
Issue #19178 has been updated by graywolf (Gray Wolf).

hsbt (Hiroshi SHIBATA) wrote in #note-8:

> > But your way of updating "json" as a normal gem over the default gem means that whenever ruby is used with --disable-gems then the updated version is not used and thus a CVE could still be exposed.
>
> `--disable-gems` is only a development option for debugging the Ruby binary. Do not use it for application or software development.

That is interesting. I know that I do use it in a few places, usually for startup time reduction:

```
$ time -p ruby -e 'puts 1'
1
real 0.06
user 0.04
sys 0.01
$ time -p ruby --disable-all -e 'puts 1'
1
real 0.01
user 0.00
sys 0.01
```

Since that (based on your comment) does not seem like the right thing to do, are there other options to make ruby start up faster that are actually supported?

----------------------------------------
Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
https://bugs.ruby-lang.org/issues/19178#change-100485

* Author: Segaja (Andreas Schleifer)
* Status: Open
* Priority: Normal
----------------------------------------
If there is a CVE issue in one of the stdlibs ( https://stdgems.org/ ) which gets patched, what is CRuby's approach on how to push this critical fix to the users?

As far as I know stdlibs get only updated for the users if CRuby releases a new version. So will CRuby always release a new version if there is a critical fix and a stdlib "needs" to be updated?

-- 
https://bugs.ruby-lang.org/
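The fallback graywolf describes above (a default gem such as "json" updated as a normal gem is bypassed under `--disable-gems`, because only the default copy is on `$LOAD_PATH`) can be checked with a small script. This is an added example, not code from the thread or from CRuby; the `INSTALLED` list is constructed sample data, while `live_specs` uses RubyGems' real `Gem::Specification` index to run the same check against the current interpreter.

```ruby
# Added example, not from the issue thread: which copy of a default gem
# such as "json" is loaded with RubyGems enabled versus under
# --disable-gems, and where the two differ (the patched gem is bypassed).
require 'rubygems'

# Constructed sample of installed specs; versions are illustrative only.
# default: true marks the copy shipped with the Ruby binary.
INSTALLED = [
  { name: 'json',  version: '2.6.1', default: true  },
  { name: 'json',  version: '2.6.3', default: false }, # `gem update json`
  { name: 'psych', version: '5.0.1', default: true  }  # no newer copy
].freeze

# With RubyGems active, `require` activates the highest installed version.
def version_with_gems(specs, name)
  specs.select { |s| s[:name] == name }
       .map { |s| Gem::Version.new(s[:version]) }
       .max&.to_s
end

# Under --disable-gems only the default gem's files sit on $LOAD_PATH,
# so that copy is what `require` finds, whatever else is installed.
def version_without_gems(specs, name)
  spec = specs.find { |s| s[:name] == name && s[:default] }
  spec && spec[:version]
end

# Default gems whose newer installed copy --disable-gems would skip.
def stale_default_gems(specs)
  specs.map { |s| s[:name] }.uniq.filter_map do |name|
    with    = version_with_gems(specs, name)
    without = version_without_gems(specs, name)
    next if with.nil? || without.nil?
    next if Gem::Version.new(with) <= Gem::Version.new(without)
    { name: name, default: without, updated: with }
  end
end

# Same check against the running Ruby, via RubyGems' own spec index.
def live_specs
  Gem::Specification.map do |s|
    { name: s.name, version: s.version.to_s, default: s.default_gem? }
  end
end

if __FILE__ == $PROGRAM_NAME
  stale_default_gems(live_specs).each do |g|
    puts "#{g[:name]}: --disable-gems loads #{g[:default]}, RubyGems #{g[:updated]}"
  end
end
```

Run without arguments it lists every default gem on the host whose patched copy a `--disable-gems` (or `--disable-all`) invocation would never see.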