Replace WEBrick because it is no longer recommended for production use #4648
Comments
Thanks for your report.
@daipom I saw this alternative. Not sure if there are other alternatives, need to research more.
@Athishpranav2003 Thanks! Sorry, since I'm unfamiliar with these libraries and don't have much time this month, I cannot say for sure about the direction now.
It's similar for me.
Fluentd has been using async-http and webrick for the HTTP server in in_http and RPC.
The most popular Ruby web server is Puma: https://github.com/puma/puma
Describe the bug
Fluentd depends on webrick and uses it in quite a few places, and thus although it's no longer included in Ruby, it is required (e.g. the Dockerfile installs ruby-webrick).
There have been a fair few CVEs reported for webrick in recent years, but more worrying is that in response to a recent security vulnerability report, one of the maintainers said "webrick is not for production".
If fluentd continues to rely on this, it feels risky (e.g. maybe future reports may not be patched so quickly / at all).
Perhaps it would be wise to migrate each usage away from webrick to a production-suitable replacement?
To Reproduce
Install fluentd - you will not be able to do this without also installing webrick.
Expected behavior
We should move away from production use of a package which the maintainers no longer recommend for production use.
Your Environment
Your Configuration
Your Error Log
Additional context
No response
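The report says fluentd cannot be installed without also pulling in webrick. One way to verify that on a real deployment, and to see which gems in the tree are the ones that drag webrick in, is to walk the `specs:` section of the install's `Gemfile.lock`. The script below is an added example, not fluentd's own code: it parses a constructed lockfile (gem names and versions are illustrative, not fluentd's actual dependency list) and prints every gem whose dependency chain reaches the target gem, so the blast radius of removing webrick can be assessed before any migration work starts.

```ruby
# Added example (not part of fluentd): report which gems in a Gemfile.lock
# depend, directly or transitively, on a given gem such as webrick.
# SAMPLE_LOCK is a constructed lockfile; versions are illustrative only.

SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    async (2.0.0)
    async-http (0.60.0)
      async (>= 1.25)
    fluentd (1.16.0)
      async-http (>= 0.50.0)
      webrick (~> 1.4)
    webrick (1.8.1)

PLATFORMS
  ruby

DEPENDENCIES
  fluentd
LOCK

# Parse the "specs:" block into { gem_name => [dependency names] }.
# In Bundler's lockfile format a spec line is indented 4 spaces and its
# dependencies 6 spaces; dependencies may appear without a version constraint.
def parse_lock_specs(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    next unless in_specs
    # A blank line or a new top-level section (PLATFORMS, DEPENDENCIES, ...) ends specs.
    break if line.strip.empty? || line =~ /\A[A-Z]/
    if line =~ /\A {6}(\S+)/ && current
      specs[current] << Regexp.last_match(1)
    elsif line =~ /\A {4}(\S+) \(/
      current = Regexp.last_match(1)
      specs[current] ||= []
    end
  end
  specs
end

# Depth-first search for a dependency path from +gem+ down to +target+.
# +seen+ guards against cycles in malformed lockfiles.
def chain_to(specs, gem, target, seen)
  return [gem] if gem == target
  return nil if seen.include?(gem)
  (specs[gem] || []).each do |dep|
    sub = chain_to(specs, dep, target, seen + [gem])
    return [gem] + sub if sub
  end
  nil
end

# Return { gem => [path of gem names ending at target] } for every gem in the
# lockfile (other than the target itself) that reaches the target.
def dependents_of(specs, target)
  result = {}
  specs.each_key do |gem|
    next if gem == target
    path = chain_to(specs, gem, target, [])
    result[gem] = path if path
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby lock_dependents.rb [path/to/Gemfile.lock]; defaults to the sample.
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  dependents_of(parse_lock_specs(lock), 'webrick').each do |gem, path|
    puts "#{gem}: #{path.join(' -> ')}"
  end
end
```

Run against the sample it reports `fluentd: fluentd -> webrick`; run against a real `Gemfile.lock` from a fluentd install it lists each gem in the tree that would have to change for webrick to drop out of the lock entirely.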