[Pkg-javascript-devel] Bug#853512: Status of libv8?
Jérémy Lal
kapouer at melix.org
Fri Jan 18 10:51:38 GMT 2019
Le ven. 18 janv. 2019 à 11:37, Andreas Tille <andreas at an3as.eu> a écrit :
> Hi,
>
> I just realised that one of my packages does not migrate to testing due
> to its dependency from r-cran-v8 and in turn from libv8-devel. I
> realised that while libv8 has 3 security bugs which are set to
> stretch-ignore (#760385, #773623, #773671 - should this somehow also be
> set to buster-ignore??? - I had no idea that we ignore CVEs at all but
> anyway) it probably can not migrate to testing since it does not even
> build:
>
> #853512 libv8-3.14: ftbfs with GCC-7
>
> This bug is RC since 6 months but there is no response from any
> uploader. So I tried to clone the repository from Salsa and realised
> that there is none at the place I would have expected
> (https://salsa.debian.org/js-team/libv8). Is there any other place
> (besides digging into Alioth archives where I could find the
> repository?) I admit I'm not motivated to find out how to restore
> old repositories but would rather use
>
> gbp import-dscs --ignore-repo-config --debsnap --pristine-tar libv8
>
> instead. Any information about the status of this package would be
> really welcome.
>
> However, when reading
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773671#59
>
> it might rather the best idea to remove this lib from Debian at all and
> I need to see how I can avoid depending from this package.
>
Indeed, i am sorry for this bad state of things; i thought i could handle
it,
but obviously i couldn't.
Possible solutions (besides not using it at all):
- bundle it - nodejs bundles it
- change nodejs to build its v8 as a shared lib, and provide it
it makes sense because upstream nodejs do all the work of keeping ABI
stability,
backporting security fixes, choosing the right version, and so on.
- take over maintenance and distribute it independently of nodejs
Jérémy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20190118/b5f6d377/attachment-0004.html>
More information about the Pkg-javascript-devel
mailing list