[Pkg-javascript-devel] V8 depends from outdated and unmaintained libv8 with security issues

Jeroen Ooms jeroen at berkeley.edu
Tue Jan 29 18:41:34 GMT 2019


Is there another version of libv8 available on Debian? I'm willing to
try to port it to a newer version of V8. The issue with libv8 has
always been that Google refuses to define a stable API, and they do a
new release every day (no joke). So it's very hard to program against
that.

That said, Fedora is now shipping v8 6.7.17
https://apps.fedoraproject.org/packages/v8 (in addition to
https://apps.fedoraproject.org/packages/v8-314). So if Debian would
ship a version of V8 with a similar version, I will try to update the
R package to support this API.


On Tue, Jan 29, 2019 at 1:04 AM Andreas Tille <andreas at an3as.eu> wrote:
>
> Hi Jeroen,
>
> I realised that the Debian package of V8 has de facto no chance to make
> it into the next stable Debian release if it depends from V8 version
> 3.14 or 3.15 (as it is enforced in its configuration step).  The reason
> is that it depends from libv8-3.14 package which is suffering from
> several security bugs[1].  I've started a discussion[2] with the
> JavaScript maintainers which leaded to the suggestion to use the current
> V8 library which is part of the libnode-dev package.  However, the
> explicit version checks are preventing this.  I even tried to remove
> these checks but later (not unexpected) the code failed to build.
>
> The problem is that the CRAN V8 package has some reverse dependencies
> which all are affected and can not migrate to the next Debian stable
> release which would be a real shame.  Do you see any chance to adapt V8
> to some more recent implementation of the library?  Finally R
> applications like Shiny etc might suffer from security issues of that
> old and unmaintained V8 implementation.
>
> Kind regards
>
>       Andreas.
>
>
> [1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libv8-3.14
> [2] https://alioth-lists.debian.net/pipermail/pkg-javascript-devel/2019-January/030787.html
>
> On Mon, Jan 21, 2019 at 10:15:44AM +0100, Jérémy Lal wrote:
> > Le lun. 21 janv. 2019 à 10:08, Andreas Tille <andreas at an3as.eu> a écrit :
> >
> > > Hi Jonas,
> > >
> > > On Fri, Jan 18, 2019 at 08:04:33PM +0100, Jonas Smedegaard wrote:
> > > > Quoting Andreas Tille (2019-01-18 18:39:34)
> > > > > I'd prefer
> > > > >
> > > > >  - change nodejs to build its v8 as a shared lib, and provide it it
> > > > >    makes sense because upstream nodejs do all the work of keeping ABI
> > > > >    stability,
> > > >
> > > > The libv8 part of Nodejs is currently included in Debian as a _private_
> > > > shared library part of libnode.
> > > >
> > > > I guess you can try link with that private library - as an alternative
> > > > to waiting for someone to refactor packages, have ftpmasters approve new
> > > > package names, and then have it available in experimental.
> > >
> > > I admit I do not understand what exactly I need to do to use that
> > > private shared library.  I checked the content of the packages
> > > libnode-dev and libnode64 and did not found anything that looks
> > > like libv8.  Could you give any more verbose hint how I can link
> > > against the private shared library you mentioned?
> > >
> >
> > The headers are in libnode-dev
> >  /usr/include/nodejs/deps/v8/include/
> > and the link flag is
> > -lnode
> > (v8 being inside node). But can that work ?
> >
> > Jérémy
>
> --
> http://fam-tille.de



More information about the Pkg-javascript-devel mailing list