On 12/01/2012 04:50, Trent W. Buck wrote:
> I'm not formally reporting this as a bug because 1) nodejs is not my
> area of expertise; and 2) it "feels" like this is an issue that can't
> be solved. Nevertheless, I'm bringing it to your attention.
Thank you. My comments below apply to nodejs 0.4.12 that is available in
and libv8 in testing/sid.
> <twb> So I have just discovered that the "nodejs" package basically includes
> a courtesy copy of Google V8 js VM
> <twb> That sounds like something Not Cool
> <pabs> quite, http://wiki.debian.org/EmbeddedCodeCopies
Policy 4.13 states:
"the Debian packaging should ensure that binary packages reference the
libraries already in Debian and the convenience copy is not used"
The nodejs debian package does exactly this.
The v8 source code is not stripped out of the orig tarball, but that does not
mean it's used.
> <pabs> even worse if its a fork
> <paultag> it's a very heavy fork in the case of v8
> <paultag> it's based on v8, but it's stripped and rewritten in a lot of ways
The nodejs upstream team tries to *not* patch its v8 copy,
except for cases like the one discussed below, where they patched their copy of v8
before it was done upstream, just to get the security fix applied and released
as fast as possible.
Many patches brought by nodejs have been applied to v8, too.
> <twb> paultag: so I shouldn't report it?
> <paultag> from a client side dom bastardization to a fairly nice serverside
> <Laibsch> I've just uploaded a signed .changes file for isdnutils but it's
> being rejected as unsigned?! http://paste.debian.net/151964/
> <pabs> ouch, v8 had lots of security issues:
> <paultag> twb: I don't know. I don't know if it counts as v8, since it's so
The security issues they are talking about apply to an old version of v8,
2.2.24-6, that is in squeeze and is not used by nodejs nor by chromium.
Up-to-date versions are in testing/sid, as is nodejs.
> <twb> I don't know much about nodejs except someone was saying "hey this
> won't compile on arm due to my CPU lacking BLX instruction" and I went "WTF?!
This is just ignorance.
The arm issue (missing blx on armv4t) is worked around in the libv8 debian
by using adequate compile flags, so that libv8 is available on armel and armhf
By the way, nodejs 0.6.x is not yet in debian just because its dependencies are
obvious to separate (the uv backend *is* using patched versions of its
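The check a packager would actually run to confirm the Policy 4.13 claim above (that the binary references the Debian libv8 and the convenience copy is not used) is to look at the dynamic section and exported symbols of the built binary. The script below is an added example, not part of this mail thread or of the Debian nodejs packaging. The function names are made up, and the readelf/nm outputs it parses are constructed samples (including the libv8 soname), not captures from the real package.

```sh
#!/bin/sh
# Added example: verify a packaged binary uses the system libv8 rather than an
# embedded (convenience) copy. Two tests, both on output readelf/nm can produce
# offline on any Debian box:
#   1. the dynamic section has a NEEDED entry for libv8
#   2. the binary itself defines no v8 symbols (C++ namespace v8 mangles to _ZN2v8)
# All sample outputs below are constructed for illustration.

# Returns 0 if readelf -d output on stdin has a NEEDED entry for the library
# base name given as $1 (e.g. libv8).
needs_system_lib() {
    grep -q "(NEEDED).*Shared library: \[$1\."
}

# Prints the number of symbols in nm -D output (stdin) that are DEFINED in the
# binary (T/t/W/w) and live in the C++ namespace given as $1 ("v8" -> _ZN2v8).
# Undefined (U) references to the namespace are expected and do not count.
count_namespace_exports() {
    ns="$1"
    prefix="_ZN${#ns}${ns}"
    grep -c -E "^[0-9a-f]+ [TtWw] ${prefix}" || true
}

# Overall verdict: 0 = uses system lib, 1 = convenience copy suspected.
# $1 = readelf -d output, $2 = nm -D output, $3 = library base name, $4 = namespace
verdict() {
    dyn="$1"; syms="$2"; lib="$3"; ns="$4"
    if ! printf '%s\n' "$dyn" | needs_system_lib "$lib"; then
        echo "no NEEDED entry for $lib: convenience copy suspected"
        return 1
    fi
    n=$(printf '%s\n' "$syms" | count_namespace_exports "$ns")
    if [ "$n" -gt 0 ]; then
        echo "$n $ns symbols defined in the binary itself: convenience copy suspected"
        return 1
    fi
    echo "links system $lib and defines no $ns symbols"
    return 0
}

# Constructed sample (good case): binary linked against the system libv8;
# v8 symbols are only referenced (U), never defined.
GOOD_DYN='Dynamic section at offset 0x1000 contains 2 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libv8.so.3.7.12]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
GOOD_SYMS='0000000000401000 T main
                 U _ZN2v86String3NewEPKci'

# Constructed sample (bad case): bundled v8 statically linked in, so v8
# symbols are defined in the binary and libv8 is not NEEDED.
BAD_DYN='Dynamic section at offset 0x1000 contains 1 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
BAD_SYMS='0000000000401000 T main
0000000000402000 T _ZN2v86String3NewEPKci
0000000000403000 W _ZN2v87Context3NewEv'

# On a real system (not run here) the same check would be:
#   verdict "$(readelf -d /usr/bin/node)" "$(nm -D /usr/bin/node)" libv8 v8
verdict "$GOOD_DYN" "$GOOD_SYMS" libv8 v8
verdict "$BAD_DYN" "$BAD_SYMS" libv8 v8 || :
```

A binary can pass the NEEDED test and still carry a bundled copy (for instance a partially static link), which is why the second test on defined symbols is there; a non-zero count of defined v8 symbols is the stronger signal that the convenience copy was actually compiled in.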