Re: V8 depends from outdated and unmaintained libv8 with security issues
- Date: Mon, 11 Feb 2019 09:10:54 +0100
- From: Dominique Dumont <dod@xxxxxxxxxx>
- Subject: Re: V8 depends from outdated and unmaintained libv8 with security issues
On Friday, 8 February 2019 12:10:01 CET Jérémy Lal wrote:
> > I suppose i need to ask a removal of libv8 from unstable (it's removed
> > from testing) to
> > be able to "take" libv8-dev. Or maybe declare a libv8-in-nodejs-dev
> > package ?
> > In any case i don't know if i should make a libv8-xx package (which would
> > basically be
> > symlinks to libnode).
> > Any advice is welcome...
I think the following should happen:
* update libv8 from new upstream source. 
* build nodejs for Debian using the updated libv8 packages as required by
Debian policy 
Rakudo packaging team faced a similar issue with moarvm  which includes a
convenience copy of libtommath and libuv1. We had to:
* take over and update libuv1, libtommath packages that were outdated
* add a Files-Excluded: line in marvm's debian/copyright to remove the
convenience copies of libuv and libtommath
* use options provided by moarvm build tools to use system libraries instead
of the convenience copy.
Hope this helps
 Either https://chromium.googlesource.com/v8/v8.git or its "official" mirror