
Re: [Pkg-javascript-devel] V8 depends from outdated and unmaintained libv8 with security issues



On Tue, Jan 29, 2019 at 12:15 PM Jonas Smedegaard <jonas@jones.dk> wrote:
>
> Quoting Jeroen Ooms (2019-01-29 20:11:20)
> > On Tue, Jan 29, 2019 at 10:56 AM Jérémy Lal <kapouer@melix.org> wrote:
> > >
> > >
> > >
> > > On Tue, Jan 29, 2019 at 19:41, Jeroen Ooms <jeroen@berkeley.edu> wrote:
> > >>
> > >> Is there another version of libv8 available on Debian? I'm willing to
> > >> try to port it to a newer version of V8. The issue with libv8 has
> > >> always been that Google refuses to define a stable API, and they do a
> > >> new release every day (no joke). So it's very hard to program against
> > >> that.
> > >>
> > >> That said, Fedora is now shipping v8 6.7.17
> > >> https://apps.fedoraproject.org/packages/v8 (in addition to
> > >> https://apps.fedoraproject.org/packages/v8-314). So if Debian would
> > >> ship a version of V8 with a similar version, I will try to update the
> > >> R package to support this API.
> > >
> > >
> > > Please read the full bug report, and TL;DR:
> > > the best thing to do that I don't do because I lack time, is to package the v8 version
> > > that is in nodejs (10.15 at the moment, soon in testing).
> > >
> > > It will profit from the hard work upstream nodejs do to keep ABI-compatibility across
> > > nodejs versions, with the bonus of having security fixes backported.
> >
> > OK I'll have a look. So the full libv8.so and libv8 headers will be in
> > libnode-dev now? Why not separate out an actual libv8-dev package as
> > part of the 'nodejs' source package, so we can install just libv8
> > without all the node stuff?
>
> I believe you quoted the answer to your question. ;-)

You mean the time constraint?

If there is going to be no libv8 package anymore, and libnode-dev
doesn't have a pkg-config file or /usr/lib/v8.h or libv8.so, how are
the bindings supposed to find the proper include and linker path to
libv8?

