I'm not formally reporting this as a bug because 1) nodejs is not my area of expertise; and 2) it "feels" like this is an issue that can't be solved. Nevertheless, I'm bringing it to your attention.
<twb> So I have just discovered that the "nodejs" package basically includes a courtesy copy of Google V8 js VM
<twb> That sounds like something Not Cool
<pabs> quite, http://wiki.debian.org/EmbeddedCodeCopies
<pabs> even worse if it's a fork
<paultag> it's a very heavy fork in the case of v8
<paultag> it's based on v8, but it's stripped and rewritten in a lot of ways (duh)
<twb> paultag: so I shouldn't report it?
<paultag> from a client side dom bastardization to a fairly nice serverside impl
<Laibsch> I've just uploaded a signed .changes file for isdnutils but it's being rejected as unsigned?! http://paste.debian.net/151964/
<pabs> ouch, v8 had lots of security issues: http://security-tracker.debian.org/tracker/source-package/libv8
<paultag> twb: I don't know. I don't know if it counts as v8, since it's so hacked
<twb> I don't know much about nodejs except someone was saying "hey this won't compile on arm due to my CPU lacking BLX instruction" and I went "WTF?! How can that happen with *javascript*?"
<paultag> pabs: yeah, +1, but how many are there after you remove DOM / link to a browser
<paultag> remember, it's only exec'ing local files
<paultag> so remove vulns are less of an issue, still serious though
<paultag> remote *
<paultag> twb: yeah, you can report it, but it's a very very hacked up fork of v8, to the point of it not being exposed to the same issues
<paultag> but I guess security should keep an eye on it
* pabs is reminded of the recent hash DoS in various languages, including nodejs
<paultag> ++

From #debian-mentors on irc.oftc.org at Thu, 12 Jan 2012 14:46:46 +1100 (unfortunately that channel isn't publicly logged)
