[Pkg-javascript-devel] V8 depends from outdated and unmaintained libv8 with security issues
Jonas Smedegaard
jonas at jones.dk
Tue Jan 29 20:15:11 GMT 2019
Quoting Jeroen Ooms (2019-01-29 20:11:20)
> On Tue, Jan 29, 2019 at 10:56 AM Jérémy Lal <kapouer at melix.org> wrote:
> >
> >
> >
> > Le mar. 29 janv. 2019 à 19:41, Jeroen Ooms <jeroen at berkeley.edu> a écrit :
> >>
> >> Is there another version of libv8 available on Debian? I'm willing to
> >> try to port it to a newer version of V8. The issue with libv8 has
> >> always been that Google refuses to define a stable API, and they do a
> >> new release every day (no joke). So it's very hard to program against
> >> that.
> >>
> >> That said, Fedora is now shipping v8 6.7.17
> >> https://apps.fedoraproject.org/packages/v8 (in addition to
> >> https://apps.fedoraproject.org/packages/v8-314). So if Debian would
> >> ship a version of V8 with a similar version, I will try to update the
> >> R package to support this API.
> >
> >
> > Please read the full bug report, and TL;DR:
> > the best thing to do that i don't do because i lack time, is to package the v8 version
> > that is in nodejs (10.15 at the moment, soon in testing).
> >
> > It will profit from the hard work upstream nodejs do to keep ABI-compatibility across
> > nodejs versions, with the bonus of having security fixes backported.
>
> OK I'll have a look. So the full libv8.so and libv8 headers will be in
> libnode-dev now? Why not separate out an actual libv8-dev package as
> part of the 'nodejs' source package, so we can install just libv8
> without all the node stuff?
I believe you quoted the answer to your question. ;-)
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20190129/5225de27/attachment.sig>
More information about the Pkg-javascript-devel
mailing list