbZY9NEfcj/PB9DZ5/VMPzh1t577/lFoGRgMlSa0DPD THAlWZmoNX24EHHztngz1wo0MpKWS14nRTOuz8NH/NiLRC+R5vJ3RdmN4hx5mh8r 1p6/F9lLQGmO8MC13DhnuAKnf/MV/6sHqL1cf3bmzulLKkJg4fMUd3+XPe4lAgE5 98oAyix+plyjz0BM26zaAyZ3BfHdwr/OT/Qy1zVluocy14K22lgiF3T34UYFynGc W66OLIR0IuXTvSngcc8kHUnzvo0P4sZjHg0yaonuheB78oSr4Oqyo2gpW5X3nQbN Tz6f/ZAUP3qH/O4DUhqySWRI3foC0SxNELX3mReNsDYcqRK69cTOTerj0eSTW47P R1JH2VW6L1DYz0+T8PjKYhgNCo4rL0FDVBDVphQxw8iW0txOgcyKQPqd4PLAr5+a YRUuFjsZ881zPdi0gK0O3HTCDDE2lgsnneSYa6vMCh8ZmrsWKqM=
    =Kf5e
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From =?UTF-8?Q?Louis-Philippe_V=c3=a9ron@21:1/5 to All on Wed Dec 23 22:20:01 2020
    This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --vQiNtngeqmRRy5fgDHex2avFRiWBsuMkN
    Content-Type: text/plain; charset=utf-8
    Content-Language: en-US
    Content-Transfer-Encoding: quoted-printable

    Hello!

    While working on a Clojure package that depends on jruby, I noticed it's
    in pretty bad shape:

    1. it FTBFS (#959600)

    2. it has a bunch of CVEs (#972230)

    3. it doesn't run without declaring a specific env var (#977979)

    4. it loads gems from /usr/lib/ruby/vendor_ruby and it probably should
    not for compatibility reasons (#977981)

    5. it should probably be updated to the latest upstream version, as it
    targets ruby 2.3, which is kinda old and has no security support [1]
    (#895837)

    Being a key package, it hasn't been removed from testing, so people
    might have not noticed those issues.

    Adrian Bunk says a large part of the Java ecosystem seems to
    transitively depend on jruby, so I guess all those things are Bad™.

    Is there someone that could take a look at this package? It's really out
    of my field of expertise and I don't think I'll be able to help :S

    PS: I'm not currently subscribed to this list, so please keep me in CC.

    [1]: https://www.ruby-lang.org/en/news/2018/06/20/support-of-ruby-2-2-has-ended/

    --
    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ Louis-Philippe Véronneau
    ⢿⡄⠘⠷⠚⠋ [email protected] / veronneau.org
    ⠈⠳⣄


    --vQiNtngeqmRRy5fgDHex2avFRiWBsuMkN--

    -----BEGIN PGP SIGNATURE-----

    wsF5BAABCAAjFiEEZ39U8fqGga2OwLzmeurE7GqqCpcFAl/js1oFAwAAAAAACgkQeurE7GqqCpc4 eQ//YB+tatRRTtlDo+3SdXYccAwC7I6U6WWgHaTKbgltaolVCnkCwDmd/k2FD1rEQ3F7wXmaGHVv 73mpUi/QcUKcBAU/MonfB3aSRFZdN3dI6hoNWMW9TvMZg7Nb4XKWIAUqJxPQPq99Hb3EVwgs/Jdy ZRB+TVSDFUFy6aS9IK1F3YZGhtj+fEp2FV+yojvE0RY4h7lrOhoNvXNTrKnIz/My3qb/C9eRArOJ KsOnjlr73O2DLNiezHUCDaEwrHp72/DdEXaCEPZjWCZpok0g/JEpd4xPAJrMFr7LcNuyuzcS8uuT PdVEfw/BSw+wJgn4ZRkTw45RKQhQU4iDaD13o1VrGmiiuytPrwQVhjiFDhydkx/8ONBBaWUfKScg AmfAwZ/GEj8izGzHV4ZUNqD0M/IRDDyLkzURLuOVo2/rNPA+ZA24A8u3DXx0ZuFUSMtT/0Mfi3ll so2vewpJpU37UH8MAagCKCJGsyMgZSmJv1dwIAUOhy6kyPb1TpLRpoSQaK1wjC2p84sxyp+gISk7 Q7SgkQ9Fik9HXMaf64maPFivStT3hokiQTmpjp1zEndKaCc34J3SHQhlWNNVGxlwQaDSZA2YxfWO 8/fc4NWS1xoSaLGXyyUP6xc6Wj/Yq3H/m5k+iRDg3nEHNLeOCC5bbe1aHw50mu1sZ+2Pw5XQF5Od f54=
    =5vX8
    -
  • From =?UTF-8?Q?Louis-Philippe_V=c3=a9ron@21:1/5 to Markus Koschany on Wed Dec 23 23:00:02 2020
    To: [email protected]

    This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --YeYutzVotSqim1vEF3omVSM6hzD8jeAcE
    Content-Type: text/plain; charset=utf-8
    Content-Language: en-US
    Content-Transfer-Encoding: quoted-printable

    On 2020-12-23 16 h 44, Markus Koschany wrote:
    Adrian Bunk says a large part of the Java ecosystem seems to
    transitively depend on jruby, so I guess all those things are Bad™.

