For those following this discussion: there is now a version of r-cran-v8 that uses libnode-dev in sid. Is there anything we need to do to get r-cran-v8 back in buster?
On Tue, Jan 29, 2019 at 10:04 AM Andreas Tille <andr...@an3as.eu> wrote: > > Hi Jeroen, > > I realised that the Debian package of V8 has de facto no chance to make > it into the next stable Debian release if it depends from V8 version > 3.14 or 3.15 (as it is enforced in its configuration step). The reason > is that it depends from libv8-3.14 package which is suffering from > several security bugs[1]. I've started a discussion[2] with the > JavaScript maintainers which leaded to the suggestion to use the current > V8 library which is part of the libnode-dev package. However, the > explicit version checks are preventing this. I even tried to remove > these checks but later (not unexpected) the code failed to build. > > The problem is that the CRAN V8 package has some reverse dependencies > which all are affected and can not migrate to the next Debian stable > release which would be a real shame. Do you see any chance to adapt V8 > to some more recent implementation of the library? Finally R > applications like Shiny etc might suffer from security issues of that > old and unmaintained V8 implementation. > > Kind regards > > Andreas. > > > [1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libv8-3.14 > [2] > https://alioth-lists.debian.net/pipermail/pkg-javascript-devel/2019-January/030787.html > > On Mon, Jan 21, 2019 at 10:15:44AM +0100, Jérémy Lal wrote: > > Le lun. 21 janv. 2019 à 10:08, Andreas Tille <andr...@an3as.eu> a écrit : > > > > > Hi Jonas, > > > > > > On Fri, Jan 18, 2019 at 08:04:33PM +0100, Jonas Smedegaard wrote: > > > > Quoting Andreas Tille (2019-01-18 18:39:34) > > > > > I'd prefer > > > > > > > > > > - change nodejs to build its v8 as a shared lib, and provide it it > > > > > makes sense because upstream nodejs do all the work of keeping ABI > > > > > stability, > > > > > > > > The libv8 part of Nodejs is currently included in Debian as a _private_ > > > > shared library part of libnode. > > > > > > > > I guess you can try link with that private library - as an alternative > > > > to waiting for someone to refactor packages, have ftpmasters approve new > > > > package names, and then have it available in experimental. > > > > > > I admit I do not understand what exactly I need to do to use that > > > private shared library. I checked the content of the packages > > > libnode-dev and libnode64 and did not found anything that looks > > > like libv8. Could you give any more verbose hint how I can link > > > against the private shared library you mentioned? > > > > > > > The headers are in libnode-dev > > /usr/include/nodejs/deps/v8/include/ > > and the link flag is > > -lnode > > (v8 being inside node). But can that work ? > > > > Jérémy > > -- > http://fam-tille.de -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel