Security Concern: Isn't Ruby 2.6 EOL? #267
Comments
The container image has a high number of severe vulnerabilities including multiple critical and high CVEs in both the OS and Ruby. Are there any plans to update the OS and Ruby?
@onetimesecret any thoughts?
#256 seems related but it still did not finish the build for me,
was what I have tried next, but then
I've come across the same issue - Won't install with Ruby below 3 (docker) but when it does get further we get Token errors because the Code is not updated for Ruby 3.
@onetimesecret any thoughts? This issue has been open since August. Would it make more sense to look at having someone else maintain this project? There appear to be orgs focused on helping projects like yours stay alive/maintained: https://www.codeshelter.co/ Happy to find more options if this is something that would be of interest to you.
At long last I've finally had the time and mindspace to make some actual progress on Ruby 3.1+ support (I'd had a number of false starts over the past few years). @venkatamutyala Thanks for raising this issue and for the follow-up. I hadn't heard about Code Shelter. I am interested in getting some help which I think after the Ruby 3 hurdle will be feasible. I pushed a final release of the current codebase (release 0.12.0) and started a pristine I'm working on this in earnest now. One of the pitfalls I'd been getting into was trying to bring some of the dependencies up to this modern era at the same time. I'm giving up on that route so I can focus my attention and not get bogged down again.
@delano would you take external pull requests for the current work? If so, I can share this with some Ruby user groups that I am a part of.
@venkatamutyala Absolutely. I'd really appreciate that.
Just spammed a couple of different groups. As for where I'm capable, if it's related to: DevOps/CI/CD/Platform/Deployment/Containers/Docker/Infrastructure, feel free to tag me on an existing GitHub issue or a new one.
Thanks @venkatamutyala! Initial support for Ruby 3 is live in the develop branch now. There's a basic workflow that runs tests against a matrix of Ruby versions: Any and all feedback is welcome.
Hey @delano what's the benefit of supporting multiple versions? It feels like extra overhead given folks can just use a version manager to match whatever this project requires.
Hey, good question. Supporting multiple Ruby versions helps to accommodate a wider range of operating environments. Even just in terms of operating systems, something like Debian or CentOS that value stability over flexibility, the available package manager(s) will intentionally lag behind the latest and greatest versions of most tools. There can also be company constraints that are very prescriptive about what is and isn’t allowed to run on the network. Java shops might not allow MRI Ruby but are fine with JRuby for example. So it’s all a balancing act. When it’s easy enough to keep the requirements flexible, we’re all better off for it in the world of open source.
I was looking at deploying this and then noticed: https://github.com/onetimesecret/onetimesecret/blob/develop/Dockerfile#L56
per: https://endoflife.date/ruby I believe 2.6 is EOL. Any thoughts on updating this to the latest stable version?