[Pkg-javascript-devel] V8 depends from outdated and unmaintained libv8 with security issues

Dominique Dumont dod at debian.org
Mon Feb 11 08:10:54 GMT 2019


Hi

On Friday, 8 February 2019 12:10:01 CET Jérémy Lal wrote:
> > I suppose i need to ask a removal of libv8 from unstable (it's removed
> > from testing) to
> > be able to "take" libv8-dev. Or maybe declare a libv8-in-nodejs-dev
> > package ?
> > In any case i don't know if i should make a libv8-xx package (which would
> > basically be
> > symlinks to libnode).
> > Any advice is welcome...

I think the following should happen:
* update libv8 from new upstream source. [1]
* build nodejs for Debian using the updated libv8 packages as required by 
Debian policy [2]

Rakudo packaging team faced a similar issue with moarvm [3] which includes a 
convenience copy of libtommath and libuv1. We had to:
* take over and update libuv1, libtommath packages that were outdated
* add a Files-Excluded: line in marvm's debian/copyright to remove the 
convenience copies of libuv and libtommath
* use options provided by moarvm build tools to use system libraries instead 
of the convenience copy.

Hope this helps

[1] Either  https://chromium.googlesource.com/v8/v8.git or its "official" mirror 
https://github.com/v8/v8.
[2] https://www.debian.org/doc/debian-policy/ch-source.html#convenience-copies-of-code
[3] https://salsa.debian.org/perl6-team/moarvm





More information about the Pkg-javascript-devel mailing list