    Is there a quick way to determine what is the "large part of the Java ecosystem"? I don't think jruby is really that important. When I run


    reverse-depends -b jruby

    or
    apt-cache rdepends jruby

    only libspring-java and libfreemarker-java look like relevant packages.


    Is there someone that could take a look at this package? It's really out
    of my field of expertise and I don't think I'll be able to help :S

    PS: I'm not currently subscribed to this list, so please keep me in CC.

    If nobody steps forward to maintain jruby, I am more in favor of making r-deps
    less dependent on jruby. I am quite sure in most cases support for jruby is optional but not essential.

    Ah, maybe that's what it is yes, I haven't looked at the rdepends very
    hard, I just saw it was a key package.

    If re-working the r-deps is the solution, so be it, but it would be a
    shame, as I need jruby to package Puppet 6 :(

    --
    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ Louis-Philippe Véronneau
    ⢿⡄⠘⠷⠚⠋ [email protected] / veronneau.org
    ⠈⠳⣄


    --YeYutzVotSqim1vEF3omVSM6hzD8jeAcE--

    -----BEGIN PGP SIGNATURE-----

    wsF5BAABCAAjFiEEZ39U8fqGga2OwLzmeurE7GqqCpcFAl/jvBQFAwAAAAAACgkQeurE7GqqCpdH XRAAqUUCi6IGPQcfoPog3HkG03S2ls8kMQLcycArkW9oCQ2QeXE81wgmhT8P2OkuxwBSBfIZDyiV DZajkvTi3njsIheLk/eJeifNilD+PHYy46qHjcnvvYN55BvfbAHEA7zC8Iqaha6nZ91KwMSMHAVd JNvIOVx6Gh2O/8yg9zIE2U/hhWgdGZCmIavlUvV4zh7GZeORI8PHiE9NqYHWHte+r3/r3IdV4b+K ecjGsDE+yLEb3x4LiDvtmkOEqXsxCXslddsJLDvaTtqBAANBnZLcvgGsFa4PmXL3jLuOkAiDfA44 jLfLGGtlhYYdy/IBf8zh6VBv0dUyju3vwi3a2p5fHsX4SBIK4em0WUzZRuPtlwD7ffZQ9vRdyNf4 J48+BRVjgSe1/whyKszD7ftaSqoEBilJbLhXuJ59DHIOlUamk8TdBl32lIBLbpf0tS78YjxYsNxU x/+Yia/y9V1Z8TGqMV0Nu2TI7xvaD72AJpP1b5ReaM1HOprpl1hMmTui0dmUZ7vwU3octd0VhWt4 dRTQvXgZD9J14MUfDaTIyxQlSEF2QHNX5IIOUZF9vxhusPCNOyRHgLEk8M9lWd2PZ41jJmi+t0Zw Rwlc+6pyWhw0QMy16uhbp3yh5urbd9AwjbN8d70dV7n1AEUs+IrjCVmcFYI0BO9Noytl/KhUvXf3 hm4=
    =r9CI
    -
  • From Adrian Bunk@21:1/5 to Markus Koschany on Wed Dec 23 23:30:02 2020
    On Wed, Dec 23, 2020 at 10:44:11PM +0100, Markus Koschany wrote:
    ...
    Am Mittwoch, den 23.12.2020, 16:15 -0500 schrieb Louis-Philippe Véronneau:
    ...
    Adrian Bunk says a large part of the Java ecosystem seems to
    transitively depend on jruby, so I guess all those things are Bad™.

    Is there a quick way to determine what is the "large part of the Java ecosystem"? I don't think jruby is really that important. When I run


    reverse-depends -b jruby

    or
    apt-cache rdepends jruby

    only libspring-java and libfreemarker-java look like relevant packages.
    ...

    jruby
    -> libspring-java
    -> guice
    -> gradle
    -> maven

    Regards,

    Markus

    cu
    Adrian

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sudip Mukherjee@21:1/5 to [email protected] on Thu Dec 24 01:00:01 2020
    On Wed, Dec 23, 2020 at 11:48 PM Markus Koschany <[email protected]> wrote:

    Am Mittwoch, den 23.12.2020, 23:54 +0200 schrieb Adrian Bunk:

    jruby
    -> libspring-java
    -> guice
    -> gradle
    -> maven


    We should try to break this dependency-chain. gradle and maven in Debian don't
    really need jruby.

    iiuc, libspring-java has 'jruby' as optional. so it should be possible
    to remove that.


    --
    Regards
    Sudip

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Markus Koschany@21:1/5 to All on Thu Dec 24 00:50:01 2020
    Am Mittwoch, den 23.12.2020, 23:54 +0200 schrieb Adrian Bunk:

    jruby
    -> libspring-java
    -> guice
    -> gradle
    -> maven


    We should try to break this dependency-chain. gradle and maven in Debian don't really need jruby.

