On 12/01/2012 04:50, Trent W. Buck wrote:
> I'm not formally reporting this as a bug because 1) nodejs is not my
> area of expertise; and 2) it "feels" like this is an issue that can't
> be solved.  Nevertheless, I'm bringing it to your attention.

Thank you. My comments that follow apply to nodejs 0.4.12 that is available in
debian/sid, and libv8 in testing/sid.
 
> <twb> So I have just discovered that the "nodejs" package basically includes 
> a courtesy copy of Google V8 js VM
> <twb> That sounds like something Not Cool
> <pabs> quite, http://wiki.debian.org/EmbeddedCodeCopies

Policy 4.13 states:
"the Debian packaging should ensure that binary packages reference the 
libraries already in Debian and the convenience copy is not used"
The nodejs debian package does exactly this.
The v8 source code is not stripped out of the orig tarball, but that does not 
mean it's used.

> <pabs> even worse if it's a fork
> <paultag> it's a very heavy fork in the case of v8
> <paultag> it's based on v8, but it's stripped and rewritten in a lot of ways 
> (duh)

The Nodejs upstream team tries to *not* patch its v8 copy,
except in cases like the one discussed below, where they patched their copy of v8
before it was done upstream, just to get the security fix applied and released
as fast as possible.
Many patches brought by nodejs have been applied to v8, too.


> <twb> paultag: so I shouldn't report it?
> <paultag> from a client side dom bastardization to a fairly nice serverside 
> impl
> <Laibsch> I've just uploaded a signed .changes file for isdnutils but it's 
> being rejected as unsigned?! http://paste.debian.net/151964/
> <pabs> ouch, v8 had lots of security issues: 
> http://security-tracker.debian.org/tracker/source-package/libv8
> <paultag> twb: I don't know. I don't know if it counts as v8, since it's so 
> hacked

The security issues they are talking about apply to an old version of v8,
2.2.24-6, that is in squeeze and is not used by nodejs nor by chromium.
Up-to-date versions are in testing/sid, as well as nodejs.

> <twb> I don't know much about nodejs except someone was saying "hey this 
> won't compile on arm due to my CPU lacking BLX instruction" and I went "WTF?! 
>  How can that happen with *javascript*?"

This is just ignorance.
v8 is fast because it compiles javascript to machine code on the fly.
The arm issue (missing blx on armv4t) is worked around in the libv8 debian package,
by using adequate compile flags, so that libv8 is available on armel and armhf
architectures.

By the way, nodejs 0.6.x is not yet in debian just because its dependencies are
less obvious to separate (the uv backend *is* using patched versions of its
dependencies).

Regards
Jérémy.

_______________________________________________
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
