[Pkg-javascript-devel] Bug#904274: nodejs: Debian nodejs is not ABI-compatible with upstream nodejs
Elana Hashman
ehashman at debian.org
Sun Jul 22 16:37:24 BST 2018

Package: nodejs
Version: 8.10.0~dfsg-2
Severity: important

This bug was initially reported downstream against Ubuntu in
https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1779863 by the
upstream GRPC maintainer.

Summary of the issue: upstream nodejs vendors its openssl dependency and
exports the openssl symbols as part of its ABI for native extensions.
Node 8.x depends on openssl 1.0.2. However, Node 8.x in Debian depends
on the default openssl, version 1.1.0. As a result, the Debian nodejs
package provides an incompatible ABI for compiled native node
extensions, resulting in subtle and confusing bugs for end users.

Note that Ubuntu is using an unpatched upstream Debian package in
Bionic/18.04. Hence, this bug really affects the Debian build, not just
Ubuntu. IMO we should not diverge from the ABI contract that upstream
provides. Typical nodejs development practices involve downloading
dependencies with npm, which may include precompiled native dependencies
that rely on a stable node ABI. It is very confusing for end users to
install a system nodejs, download these deps as normal, and then
encounter subtle incompatibilities with scary error messages, like this:

    node: symbol lookup error:
    /home/pixel/node-openssl-addon-example/build/Release/openssl_example.node:
    undefined symbol: SSL_library_init

This seriously impacts the user experience for nodejs users. And I'm
worried that because this is an openssl 1.0.x issue, this problem is
even uglier. I imagine nodejs vendored upstream openssl, which lacks
symbol versions altogether (which could potentially mitigate the issue a
little bit, for systems that have both openssl version .so's installed).

Ubuntu Bionic will need to patch their builddeps downstream to use the
right version of openssl, and I'm going to comment on their bug along
those lines. This is also an option for us in Debian, but given that we
want to drop openssl 1.0.2 in buster, I'd suggest we could also fix this
bug by upgrading node to 10.x, available in experimental, which depends
on openssl 1.1.0 upstream.
- e
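
Added example (not part of the original report, and not code from Debian or Node.js): a shell check that finds this kind of ABI mismatch before load time by comparing the symbols a compiled addon imports against the symbols the node binary and its linked libraries export. The function names missing_syms, check_addon and demo are hypothetical, and the sample nm output is constructed to mirror the SSL_library_init failure quoted above.

```shell
# Added example, not from the bug report: list the dynamic symbols a native
# addon imports that none of the given providers export.
# missing_syms UNDEF_FILE DEF_FILE
#   UNDEF_FILE: output of `nm -D --undefined-only addon.node`
#   DEF_FILE:   output of `nm -D --defined-only` over node and its libraries
# Weak ("w") imports are skipped: the loader tolerates their absence.
missing_syms() {
    awk '
        FILENAME == ARGV[1] {          # provider line: "addr type name"
            if (NF == 3) { sub(/@.*/, "", $3); have[$3] = 1 }
            next
        }
        $1 == "U" {                    # addon line: "U name[@VERSION]"
            sub(/@.*/, "", $2)
            if (!($2 in have)) print $2
        }
    ' "$2" "$1" | sort -u
}

# check_addon ADDON PROVIDER...  (needs binutils nm; returns 1 if any missing)
check_addon() {
    addon=$1; shift
    tmp=$(mktemp -d) || return 2
    nm -D --undefined-only "$addon" > "$tmp/undef" &&
        nm -D --defined-only "$@" > "$tmp/def" || { rm -rf "$tmp"; return 2; }
    out=$(missing_syms "$tmp/undef" "$tmp/def")
    rm -rf "$tmp"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# demo: constructed nm output modelled on the report (addon built for
# OpenSSL 1.0.2, providers exporting the OpenSSL 1.1.0 ABI).
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/undef" <<'EOF'
                 U SSL_CTX_new
                 U SSL_library_init
                 w __gmon_start__
EOF
    cat > "$d/def" <<'EOF'
0000000000031c40 T OPENSSL_init_ssl@@OPENSSL_1_1_0
0000000000034f10 T SSL_CTX_new@@OPENSSL_1_1_0
EOF
    missing_syms "$d/undef" "$d/def"
    rm -rf "$d"
}
if [ "$#" -ge 2 ]; then check_addon "$@"; else demo; fi
```

With arguments, the first is the addon and the rest are the providers to check it against (the node binary plus the libssl and libcrypto it is linked to); with no arguments the constructed demo runs.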