On Tue, 02 Apr 2019 22:23:13 +0200 Moritz Muehlenhoff <j...@debian.org> wrote: > Package: jruby > Severity: important > > (This bug isn't really actionable yet, as it depends on #926278 getting fixed > in src:ruby2.5) > > Please don't use the bundled rubygems any longer, but instead a copy shared > with the C-based Ruby interpreter. > > Given that most of the security issues in the C-based interpreter don't > affect Jruby (apart from the rubygems) this will considerably reduce the > overhead for keeping jruby updated in stable/oldstable. > > I spoke to upstream (CCed) earlier and they confirmed that jruby bundles > the rubygems unmodified, so that should not cause any run time issues.
The latest upstream release of jruby is only compatible with ruby 2.5 (see [1] for the progress on 2.7), so I don't think this is feasible. The ruby team is planning on uploading ruby 3.x after the bullseye freeze and I don't believe jruby can keep up. [1]: https://github.com/jruby/jruby/issues/6464 -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Louis-Philippe Véronneau ⢿⡄⠘⠷⠚⠋ po...@debian.org / veronneau.org ⠈⠳⣄
OpenPGP_signature
Description: OpenPGP digital signature
