08:48 <olle> @headius I have a suggestion. Collect all the currently-blogging JRuby team members, and update http://jruby.org/blogs with their blogs.

08:50 <olle> I'll create a GitHub Issue to collect links.

11:49 <GitHub195> [jruby] ivoanjo opened issue #4891: JRuby returns nil backtrace for living newborn threads, whereas MRI returns [] https://git.io/vb0cE

13:57 <headius> yo yo yo

13:57 <headius> olle: yeah good idea

13:57 <headius> I'm not sure who that includes exactly :-)

13:57 <olle> headius: I started, https://github.com/jruby/jruby.github.io/issues/9

13:58 <headius> nice!

15:03 <GitHub94> [jruby] headius closed issue #4891: JRuby returns nil backtrace for living newborn threads, whereas MRI returns [] https://git.io/vb0cE

15:04 <headius> fidothe: neato

15:05 <headius> fidothe: what you have here seems reasonable...it tries to load from classpath, and if that doesn't work it uses the given saxon_home

15:06 <fidothe> headius: Thanks!

15:07 <fidothe> I was concerned I might be missing an obvious-to-actual-java-programmers expectation around how the classpath is actually used

15:13 <headius> mkristian on gitter might have some suggestions, he's our expert on packaging jars with libraries

15:13 <headius> gitter jruby/jruby

15:22 <GitHub8> [jruby] headius closed issue #4885: powerpc64le-linux "Syslog not supported on this platform" https://git.io/vbnud

15:49 <fidothe> headius: I’ll pop in, thanks

18:10 <nowhereFast> https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf

18:11 <nowhereFast> p.15 points to a remote code execution vulnrability in JRuby

18:11 <nowhereFast> ^incase that hasn't already come up

18:13 <headius> nowhereFast: that's not a vulnerability, it's a feature

18:13 <headius> it's supposed to execute remote code

18:14 <headius> it's no more an exploit than loading a Java jar file over a URL and executing the code in it

18:14 <headius> and that's a pretty standard Java thing to do

18:15 <nowhereFast> :) yup, pasted it more for what it's being presented

18:16 <nowhereFast> as

18:22 <headius> yeah I commented on his blog post about the paper, we'll see what he says

18:22 <headius> I don't consider it an exploit because you'd have to be able to modify a user's code to load this remote URL

18:23 <headius> yeah I call shenanigans on this

18:23 <headius> he basically writes code that attempts to load something off a remote server and then when it does so he calls that an exploit

18:24 <headius> he explicitly tries to make it load that URL

18:26 <nowhereFast> yeh, that makes sense, seems like a bit of a publicity stunt on his part too, yet many sites will jump on this and put it out there as gospel

19:11 <headius> ugh

19:11 <headius> I'm already seeing blog posts about his results

19:11 <headius> why wouldn't he contact us before publishing this?

22:26 <fidothe> Hey, I'm seeing something odd with Process.spawn (well, specifically, Open3.capture3) where, once I've called out to it a bunch (i don't have exact numbers but I can figure it out), the call starts failing with unable-to-allocate errors, despite there being plenty of memory available according to top

22:28 <headius> fidothe: sounds like something you should open an issue for

22:28 <headius> provide as much info as you can, ideally a simple reproduction

22:29 <fidothe> i'll do that