[Pkg-javascript-devel] V8 depends from outdated and unmaintained libv8 with security issues

Jérémy Lal kapouer at melix.org
Mon Feb 11 08:51:11 GMT 2019


On Mon, 11 Feb 2019 at 09:11, Dominique Dumont <dod at debian.org> wrote:

> Hi
>
> On Friday, 8 February 2019 12:10:01 CET Jérémy Lal wrote:
> > > I suppose I need to ask for a removal of libv8 from unstable (it's removed
> > > from testing) to be able to "take" libv8-dev. Or maybe declare a
> > > libv8-in-nodejs-dev package?
> > > In any case I don't know if I should make a libv8-xx package (which would
> > > basically be symlinks to libnode).
> > > Any advice is welcome...
>
> I think the following should happen:
> * update libv8 from new upstream source. [1]
> * build nodejs for Debian using the updated libv8 packages as required by
> Debian policy [2]
>
> Rakudo packaging team faced a similar issue with moarvm [3] which includes a
> convenience copy of libtommath and libuv1. We had to:
> * take over and update libuv1, libtommath packages that were outdated
> * add a Files-Excluded: line in moarvm's debian/copyright to remove the
> convenience copies of libuv and libtommath
> * use options provided by moarvm build tools to use system libraries instead
> of the convenience copy.
>

Hi Dominique,

That's what I tried to do in the first place.
However, the lack of v8 soname and ABI stability across versions gave me so
much additional work that I ended up not doing it at all, leading to v8 being
unmaintained.
The solution here is purely practical: it offers a way to get a maintained
v8 in Debian, for very low additional time cost, because nodejs 10 will be
maintained up until April 2021 [2].

[2] https://github.com/nodejs/Release#release-schedule