[Pkg-javascript-devel] nodejs / LTS

Jérémy Lal kapouer at melix.org
Thu Oct 1 08:45:10 UTC 2015


Hi Security Team and pkg-javascript-devel team,

May I have your opinion on this discussion about having a shared v8 package
maintained by nodejs LTS support?

Please CC all.

2015-10-01 10:25 GMT+02:00 Moritz Mühlenhoff <mmuhlenhoff at wikimedia.org>:

> Hi,
>
>> yes I'm in favor of getting latest nodejs LTS into next debian release
>> (be it 4.1 or 4.2, but certainly not 5.0).
>
> 4.1.1 is the next LTS: https://github.com/nodejs/LTS/
>

I'm not reading anything on that page regarding version 4.1.1? The
documentation there is a bit outdated and doesn't reflect current choices -
they mention versions and dates as mere examples to explain their plans.

> The next LTS might not be released in time for stretch:
> https://wiki.debian.org/DebianStretch
>
> Do you plan to stick with one version for the nodejs packages or to make
> them co-installable?
>

One version.
If there is a new nodejs LTS several months before Stretch transition freeze,
then considering an update is reasonable. Future transitions are likely to be
less painful than the nodejs 0.10 -> 4 one:
- pure js modules are mostly forward-compatible
- c++ addons API compatibility is getting better with node-nan 2.x - most of
  the time updating node-nan and rebuilding addons will be fine.

>> I'm thinking of updating v8 debian package and linking against it in
>> nodejs 4 - as you know that wasn't a good idea for libv8-3.14 / nodejs 0.10
>> as it required too much work.
>> It could be more successful and maintainable if we directly use the
>> nodejs v8 bundled copy, thus taking advantage of nodejs LTS security
>> patches and enlightened choices.
>
> Currently nodejs is the only rdep of libv8-3.14-dev (chromium uses the
> bundled version as well).
> Given that libv8 is an unmaintainable mess I'm personally in favour of
> abandoning the packaged libv8 in favour of nodejs using the bundled version
> (since currently nodejs is essentially security-unmaintained in jessie)
>

But nodejs isn't actually the only rdep, you should check libv8-dev rdeps as
well: weechat, uwsgi, mongodb, osmium, plv8.
The mess came from lack of v8 LTS and version ABI support.
Now that nodejs LTS is just doing that work, a shared v8 would benefit from it.

> But I can't/won't decide on this on my own, please contact
> team at security.debian.org for a broader discussion.
>

CC-ing


>> PS: could we bring this discussion to pkg-javascript-devel for their
>> information?
>
> Sure, please CC me, I'm not CCed.
>

CC-ing

Jérémy