Feature #10510

Remove REXML instead of patching it

Added by grosser (Michael Grosser) almost 5 years ago. Updated almost 5 years ago.

Status: Assigned
Priority: Normal
Target version: -
[ruby-core:66269]

Description

There have been at least 3 rexml vulnerabilities to date;
having to patch ruby just to make sure it's not being used is taking a lot
of time/effort.

Afaik most people do not use xml anyway (and especially not rexml), just
for comparison: it would make much more sense to have json included, but
it's not.

So let's just drop it & make it a gem.

History

Updated by sferik (Erik Michaels-Ober) almost 5 years ago

I believe semantic versioning prevents doing this until Ruby 3 is released (many years from now) but I agree that this issue should be added to the Ruby 3 roadmap.

Updated by luislavena (Luis Lavena) almost 5 years ago

What about gem-ification of rexml, allowing patches to be distributed as gems that can be updated?

(like default gems: json, psych, etc)

I think the introduction of a default gem for rexml falls into minor version changes and will allow faster responses and alternate upgrade/mitigation paths.
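The mitigation path Luis describes only works if operators can tell which copy of a library is installed and whether it can be updated without a new interpreter release. The check below is an added example written for this thread, not code from the ticket or from Ruby itself: it reports, for any library name, whether the newest installed copy is a default gem (and therefore updatable with `gem update`) and whether it meets a minimum version. The minimum versions passed in are placeholders; the ticket names no specific fixed REXML release.

```ruby
require "rubygems"

# Look up every installed copy of a library and report whether it ships as a
# gem (default or regular, so it can be updated independently of the
# interpreter) and whether the newest installed copy meets a minimum version.
# `min_version` is a caller-supplied placeholder, not a value from the ticket.
def library_status(name, min_version)
  specs = Gem::Specification.find_all_by_name(name)
  if specs.empty?
    return { name: name, installed: false, default_gem: false, satisfied: false }
  end

  newest = specs.max_by(&:version)
  {
    name: name,
    installed: true,
    version: newest.version.to_s,
    # true when this copy was shipped with the interpreter as a default gem
    default_gem: newest.default_gem?,
    # false means the installed copy is older than the version the operator
    # requires, i.e. the signal to run `gem update <name>`
    satisfied: newest.version >= Gem::Version.new(min_version),
  }
end

# Check a whole list of libraries against the minimum versions an operator tracks.
def audit(requirements)
  requirements.map { |name, min| library_status(name, min) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: json is a default gem on every supported Ruby;
  # the minimum versions are placeholders, not real advisory thresholds.
  audit("json" => "0.0.1", "rexml" => "0.0.1").each { |status| puts status.inspect }
end
```

Running the script prints one hash per library; a `satisfied: false` entry for a library that is a default or bundled gem is the case Luis's proposal is meant to address, since it can be fixed with a gem update rather than a full Ruby patch release.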

Updated by yb601 (Iain Barnett) almost 5 years ago

Erik Michaels-Ober wrote:

I believe semantic versioning prevents doing this until Ruby 3 is released (many years from now) but I agree that this issue should be added to the Ruby 3 roadmap.

Wedding release schedules to specific version numbers is what got Perl in such a mess. Shouldn't the version numbers follow what happens in the code and not the other way round? If a change means the version number goes up to 3 then so what! The other stuff that would've been in 3 goes in 4… or 5 or 6.

+1 from me either for the original idea or Luis' idea.

iain

Updated by hsbt (Hiroshi SHIBATA) almost 5 years ago

  • Status changed from Open to Assigned
  • Assignee set to kou (Kouhei Sutou)
