Your message dated Tue, 25 Dec 2018 12:00:11 +0000
with message-id <e1gblnb-0001nt...@fasolo.debian.org>
and subject line Bug#904274: fixed in nodejs 10.12.0~dfsg-1
has caused the Debian Bug report #904274,
regarding nodejs: Debian nodejs is not ABI-compatible with upstream nodejs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
904274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nodejs
Version: 8.10.0~dfsg-2
Severity: important

This bug was initially reported downstream against Ubuntu in https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1779863 by the upstream GRPC maintainer.

Summary of the issue: upstream nodejs vendors its openssl dependency and exports the openssl symbols as part of its ABI for native extensions. Node 8.x depends on openssl 1.0.2. However, Node 8.x in Debian depends on the default openssl, version 1.1.0. As a result, the Debian nodejs package provides an incompatible ABI for compiled native node extensions, resulting in subtle and confusing bugs for end users.

Note that Ubuntu is using an unpatched upstream Debian package in Bionic/18.04. Hence, this bug really affects the Debian build, not just Ubuntu. IMO we should not diverge from the ABI contract that upstream provides. Typical nodejs development practices involve downloading dependencies with npm, which may include precompiled native dependencies that rely on a stable node ABI. It is very confusing for end users to install a system nodejs, download these deps as normal, and then encounter subtle incompatibilities with scary error messages, like this:

node: symbol lookup error: /home/pixel/node-openssl-addon-example/build/Release/openssl_example.node: undefined symbol: SSL_library_init

This seriously impacts the user experience for nodejs users. And I'm worried that because this is an openssl 1.0.x issue, this problem is even uglier. I imagine nodejs vendored upstream openssl, which lacks symbol versions altogether (which could potentially mitigate the issue a little bit, for systems that have both openssl version .so's installed).

Ubuntu Bionic will need to patch their builddeps downstream to use the right version of openssl, and I'm going to comment on their bug along those lines. This is also an option for us in Debian, but given that we want to drop openssl 1.0.2 in buster, I'd suggest we could also fix this bug by upgrading node to 10.x, available in experimental, which depends on openssl 1.1.0 upstream.

- e

--- End Message ---
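The mismatch reported above can be checked before an addon is loaded. The following is an added example, not part of the bug report or of the nodejs package: it compares the symbols an addon imports with those its host process exports. The `nm -D` listings are constructed samples, and the function names and prefix list are assumptions made for illustration.

```python
import re

# Heuristic (assumed) list of prefixes used by OpenSSL's public C API.
OPENSSL_PREFIXES = ("SSL_", "TLS_", "EVP_", "X509_", "BIO_",
                    "ERR_", "RSA_", "OPENSSL_", "CRYPTO_")

# One `nm -D` line: optional hex address, one-letter type, symbol name.
NM_LINE = re.compile(r"^\s*(?:[0-9A-Fa-f]+\s+)?([A-Za-z])\s+(\S+)\s*$")

def parse_nm(text):
    """Split `nm -D` output into (undefined, defined) symbol-name sets."""
    undefined, defined = set(), set()
    for line in text.splitlines():
        m = NM_LINE.match(line)
        if not m:
            continue
        kind = m.group(1)
        name = m.group(2).split("@", 1)[0]   # drop any @VERSION suffix
        if kind == "U":
            undefined.add(name)              # must be resolved at load time
        elif kind not in "wv":               # skip undefined weak symbols
            defined.add(name)
    return undefined, defined

def missing_openssl_symbols(addon_nm, provider_nms):
    """OpenSSL symbols the addon imports that no provider exports."""
    needed, _ = parse_nm(addon_nm)
    provided = set()
    for text in provider_nms:
        provided |= parse_nm(text)[1]
    return sorted(s for s in needed - provided
                  if s.startswith(OPENSSL_PREFIXES))

# Constructed sample: an addon built against the openssl 1.0.2 API.
ADDON_NM = """\
                 U SSL_CTX_new
                 U SSL_library_init
                 U node_module_register
                 w __gmon_start__
0000000000001120 T _init
"""

# Constructed sample: exports of a node process linked to openssl 1.1.0.
HOST_NM = """\
0000000000a10000 T node_module_register
0000000000035000 T SSL_CTX_new@@OPENSSL_1_1_0
0000000000036000 T OPENSSL_init_ssl@@OPENSSL_1_1_0
"""

if __name__ == "__main__":
    print(missing_openssl_symbols(ADDON_NM, [HOST_NM]))
```

On a real system the listings would come from `nm -D` run on the `.node` file and on the node binary together with the shared libraries it loads.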
--- Begin Message ---
Source: nodejs
Source-Version: 10.12.0~dfsg-1

We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 904...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapo...@melix.org> (supplier of updated nodejs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 Oct 2018 11:24:28 +0200
Source: nodejs
Binary: nodejs-dev libnode-dev nodejs libnode64 nodejs-doc
Architecture: source amd64 all
Version: 10.12.0~dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Jérémy Lal <kapo...@melix.org>
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode64  - evented I/O for V8 javascript - runtime library
 nodejs     - evented I/O for V8 javascript - runtime executable
 nodejs-dev - evented I/O for V8 javascript (debhelper files)
 nodejs-doc - API documentation for Node.js, the javascript platform
Closes: 901297 901474 904274 905415 905886
Changes:
 nodejs (10.12.0~dfsg-1) experimental; urgency=medium
 .
   * New upstream version 10.11.0~dfsg
   * openssl: use bundled copy because node is not compatible
     with openssl 1.1.1 right now (and there is no upstream fix).
     On the plus side:
     + this avoids ABI breakage for C++ addons (Closes: #904274)
     + upstream have security support for openssl vulns
     On the down side, it's a policy 4.13 violation.
   * copyright:
     + no longer exclude marked since it is removed
     + drop paragraph for pthread-barrier.h
   * Multiarch and DFHS:
     + patch adding --node-relative-path configuration variable
     + "/usr/lib/<$DEB_HOST_MULTIARCH>/nodejs" for c++ addons
     + "/usr/share/nodejs" for pure javascript modules
     + "/usr/lib/nodejs" for smooth migration of current modules
     + Expose those configuration variables in
       process.config.variables.node_relative_path
       process.config.variables.arch_triplet
     + In particular, if prefix is /usr/local all paths move there.
     + Fix test expecting lib/node, should be lib/nodejs.
     (Closes: #901474)
   * Build using shared libuv1 again (Closes: #905415)
   * Standards-Version 4.2.1
   * Add support for mips64r6el arch (Closes: #905886)
   * Drop libnodeXX-dev in favor of libnode-dev (Closes: #901297)
   * Patch tools/doc to restore old dependencies on marked,
     while waiting for remarked/rehyped modules to be available.
   * sequential/test-http2-session-timeout is a flaky test
   * Add lintian override for test/fixtures/assert-long-line.js,
     false source-is-missing positive.
   * Build using LANG=C
   * Stop excluding tools/gyp because upstream patches it
   * Tighten dependency on nghttp2 >= 1.34.0

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
