[Pkg-javascript-devel] V8 depends from outdated and unmaintained libv8 with security issues
Jeroen Ooms
jeroen at berkeley.edu
Wed Jan 30 21:44:04 GMT 2019
On Tue, Jan 29, 2019 at 1:04 AM Andreas Tille <andreas at an3as.eu> wrote:
>
> The problem is that the CRAN V8 package has some reverse dependencies
> which all are affected and can not migrate to the next Debian stable
> release which would be a real shame. Do you see any chance to adapt V8
> to some more recent implementation of the library? Finally R
> applications like Shiny etc might suffer from security issues of that
> old and unmaintained V8 implementation.

I'm making good progress with porting the R bindings to the new libv8
API that is part of libnode-dev.

However, I'm not sure how to write a portable configure script to
actually find headers/libs from libnode-dev. The script currently
looks for -lv8 and v8.h in the standard locations. I'm a bit reluctant
to hardcode a hack case for Debian to include headers from
/usr/include/nodejs/deps/v8/include and link to -lnode instead of
-lv8. People will be installing the same R package in
stretch/ubuntu/fedora where we do need to link to actual libv8; it
will get messy to special case Buster.

One solution would be if someone could upload a transition libv8-dev
package in Debian that creates symlinks in the expected locations:

/usr/lib/libv8.so -> /usr/lib/libnode.so
/usr/include/v8*.h -> /usr/include/nodejs/deps/v8/include/ (10 files)
/usr/include/libplatform -> /usr/include/nodejs/deps/v8/include/libplatform

I think this can prevent a lot of downstream breakage and confusion
where it is assumed and documented that the V8 R package depends on
libv8-dev.

Thanks for your help, all!
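
The two header/library layouts discussed in the message, written as a configure-style probe. This is an added example, not code from the original post or from the V8 R package. The function names `probe_v8` and `has_lib`, the sysroot argument and the multiarch glob are assumptions; the header paths and `-lv8`/`-lnode` are the ones quoted above.

```shell
#!/bin/sh
# Added example: probe for a usable V8, trying real libv8 first and the
# libnode-dev layout second. ROOT is a sysroot prefix ("" = live system).

# has_lib ROOT NAME -> 0 if libNAME.so* exists under ROOT/usr/lib or a
# multiarch subdirectory of it (the glob is an assumption, not from the post).
has_lib() {
    for f in "$1"/usr/lib/lib"$2".so* "$1"/usr/lib/*/lib"$2".so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# probe_v8 ROOT -> prints "<cppflags>|<libs>" and returns 0, or returns 1.
# Header AND library must both be present, so a stray v8.h left behind by
# a removed package does not select a layout that cannot link.
probe_v8() {
    root=$1
    # 1. Classic layout: v8.h in the standard include dir, link with -lv8.
    if [ -f "$root/usr/include/v8.h" ] && has_lib "$root" v8; then
        echo "-I$root/usr/include|-lv8"
        return 0
    fi
    # 2. libnode-dev layout: headers under nodejs/deps/v8/include, -lnode.
    node_inc="$root/usr/include/nodejs/deps/v8/include"
    if [ -f "$node_inc/v8.h" ] && has_lib "$root" node; then
        echo "-I$node_inc|-lnode"
        return 0
    fi
    echo "no V8 headers/library found under '${root:-/}'" >&2
    return 1
}

# Constructed demo: a fake sysroot that contains only libnode-dev files.
demo=$(mktemp -d)
mkdir -p "$demo/usr/include/nodejs/deps/v8/include" "$demo/usr/lib"
touch "$demo/usr/include/nodejs/deps/v8/include/v8.h" "$demo/usr/lib/libnode.so"
probe_v8 "$demo"
rm -rf "$demo"
```

With the proposed transition package installed, the first branch would match through the symlinks and the second would never be reached.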