[Pkg-javascript-devel] Bug#904274: Bug#904274: nodejs: Debian nodejs is not ABI-compatible with upstream nodejs

Jérémy Lal kapouer at melix.org
Sun Jul 22 18:35:35 BST 2018


Forwarded: https://github.com/nodejs/node/issues/21897

2018-07-22 17:37 GMT+02:00 Elana Hashman <ehashman at debian.org>:

> Package: nodejs
> Version: 8.10.0~dfsg-2
> Severity: important
>
> This bug was initially reported downstream against Ubuntu in
> https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1779863 by the
> upstream GRPC maintainer.
>
> Summary of the issue: upstream nodejs vendors its openssl dependency and
> exports the openssl symbols as part of its ABI for native extensions. Node
> 8.x depends on openssl 1.0.2. However, Node 8.x in Debian depends on the
> default openssl, version 1.1.0. As a result, the Debian nodejs package
> provides an incompatible ABI for compiled native node extensions, resulting
> in subtle and confusing bugs for end users.
>
> Note that Ubuntu is using an unpatched upstream Debian package in
> Bionic/18.04. Hence, this bug really affects the Debian build, not just
> Ubuntu. IMO we should not diverge from the ABI contract that upstream
> provides. Typical nodejs development practices involve downloading
> dependencies with npm, which may include precompiled native dependencies
> that rely on a stable node ABI. It is very confusing for end users to
> install a system nodejs, download these deps as normal, and then encounter
> subtle incompatibilities with scary error messages, like this:
>
> node: symbol lookup error: /home/pixel/node-openssl-addon-example/build/Release/openssl_example.node: undefined symbol: SSL_library_init
>
> This seriously impacts the user experience for nodejs users. And I'm
> worried that because this is an openssl 1.0.x issue, this problem is even
> uglier. I imagine nodejs vendored upstream openssl, which lacks symbol
> versions altogether (which could potentially mitigate the issue a little
> bit, for systems that have both openssl version .so's installed).
>

I agree there is a problem. I disagree the problem is only on the
distributor side.
The bug is reported upstream (see forwarded url above).
Complaining that the distributor is not doing the right thing is a wrong
approach to the problem.
You should instead try to understand more deeply the situation and see what
other languages do about that.

TLDR; the practical solution is to promote compilation of addons - which is
*straightforward* on debian/ubuntu/fedora and derivatives
(you just need to explain which development packages must be installed).


> Ubuntu Bionic will need to patch their builddeps downstream to use the
> right version of openssl, and I'm going to comment on their bug along those
> lines. This is also an option for us in Debian, but given that we want to
> drop openssl 1.0.2 in buster, I'd suggest we could also fix this bug by
> upgrading node to 10.x, available in experimental, which depends on openssl
> 1.1.0 upstream.


Agreed! As the main nodejs maintainer the only reason it is not already
the case is because I did not have time to handle it.
I do that on free time, and it's a rare thing these days...

Jérémy
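
Added example, not part of the original thread and not code from Debian or Node.js: a check that a prebuilt addon's undefined symbols are all exported by the node binary and the libraries it loads, which is the mismatch behind the "undefined symbol: SSL_library_init" error quoted above. The `nm -D` listings are constructed samples (addresses and symbol selection are assumptions); in practice they would come from running `nm -D` on the .node file, the node binary and its shared libraries.

```python
def parse_nm(text):
    """Return (defined, undefined) symbol-name sets from `nm -D` output."""
    defined, undefined = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:            # no address column: "U name" / "w name"
            kind, name = parts
        elif len(parts) == 3:          # "address kind name"
            _, kind, name = parts
        else:
            continue
        name = name.split("@", 1)[0]   # drop symbol-version suffix, if any
        if kind == "U":
            undefined.add(name)
        elif kind not in ("w", "v"):   # weak undefined may stay unresolved
            defined.add(name)
    return defined, undefined

def unresolved(addon_nm, provider_nms):
    """Symbols the addon needs that no provider object exports."""
    wanted = parse_nm(addon_nm)[1]
    provided = set()
    for text in provider_nms:
        provided |= parse_nm(text)[0]
    return sorted(wanted - provided)

# Constructed sample: addon precompiled against upstream node 8.x headers.
ADDON_NM = """\
                 U SSL_library_init
                 U SSL_CTX_new
                 U node_module_register
                 U memcpy@GLIBC_2.14
                 w __gmon_start__
0000000000001200 T init_addon
"""
# Constructed sample: upstream node 8.x exporting its vendored OpenSSL 1.0.2.
NODE_UPSTREAM_NM = """\
0000000000a00000 T node_module_register
0000000000b00000 T SSL_library_init
0000000000b01000 T SSL_CTX_new
"""
# Constructed sample: distro node 8.x linked against system OpenSSL 1.1.0,
# where SSL_library_init is a macro over OPENSSL_init_ssl, not a symbol.
NODE_DISTRO_NM = "0000000000a00000 T node_module_register\n"
LIBSSL11_NM = """\
0000000000030000 T OPENSSL_init_ssl@@OPENSSL_1_1_0
0000000000031000 T SSL_CTX_new@@OPENSSL_1_1_0
"""
LIBC_NM = "0000000000090000 T memcpy@@GLIBC_2.14\n"

if __name__ == "__main__":
    print(unresolved(ADDON_NM, [NODE_DISTRO_NM, LIBSSL11_NM, LIBC_NM]))
```

An empty result means every strong undefined symbol has a provider; it does not prove the structures behind those symbols have the same layout in both OpenSSL versions.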