Feature #10510
closed
Remove REXML instead of patching it
Description
There have been at least 3 rexml vulerabilities to date,
having to patch ruby just to make sure it's not being used is taking a lot
of time/effort.
Afaik most people do not use xml anyway (and especially not rexml), just
for comparison: it would make much more sense to have json included, but
it's not.
So let's just drop it & make it a gem.
Updated by sferik (Erik Michaels-Ober) about 10 years ago
I believe semantic versioning prevents doing this until Ruby 3 is released (many years from now) but I agree that this issue should be added to the Ruby 3 roadmap.
Updated by luislavena (Luis Lavena) about 10 years ago
What about gem-ification of rexml and allow patches be distributed as gems that can be updated?
(like default gems: json, psych, etc)
I think the introduction of default gem for rexml falls into minor version changes and will allow faster responses and alternate upgrade/mitigation paths.
Updated by yb601 (Iain Barnett) almost 10 years ago
Erik Michaels-Ober wrote:
I believe semantic versioning prevents doing this until Ruby 3 is released (many years from now) but I agree that this issue should be added to the Ruby 3 roadmap.
Wedding release schedules to specific version numbers is what got Perl in such a mess. Shouldn't the version numbers follow what happens in the code and not the other way round? If a change means the version number goes up to 3 then so what! The other stuff that would've been in 3 goes in 4… or 5 or 6.
+1 from me either for the original idea or Luis' idea.
iain
Updated by hsbt (Hiroshi SHIBATA) almost 10 years ago
- Status changed from Open to Assigned
- Assignee set to kou (Kouhei Sutou)
Updated by hsbt (Hiroshi SHIBATA) almost 3 years ago
- Status changed from Assigned to Closed
rexml is the bundled gems since Ruby 3.0.