[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

V8 depends from outdated and unmaintained libv8 with security issues



Hi Jeroen,

I realised that the Debian package of V8 has de facto no chance to make
it into the next stable Debian release if it depends from V8 version
3.14 or 3.15 (as it is enforced in its configuration step).  The reason
is that it depends from libv8-3.14 package which is suffering from
several security bugs[1].  I've started a discussion[2] with the
JavaScript maintainers which leaded to the suggestion to use the current
V8 library which is part of the libnode-dev package.  However, the
explicit version checks are preventing this.  I even tried to remove
these checks but later (not unexpected) the code failed to build.

The problem is that the CRAN V8 package has some reverse dependencies
which all are affected and can not migrate to the next Debian stable
release which would be a real shame.  Do you see any chance to adapt V8
to some more recent implementation of the library?  Finally R
applications like Shiny etc might suffer from security issues of that
old and unmaintained V8 implementation.

Kind regards

      Andreas.


[1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libv8-3.14
[2] https://alioth-lists.debian.net/pipermail/pkg-javascript-devel/2019-January/030787.html

On Mon, Jan 21, 2019 at 10:15:44AM +0100, Jérémy Lal wrote:
> Le lun. 21 janv. 2019 à 10:08, Andreas Tille <andreas@an3as.eu> a écrit :
> 
> > Hi Jonas,
> >
> > On Fri, Jan 18, 2019 at 08:04:33PM +0100, Jonas Smedegaard wrote:
> > > Quoting Andreas Tille (2019-01-18 18:39:34)
> > > > I'd prefer
> > > >
> > > >  - change nodejs to build its v8 as a shared lib, and provide it it
> > > >    makes sense because upstream nodejs do all the work of keeping ABI
> > > >    stability,
> > >
> > > The libv8 part of Nodejs is currently included in Debian as a _private_
> > > shared library part of libnode.
> > >
> > > I guess you can try link with that private library - as an alternative
> > > to waiting for someone to refactor packages, have ftpmasters approve new
> > > package names, and then have it available in experimental.
> >
> > I admit I do not understand what exactly I need to do to use that
> > private shared library.  I checked the content of the packages
> > libnode-dev and libnode64 and did not found anything that looks
> > like libv8.  Could you give any more verbose hint how I can link
> > against the private shared library you mentioned?
> >
> 
> The headers are in libnode-dev
>  /usr/include/nodejs/deps/v8/include/
> and the link flag is
> -lnode
> (v8 being inside node). But can that work ?
> 
> Jérémy

-- 
http://fam-tille.de


Reply to: