Project

General

Profile

Actions

Feature #17303

closed

Remove webrick from stdlib

Added by hsbt (Hiroshi SHIBATA) about 4 years ago. Updated about 4 years ago.

Status:
Closed
Target version:
[ruby-core:100689]

Description

I propose to move webrick to bundled gems or remove it from stdlib of ruby.

We have several vulnerability issues in webrick gem.

https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/

The ruby core team don't have enough time to handle them. We should remove webrick from default gems at least.

Patch for this feature: https://github.com/ruby/ruby/pull/3729


Related issues 1 (0 open1 closed)

Related to Ruby master - Feature #15657: Make webrick to bundled gemsClosedhsbt (Hiroshi SHIBATA)Actions

Updated by jeremyevans0 (Jeremy Evans) about 4 years ago

I am in favor of this change. I prefer removing webrick from stdlib, as otherwise we are still likely to be shipping vulnerable code if there is a security issue in webrick. Moving webrick from default gems to bundled gems doesn't change much security wise, other than making it slightly more difficult to use an separately installed webrick gem.

Updated by Eregon (Benoit Daloze) about 4 years ago

Doesn't RubyGems depend on WEBrick (notably for gem server)?
It seems also RDoc depends on it.
And I know ruby -run -e httpd . -p8080 depends on it as well.

I think having a basic HTTP server in stdlib is important (bundled gem is fine for that).
Notably for properly testing Socket and new IO APIs.

Also removing it entirely without any kind of deprecation first seems like it might break lots of things.

Updated by Eregon (Benoit Daloze) about 4 years ago

It seems like the more fundamental thing we need is more maintainers for WEBrick.
Even if it's removed from stdlib, people will still install it for some existing use cases.

Actions #4

Updated by sawa (Tsuyoshi Sawada) about 4 years ago

  • Subject changed from Make webrick to bundled gems or remove from stdlib to Move webrick to bundled gems or remove it from stdlib
  • Description updated (diff)

Updated by normalperson (Eric Wong) about 4 years ago

wrote:

@normalperson (Eric Wong) What do you think?

I don't really care about Ruby, at the moment...

But if I were paid to care in the future, there is absolutely no
way I could use GitHub (due to Terms-of-Service, JS CAPCHA, etc)
and there needs to be a mailing list (e.g. ruby-core) and
(optional) Redmine tracker for me to work on it.

Updated by mame (Yusuke Endoh) about 4 years ago

Thank you for your reply.
I'm sorry but I cannot afford to hire you and have no bugdet. If I were a billionaire..
Anyway, you are not against the removal of WEBrick from Ruby package.
If you are, let me know.

This is my opinion.
If you are willing to continue to maintain WEBrick, GitHub is not mandatory.
We will keep WEBrick on GitHub, but I think we can transfer the source code to you everytime.
You can maintain it in your own Git server and mailing list, like the unicorn project, if you want.
And I hope so if possible.

@matz (Yukihiro Matsumoto), do you decide the removal of WEBrick?

Updated by ioquatix (Samuel Williams) about 4 years ago

Personally, I'm in favour of a smaller stdlib. Therefore I support this change.

I also believe that we see more innovation when things are allowed to grow under their own terms rather than part of stdlib.

Actions #9

Updated by hsbt (Hiroshi SHIBATA) about 4 years ago

  • Subject changed from Move webrick to bundled gems or remove it from stdlib to Remove webrick from stdlib
  • Status changed from Open to Assigned

Updated by naruse (Yui NARUSE) about 4 years ago

Recently vulnerability handling for webrick is heavy load for CRuby development.
Reports related to webrick is low S/N rate though the importance of bundling webrick with ruby tarball is decreasing.

We remove webrick in ruby repo and separate it as dedicated project.

Actions #12

Updated by mame (Yusuke Endoh) about 4 years ago

  • Target version set to 3.0

Updated by hsbt (Hiroshi SHIBATA) about 4 years ago

  • Status changed from Assigned to Closed

Removed at https://github.com/ruby/ruby/pull/3729

I'm going to resolve the issues related this until the final release of Ruby 3.0.

Actions #14

Updated by hsbt (Hiroshi SHIBATA) almost 4 years ago

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0