On Wed, Nov 12, 2014 at 08:35:18AM -0500, Monty Taylor wrote:
> Just for the record, I believe that we should choose the tools that make
> sense for making our software, as long as it's not physically impossible
> for them to be packaged. This means we should absolutely not use things
> that require multiple versions of node to be needed. The nodejs that's
> in trusty is new enough to work with all of the modern javascript tool
> chain things needed for this, so other than the various javascript tools
> and libraries not being packaged in the distros yet, it should be fine.

Agreed. We're in the position to describe or define what we'd like to
use or to see in the future. That may require us to create required
tools.

You're not concerned about node.js? Most probably, since you're not
distributing it. Looking at the changelog, I'm a bit worried[1]:

- 2014.10.20: openssl (addressing multiple CVEs)
- 2014.09.16: v8: fix a crash introduced by previous release
- 2014.08.19: v8: backport CVE-2013-6668 (they shouldn't bundle v8 at all)
- 2014.06.05: openssl: to 1.0.1h (CVE-2014-0224)
- 2013.12.18: v8: backport fix for CVE-2013-{6639|6640}

etc., etc.

This leads immediately to two questions:
Why is openssl bundled there?
Why is v8 bundled there?

It's not about flaws in implementation of software, it's more about bad
design.

Since we don't require node.js on the server (yet), but only for the
development process: did anyone look at node's competitors? Like
CommonJS, Rhino, or SpiderMonkey?

[1] http://nodejs.org/changelog.html

--
Matthias Runge <mru...@redhat.com>

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev