puppet-dashboard is one of the only remaining ports still depending on ruby 1.8.
Embeds Rails 2.3.17, released in Feburary 2013, and many other ruby libraries of similar vintage. I'm not sure it's actually vulnerable to any of the many Rails vulnerabilities announced since, but it wouldn't surprise me. Port doesn't actually build anything, it basically just untars and retars the distfile, other than fixing shebang lines and changing some hardcoded paths. I think removing it using the following quirk makes sense: "web application with no benefit being packaged" OKs to remove? Thanks, Jeremy
