[Pkg-javascript-devel] V8 depends from outdated and unmaintained libv8 with security issues
Dominique Dumont
dod at debian.org
Mon Feb 11 08:10:54 GMT 2019
Hi
On Friday, 8 February 2019 12:10:01 CET Jérémy Lal wrote:
> > I suppose I need to ask for a removal of libv8 from unstable (it's removed
> > from testing) to be able to "take" libv8-dev. Or maybe declare a
> > libv8-in-nodejs-dev package?
> > In any case I don't know if I should make a libv8-xx package (which would
> > basically be symlinks to libnode).
> > Any advice is welcome...
I think the following should happen:
* update libv8 from new upstream source. [1]
* build nodejs for Debian using the updated libv8 packages as required by
Debian policy [2]
The Rakudo packaging team faced a similar issue with moarvm [3], which includes
a convenience copy of libtommath and libuv1. We had to:
* take over and update the libuv1 and libtommath packages, which were outdated
* add a Files-Excluded: line in moarvm's debian/copyright to remove the
convenience copies of libuv and libtommath
* use options provided by moarvm build tools to use system libraries instead
of the convenience copy.
Hope this helps
[1] Either https://chromium.googlesource.com/v8/v8.git or its "official" mirror
https://github.com/v8/v8.
[2] https://www.debian.org/doc/debian-policy/ch-source.html#convenience-copies-of-code
[3] https://salsa.debian.org/perl6-team/moarvm
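
A check a packager could run after repacking, added here as an example and not part of the original message: it reads the Files-Excluded patterns from the header paragraph of debian/copyright and reports any path in the unpacked source tree that still matches. The sample file, the `bundled/` layout and the function names are constructed for illustration and are not moarvm's real tree.

```python
from fnmatch import fnmatchcase

# Constructed sample: a debian/copyright file in the machine-readable format.
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example
Files-Excluded: bundled/libuv
 bundled/libtommath/*
Comment: constructed sample, not a real package

Files: *
Copyright: 2019 Example Author
License: Artistic-2.0
"""

def files_excluded(copyright_text):
    """Return the Files-Excluded patterns from the header (first) paragraph."""
    header = copyright_text.split("\n\n", 1)[0]
    patterns, in_field = [], False
    for line in header.splitlines():
        if line[:1] in (" ", "\t"):      # continuation of the previous field
            if in_field:
                patterns += line.split()
            continue
        name, _, value = line.partition(":")
        in_field = name.strip().lower() == "files-excluded"
        if in_field:
            patterns += value.split()
    return patterns

def leftover_copies(patterns, tree_paths):
    """Paths still present in the tree that match an excluded pattern.

    A pattern that matches a directory covers everything below it.
    Simplification: fnmatch also treats [...] as a wildcard.
    """
    hits = []
    for path in tree_paths:
        parts = path.strip("/").split("/")
        prefixes = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
        if any(fnmatchcase(p, pat.rstrip("/"))
               for p in prefixes for pat in patterns):
            hits.append(path)
    return hits
```

An empty result from `leftover_copies` over the file list of the repacked tarball means the convenience copies are gone, so the build can only succeed against the system libraries.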