Re: [Pkg-javascript-devel] On nodejs use of embedded libraries
Jérémy Lal wrote:
> On 12/01/2012 04:50, Trent W. Buck wrote:
> "the Debian packaging should ensure that binary packages reference the
> libraries already in Debian and the convenience copy is not used"
> The nodejs debian package does exactly this.
> The v8 source code is not stripped out of the orig tarball, but that does not
> mean it's used.

OK.  Apologies for bothering you before checking that.

>> I don't know much about nodejs except someone was saying "hey
>> this won't compile on arm due to my CPU lacking BLX instruction"
>> and I went "WTF?! How can that happen with *javascript*?"
>
> This is just ignorance.
> v8 is fast because it compiles javascript to machine code on the fly.

Granted.  My reaction was because the project is called "node.js" but
included a js interpreter (before I realized it was v8).  Which to my
mind was like having a foo.el include a whole Emacs.

___
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] On nodejs use of embedded libraries
On 12/01/2012 04:50, Trent W. Buck wrote:
> I'm not formally reporting this as a bug because 1) nodejs is not my
> area of expertise; and 2) it "feels" like this is an issue that can't
> be solved.  Nevertheless, I'm bringing it to your attention.

Thank you.
My comments below apply to nodejs 0.4.12 that is available in debian/sid,
and libv8 in testing/sid.

> So I have just discovered that the "nodejs" package basically includes
> a courtesy copy of Google V8 js VM
> That sounds like something Not Cool
> quite, http://wiki.debian.org/EmbeddedCodeCopies

Policy 4.13 states:
"the Debian packaging should ensure that binary packages reference the
libraries already in Debian and the convenience copy is not used"
The nodejs debian package does exactly this.
The v8 source code is not stripped out of the orig tarball, but that does not
mean it's used.

> even worse if its a fork
> it's a very heavy fork in the case of v8
> it's based on v8, but it's stripped and rewritten in a lot of ways
> (duh)

The nodejs upstream team tries to *not* patch its v8 copy, except for cases
like the one discussed below, where they patched their copy of v8 before it
was done upstream, just to get the security fix applied and released as fast
as possible.
Many patches brought by nodejs have been applied to v8, too.

> paultag: so I shouldn't report it?
> from a client side dom bastardization to a fairly nice serverside
> impl
> I've just uploaded a signed .changes file for isdnutils but it's
> being rejected as unsigned?! http://paste.debian.net/151964/
> ouch, v8 had lots of security issues:
> http://security-tracker.debian.org/tracker/source-package/libv8
> twb: I don't know. I don't know if it counts as v8, since it's so
> hacked

The security issues they are talking about apply to an old version of v8,
2.2.24-6, that is in squeeze and is not used by nodejs nor by chromium.
Up-to-date versions are in testing/sid, as well as nodejs.

> I don't know much about nodejs except someone was saying "hey this
> won't compile on arm due to my CPU lacking BLX instruction" and I went "WTF?!
> How can that happen with *javascript*?"

This is just ignorance.
v8 is fast because it compiles javascript to machine code on the fly.
The arm issue (missing blx on armv4t) is worked around in the libv8 debian
package, by using adequate compile flags, so that libv8 is available on armel
and armhf architectures.

By the way, nodejs 0.6.x is not yet in debian just because its dependencies
are less obvious to separate (the uv backend *is* using patched versions of
its dependencies).

Regards
Jérémy.
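Jérémy's point above, that the v8 sources left in the orig tarball say nothing about what the built binary actually uses, is something one can verify on an installed system rather than take on trust. The script below is an added example, not part of this thread and not the Debian packaging's own tooling: it classifies an ELF binary as using the system libv8 (a DT_NEEDED entry for libv8 in `readelf -d` output), carrying its own copy (symbols in the v8 C++ namespace, mangled as `_ZN2v8...`, defined in the binary's own dynamic symbol table as `nm -D --defined-only` shows them), both, or neither. The classifier reads tool output from files so it can be exercised on the constructed sample lines at the bottom; `/usr/bin/nodejs` in the usage comment is just the path one would pass on a Debian system, and the soname `libv8.so.3.7.12` in the samples is made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian packaging): decide whether
# an ELF binary takes V8 from the system libv8 or carries its own copy.
# binutils (readelf, nm) is needed only when run against a real binary.

# Print every DT_NEEDED soname from `readelf -d` output read on stdin.
needed_libs() {
    # Matching line shape:  0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
    sed -n 's/.*(NEEDED).*\[\([^]]*\)\].*/\1/p'
}

# Count symbols in the v8 C++ namespace that the binary itself defines,
# from `nm -D --defined-only` output on stdin.  Itanium-mangled names in
# namespace v8 start with _ZN2v8; a binary that only links the shared
# libv8 defines none of them itself (they live in libv8.so).
count_defined_v8_symbols() {
    grep -c ' [TtWwDdBbVv] _ZN2v8' || true
}

# classify_v8_linkage READELF_FILE NM_FILE  -> system | bundled | both | none
classify_v8_linkage() {
    needed=$(needed_libs < "$1" | grep -c '^libv8\.so' || true)
    defined=$(count_defined_v8_symbols < "$2")
    if [ "$needed" -gt 0 ] && [ "$defined" -gt 0 ]; then
        echo both       # links libv8 yet still defines v8 symbols: look closer
    elif [ "$needed" -gt 0 ]; then
        echo system
    elif [ "$defined" -gt 0 ]; then
        echo bundled
    else
        echo none       # neither seen; a stripped static copy would land here too
    fi
}

# Constructed sample tool output (not captured from a real Debian binary),
# so the classifier can be exercised without binutils.
sample_readelf_system() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libv8.so.3.7.12]
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}
sample_nm_system() {
    cat <<'EOF'
0000000000412340 T main
0000000000612000 B completed.6531
EOF
}
sample_readelf_bundled() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}
sample_nm_bundled() {
    cat <<'EOF'
0000000000412340 T main
00000000004a1c00 T _ZN2v87Context3NewEPNS_22ExtensionConfigurationENS_6HandleINS_14ObjectTemplateEEENS3_INS_5ValueEEE
00000000004b0e10 T _ZN2v88internal4Heap12CollectGarbageENS0_15AllocationSpaceE
EOF
}

# classify_sample system|bundled  -> run the classifier on one constructed pair
classify_sample() {
    d=$(mktemp); n=$(mktemp)
    "sample_readelf_$1" > "$d"
    "sample_nm_$1" > "$n"
    classify_v8_linkage "$d" "$n"
    rm -f "$d" "$n"
}

# Real use on a Debian system, e.g.:  sh check_v8.sh /usr/bin/nodejs
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    d=$(mktemp); n=$(mktemp)
    readelf -d "$1" > "$d"
    nm -D --defined-only "$1" > "$n" 2>/dev/null || true
    printf '%s: %s\n' "$1" "$(classify_v8_linkage "$d" "$n")"
    rm -f "$d" "$n"
fi
```

The `none` result is the one to distrust: a binary that neither links libv8 nor exports v8 symbols could still contain a stripped, statically-linked copy, so treat it as "inspect further" (for instance by searching the binary for a V8 version string) rather than as a clean bill. The `both` result is also worth a look, since it means the package links the system library but some v8 code was still compiled in.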
[Pkg-javascript-devel] On nodejs use of embedded libraries
I'm not formally reporting this as a bug because 1) nodejs is not my
area of expertise; and 2) it "feels" like this is an issue that can't
be solved.  Nevertheless, I'm bringing it to your attention.

So I have just discovered that the "nodejs" package basically includes
a courtesy copy of Google V8 js VM
That sounds like something Not Cool
quite, http://wiki.debian.org/EmbeddedCodeCopies
even worse if its a fork
it's a very heavy fork in the case of v8
it's based on v8, but it's stripped and rewritten in a lot of ways
(duh)
paultag: so I shouldn't report it?
from a client side dom bastardization to a fairly nice serverside impl
I've just uploaded a signed .changes file for isdnutils but it's
being rejected as unsigned?! http://paste.debian.net/151964/
ouch, v8 had lots of security issues:
http://security-tracker.debian.org/tracker/source-package/libv8
twb: I don't know. I don't know if it counts as v8, since it's so hacked
I don't know much about nodejs except someone was saying "hey this
won't compile on arm due to my CPU lacking BLX instruction" and I went
"WTF?! How can that happen with *javascript*?"
pabs: yeah, +1, but how many are there after you remove DOM / link to a browser
remember, it's only exec'ing local files so remove vulns are less of an
issue, still serious though
remote *
twb: yeah, you can report it, but it's a very very hacked up fork of v8,
to the point of it not being exposed to the same issues
but I guess security should keep an eye on it
[pabs is reminded of the recent hash DoS in various languages, including nodejs]
++

From #debian-mentors on irc.oftc.org at Thu, 12 Jan 2012 14:46:46 +1100
(unfortunately that channel isn't publicly logged)