Re: V8 depends from outdated and unmaintained libv8 with security issues
- To: Jérémy Lal <kapouer@melix.org>
- Cc: Jeroen Ooms <jeroen@berkeley.edu>, debian-r@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
- Subject: Re: V8 depends from outdated and unmaintained libv8 with security issues
- From: Jeroen Ooms <jeroen@berkeley.edu>
- Date: Tue, 23 Jul 2019 16:22:17 +0200
- Message-id: <CABFfbXsWxNbXve-KGx4WH6v0Rx8Oa6R70HggGAPR7n47MkBXNw@mail.gmail.com>
- In-reply-to: <CAJxTCxxfHfVbiDJYFE6PcS_tXvuwr94ZmdpDbyT2-nyFL4me5g@mail.gmail.com>
On Wed, May 22, 2019 at 11:06 AM Jérémy Lal <kapouer@melix.org> wrote:
>>> Hi Jérémy
>>>
>>> Now that r-cran-v8 seems to be working great with libnode-dev, perhaps
>>> the old libv8 should be removed from sid? Today I was working in sid
>>> and I noticed that apt still prefers the old v8 over the libnode-dev
>>> virtual package when installing libv8-dev as a dependency.
>>>
>>> Alternatively, instead of removing the old libv8 altogether, you
>>> could push a mini-update for the old package such that libv8-3.14-dev
>>> no longer provides libv8-dev, but libv8-3.14-dev keeps existing in
>>> sid. Thereby there will only be one libv8-dev in sid, which is the
>>> libnode-dev virtual package. However if people really want the old
>>> package for whatever reason, they could still install libv8-3.14-dev.
>>
>>
>> Thanks for the tip, I'll do that!
>
>
> In the process of doing that, I realized libv8-3.14 is no longer building from source
> and may require a lot of work to get it to.
> There is now only one package depending on libv8-3.14: uwsgi-plugin-v8
> so I'd rather remove libv8-3.14 entirely.

FYI I asked the Ubuntu maintainers to have a look at dropping
libv8-3.14 from stable releases too:
https://bugs.launchpad.net/ubuntu/+source/libv8-3.14/+bug/1837038