[Pkg-javascript-devel] V8 depends from outdated and unmaintained libv8 with security issues
Jérémy Lal
kapouer at melix.org
Wed May 22 10:05:35 BST 2019
Le mer. 22 mai 2019 à 09:36, Jérémy Lal <kapouer at melix.org> a écrit :
>
>
> Le mer. 22 mai 2019 à 01:32, Jeroen Ooms <jeroen at berkeley.edu> a écrit :
>
>> Hi Jérémy
>>
>> Now that r-cran-v8 seems to be working great with libnode-dev, perhaps
>> the old libv8 should be removed from sid? Today I was working in sid
>> and I noticed that apt still prefers the old v8 over the libnode-dev
>> virtual package when installing libv8-dev as a dependency.
>>
>> Alternatively, instead of removing the old libv8 alltogether, you
>> could push a mini-update for the old package such that libv8-3.14-dev
>> no longer provides libv8-dev, but libv8-3.14-dev keeps existing in
>> sid. Thereby there will only be one libv8-dev in sid, which is the
>> libnode-dev virtual package. However if people really want the old
>> package for whatever reason, they could still install libv8-3.14-dev.
>>
>
> Thanks for the tip, i'll do that !
>
In the process of doing that, i realized libv8-3.14 is no longer building
from source
and may require a lot of work to get it to.
There is now only one package depending on libv8-3.14: uwsgi-plugin-v8
so i'd rather remove libv8-3.14 entirely.
Jérémy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20190522/508aab58/attachment.html>
More information about the Pkg-javascript-devel
mailing list