Feature #10510
closed
Remove REXML instead of patching it
Added by grosser (Michael Grosser) about 10 years ago.
Updated almost 3 years ago.
Description
There have been at least 3 rexml vulnerabilities to date; having to patch ruby just to make sure it's not being used is taking a lot of time/effort.

Afaik most people do not use xml anyway (and especially not rexml). Just for comparison: it would make much more sense to have json included, but it's not.

So let's just drop it & make it a gem.
I believe semantic versioning prevents doing this until Ruby 3 is released (many years from now) but I agree that this issue should be added to the Ruby 3 roadmap.
What about gem-ification of rexml, allowing patches to be distributed as gems that can be updated?
(like default gems: json, psych, etc)
I think the introduction of a default gem for rexml falls into minor version changes and will allow faster responses and alternate upgrade/mitigation paths.
Erik Michaels-Ober wrote:
I believe semantic versioning prevents doing this until Ruby 3 is released (many years from now) but I agree that this issue should be added to the Ruby 3 roadmap.
Wedding release schedules to specific version numbers is what got Perl in such a mess. Shouldn't the version numbers follow what happens in the code and not the other way round? If a change means the version number goes up to 3 then so what! The other stuff that would've been in 3 goes in 4… or 5 or 6.
+1 from me either for the original idea or Luis' idea.
iain
- Status changed from Open to Assigned
- Assignee set to kou (Kouhei Sutou)
- Status changed from Assigned to Closed
rexml has been a bundled gem since Ruby 3.0.