Web lists-archives.com

libnode *might* need abi bump related to openssl 1.1.1 api break... or not...




hi !

Nodejs c++ addons (modules) in buster are built using libnode-dev - a great improvement
over previous "situation".
However upstream libnode embeds its dependencies, whereas almost all debian libnode
dependencies are shared.
Modules authors expect a given node ABI to offer the same versions, or versions
abi-compatible with, of these dependencies: uv, v8, openssl.
In the case of distributions, upstream acknowledged the fact distributors were building
nodejs against shared libraries, thus the versions might now be the same, breaking
their module ABI contract.
So upstream started working on a registry to keep track of ABI changes mandated
by distributors conditions. It's a work-in-progress but it's due:
https://github.com/nodejs/node/blob/9adf1fbe/doc/node_module_versions.json#L6

In Debian case, the api-break comes from openssl 1.1.1 where upstream used to
embed openssl 1.1.0:
[upstream view]
(https://github.com/nodejs/node/issues/18770#issuecomment-456918214)
[openssl discussion]
(https://mta.openssl.org/pipermail/openssl-project/2019-January/thread.html#1204)

It happens that that api breakage has been reverted and is merged in
openssl 1.1.1 stable branch:
https://github.com/openssl/openssl/commit/37857e9b5258da148e5d3699b6acdf8787417eb2

If openssl releases this and the release goes to buster, then all is fine in nodejs land.

If it doesn't, debian should ship libnode65, not libnode64, to make sure foreign node modules
will be able to know they're not installed on a compatible version of libnode.
The change in itself is trivial (just changing the soname) and should end up being
an automated transition.

However it's a special case that needs release team approval and coordination,
between openssl and nodejs.

Thanks for the feedback,
Jérémy