Re: V8 depends on outdated and unmaintained libv8 with security issues

On Mon, 11 Feb 2019 at 09:11, Dominique Dumont <dod@xxxxxxxxxx> wrote:

On Friday, 8 February 2019 12:10:01 CET Jérémy Lal wrote:
> > I suppose I need to ask for a removal of libv8 from unstable (it's removed
> > from testing) to be able to "take" libv8-dev. Or maybe declare a
> > libv8-in-nodejs-dev package?
> > In any case I don't know if I should make a libv8-xx package (which would
> > basically be symlinks to libnode).
> > Any advice is welcome...

I think the following should happen:
* update libv8 from new upstream source. [1]
* build nodejs for Debian using the updated libv8 packages as required by
Debian policy [2]

The Rakudo packaging team faced a similar issue with moarvm [3], which includes a
convenience copy of libtommath and libuv1. We had to:
* take over and update the libuv1 and libtommath packages, which were outdated
* add a Files-Excluded: line in moarvm's debian/copyright to remove the
convenience copies of libuv and libtommath
* use options provided by moarvm's build tools to use system libraries instead
of the convenience copies.

Hi Dominique,

That's what I tried to do in the first place.
However, the lack of v8 soname and ABI stability across versions gave me so much
additional work that I ended up not doing it at all, leading to v8 being unmaintained.
The solution here is purely practical: it offers a way to get a maintained v8 in Debian
for a very low additional time cost, because nodejs 10 will be maintained up
until April 2021 [2].
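The Files-Excluded mechanism Dominique describes, shown here as an added illustration that is not part of either message: a DEP-5 `debian/copyright` header paragraph that makes `uscan --repack` strip embedded library copies when the upstream tarball is imported. The Source URL and the two directory names are placeholders, not moarvm's real paths.

```text
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: moarvm
Source: https://example.invalid/moarvm
Comment: The Source URL and the excluded paths below are placeholders.
Files-Excluded:
 3rdparty/libtommath
 3rdparty/libuv
```

Because the excluded directories are removed from the repacked orig tarball rather than merely ignored at build time, the package cannot silently fall back to the bundled copy; the build has to be pointed at the system libuv1 and libtommath, which is exactly the third step in the list above, and the security fixes then come from the maintained system packages instead of a frozen embedded snapshot.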