When dev-libs/syck is installed, dev-lang/ruby will build the YAML parser based on syck as /usr/lib/ruby/1.8/i686-linux/syck.so . The bad part is that the extension does not link against it dynamically but instead statically (thus will require an explicit rebuild after a security issue). Not only we should look for a way to link to the shared object but it should be tied to an USE flag, or always be depended upon, since automagic is bad.
No, silly me, no automagic dep, just it couldn't hit on my system since syck is not installed. Still bad.
Upstream has planned to remove syck in the future and replace it with another yaml library as the original maintainer (why) has vanished.
From: Aaron Patterson <aaron@tenderlovemaking.com> To: ruby-core@ruby-lang.org Subject: [ruby-core:28215] Removing Syck from ruby Date: Thu, 18 Feb 2010 16:22:06 +0900 [...] I would like to move my replacement (Psych[1]) in to ruby's svn so that people can start migrating to the new API. Psych has a *mostly* compatible API with Syck. Since Psych uses libyaml, that means it follows the YAML spec more closely than Syck does. This means that switching from Syck to Psych /will/ break things. I would like to remove Syck from ruby, and release it as a gem that I will maintain. That way people depending on the legacy behaviors of Syck will not be let down, though they will be highly encouraged to upgrade. [...]
Ruby 1.9 uses psych (and thus libyaml), but we still have this situation for ruby 1.8, and I'm pretty sure upstream is not going to make these changes.
I am afraid that you will have similar issues with Ruby 2.0 soon: https://bugs.ruby-lang.org/issues/7375
All versions of ruby that use syck for YAML support have been removed from the tree.
