[Pkg-javascript-devel] V8 depends from outdated and unmaintained libv8 with security issues

Jeroen Ooms jeroen at berkeley.edu
Tue Jan 29 19:11:20 GMT 2019


On Tue, Jan 29, 2019 at 10:56 AM Jérémy Lal <kapouer at melix.org> wrote:
>
>
>
> On Tue, Jan 29, 2019 at 19:41, Jeroen Ooms <jeroen at berkeley.edu> wrote:
>>
>> Is there another version of libv8 available on Debian? I'm willing to
>> try to port it to a newer version of V8. The issue with libv8 has
>> always been that Google refuses to define a stable API, and they do a
>> new release every day (no joke). So it's very hard to program against
>> that.
>>
>> That said, Fedora is now shipping v8 6.7.17
>> https://apps.fedoraproject.org/packages/v8 (in addition to
>> https://apps.fedoraproject.org/packages/v8-314). So if Debian would
>> ship a version of V8 with a similar version, I will try to update the
>> R package to support this API.
>
>
> Please read the full bug report, and TL;DR:
> the best thing to do that I don't do because I lack time, is to package the v8 version
> that is in nodejs (10.15 at the moment, soon in testing).
>
> It will profit from the hard work upstream nodejs do to keep ABI-compatibility across
> nodejs versions, with the bonus of having security fixes backported.

OK I'll have a look. So the full libv8.so and libv8 headers will be in
libnode-dev now? Why not separate out an actual libv8-dev package as
part of the 'nodejs' source package, so we can install just libv8
without all the node stuff?