    Markus

    -----BEGIN PGP SIGNATURE-----

    iQKTBAABCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl/j1x9fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeTT4A//XbidX+1EqoWNI8ZmaUeq7EizZ0ZgiIPDyBmR18PL62csuwMYNF+eu9rh /igvyPvrg14l3BNJiT/UC0tuG4HG4AzYNT91CrWedZQM2q5rwEqxOt5i84xLIsho GACNC8BsyI0RcQrbqTZ9VE30ZPMk9vzbmOGr3xaOua6nVaECiq/6F/hwcRb0dNTN JTA8x+ulTyqHuuiKFvluvvlemx0El+6BPqyOOST5z2zPhO/o4EqGoQKSS1o7jNgJ dcC8Gsn/LsJvUBtXcyRmyPYBfaqIRVeGUyGbYIZn8P3nIdmdKO0SkydvkhQr98FV sz/4Fcg8m/+DbdU7ogeqBXjM9b4xuQCz3Rj6oiyrcf8i+ml1L3licYjEdR9vWZia bnSzL+igvlhQ8fGJrDLtM2/cdM34UYmvMBrGIy4xsyH9JaFpiBQRsm193TOFJc9a pNkvgRSXarnygRdk56LUZgRhXFhzkxzNzDiRn7NPsCCfihzhi0VH0zKG4dCk3x+5 ZhCpXqzVyLQbIHC1UPJaSrd/q22zfTXAeLEKa9o/AFhJgs6YZu4Trvu4dGPQ/WdJ IaToNQQUR1RbDgLZdFChwFrRT+Au3zVO3rRTZ3znz51nqzo4rCu2/6awhZReCdxJ mvMcEgGGvRxLGKK+AKTA1Wv6VKcbAKZ9RiuCB4y87YjB6jut3pM=
    =JBY2
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From =?UTF-8?Q?Louis-Philippe_V=c3=a9ron@21:1/5 to Markus Koschany on Wed Dec 30 20:20:01 2020
    This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --TI6ECSTPzwVr35xyFMNpROXoi0pp56pYD
    Content-Type: text/plain; charset=utf-8
    Content-Language: en-US
    Content-Transfer-Encoding: quoted-printable

    On 2020-12-23 16 h 44, Markus Koschany wrote:
    If nobody steps forward to maintain jruby, I am more in favor of making r-deps
    less dependent on jruby. I am quite sure in most cases support for jruby is optional but not essential.

    FWIW, I've started looking at updating jruby. I've touched 2 deps
    already (backport9 and jnr-constants) and zigo refreshed all the patches
    for the latest version [1].

    I won't promise anything, but it's not like I can make jruby less usable
    than it currently is :)

    [1]: https://salsa.debian.org/zigo/jruby

    --
    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ Louis-Philippe Véronneau
    ⢿⡄⠘⠷⠚⠋ [email protected] / veronneau.org
    ⠈⠳⣄


    --TI6ECSTPzwVr35xyFMNpROXoi0pp56pYD--

    -----BEGIN PGP SIGNATURE-----

    wsF5BAABCAAjFiEEZ39U8fqGga2OwLzmeurE7GqqCpcFAl/s0QYFAwAAAAAACgkQeurE7GqqCpcO bxAArlcPw6r7F1a5BLuWz7xdvAwiIto9j1ECxzHnHrtm4+VOEKVWreAUW9ZA2xT3yMt+6FH43VBi becrtdVBrsWOtcgwBh3oormK3UwSpF5uzThNPGsV4DifdMqnSL8R9MvvqonaSOawjMDAXzw9ofSI vqt7sWkjwmqsbyJUf7ku9eMjJ9lpdn0rx83xdnVORWQbYTfxKmxx2DmzSh9eo/GvqQ1RjGkqO2Vi nbtLDsctn3fYWBOa6qdsPCATnfRokvwy6/7QglH7b6SOvG5dIKYo0i0sWa+GEbkicf/Zi0IwJANt hNjITvR27aNRrRxsJuH1AsqlLHwbErijKLCUod9mX5eSrx03M1597fXJY6eb9ukzmf6nWqJAYlhH N0A0EAn5CSHn6QqzNPbRjGqbbXyjtSBpg8Fz8HJPXpfHCxedVUuaLo8nthb+DaKm/SKfnPLD6WOs cvlWSdTf9l1nvcnnmZDPzycZ4fevMAoh9RlE1wjef/FleFwhZijLAbIjek6ZlXN2eCfJxR+kvd4s v4d6jCyymxDu0STJlEQGJ1WwtaUrnqTU+kEtk65+yAIB6hK1QXpCfVw71TpjdG/2sGef5/IKzdxs TIvuouQCLDpKHJ2OA/tPryW94g5pjpI5b5skxmnmHU3afWc+UIhqSG8Lx78M+93LumLV8YgAmlhV yx0=
    =roXx
    -