Re: [Pkg-javascript-devel] nodejs / LTS

2016-04-27 Thread Jérémy Lal
2016-04-27 17:36 GMT+02:00 Luca BRUNO :

> On Tuesday, April 26, 2016 11:32:54 PM Jérémy Lal wrote:
>
> > Update:
> > https://nodejs.org/en/blog/announcements/v6-release
> > """
> > In October 2016, Node.js v6 will become the LTS release and the LTS
> > release line (version 4) will go under maintenance mode in April 2017,
> > meaning only critical bugs, critical security fixes and documentation
> > updates will be permitted.
> > Users should begin transitioning from v4 to v6 in October when v6 goes
> > into LTS.
> > """
> >
> > I guess it will be too late for next debian release - still, it's good to
> > know.
>
> Just double-checking, I'm not sure if our existing plans already take into
> account the revised freeze schedule (slightly delayed):
> https://lists.debian.org/debian-devel-announce/2016/03/msg0.html


This might be worth a shot... let's reevaluate this summer.

Jérémy
___
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Re: [Pkg-javascript-devel] nodejs / LTS

2016-04-27 Thread Luca BRUNO
On Tuesday, April 26, 2016 11:32:54 PM Jérémy Lal wrote:

> Update:
> https://nodejs.org/en/blog/announcements/v6-release
> """
> In October 2016, Node.js v6 will become the LTS release and the LTS release
> line (version 4) will go under maintenance mode in April 2017, meaning only
> critical bugs, critical security fixes and documentation updates will be
> permitted.
> Users should begin transitioning from v4 to v6 in October when v6 goes into
> LTS.
> """
> 
> I guess it will be too late for next debian release - still, it's good to
> know.

Just double-checking, I'm not sure if our existing plans already take into 
account the revised freeze schedule (slightly delayed):
https://lists.debian.org/debian-devel-announce/2016/03/msg0.html

Ciao, Luca

-- 
 .''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :'  :   The Universal O.S.| lucab (AT) debian.org
`. `'`  | GPG: 0xBB1A3A854F3BBEBF
  `- http://www.debian.org  | Debian GNU/Linux Developer



Re: [Pkg-javascript-devel] nodejs / LTS

2016-04-26 Thread Jérémy Lal
2015-10-27 19:29 GMT+01:00 Jérémy Lal :

>
>
> 2015-10-27 18:45 GMT+01:00 Florian Weimer :
>
>> * Jérémy Lal:
>>
>> > But nodejs isn't actually the only rdep, you should check libv8-dev
>> > rdeps as well: weechat, uwsgi, mongodb, osmium, plv8.  The mess came
>> > from lack of v8 LTS and version ABI support.  Now that nodejs LTS is
>> > just doing that work, a shared v8 would benefit from it.
>>
>> Hi Jérémy,
>>
>> we certainly won't object to any reduction in bundling.  But it seems
>> I lack sufficient context.  What is the controversial aspect of this
>> proposal?  That the required work on other reverse dependencies may
>> make it un-implementable?
>>
>>
> nodejs 0.10 in stable is using libv8-3.14.
> Both packages had/have no long term support from upstream.
> Also upstream nodejs wasn't trying to keep any sort of abi compatibility
> ("a mess" because i couldn't come up with a good idea to cope with it).
>
> Now upstream nodejs >= 4 minds abi breakage, provides
> process.versions.modules (which is 46 at the moment) and debian nodejs
> 4.2.1 package provides a virtual nodejs-abi-, and c++ modules will depend
> on that virtual package (only node-iconv at the moment).
> This means nodejs abi is tracked by upstream, and they commit to not change
> it during the LTS period.
> Also when it changes it will be simpler to rebuild all debian packages
> affected by that change, thanks to the dependency on the virtual package
> (thanks to Jonas).
>
> What's also new is that upstream nodejs will support version 4.2.x for
> three years, starting this month, and will backport security patches to
> their copy of v8 4.5.103 during that time.
> I say it's a nice opportunity for reverse dependencies of v8, and i think
> using nodejs 4.2 upstream tarball as a source for v8 4.5 during that time
> will be a straightforward way to maintain a libv8 debian package.
>
>

Update:
https://nodejs.org/en/blog/announcements/v6-release
"""
In October 2016, Node.js v6 will become the LTS release and the LTS release
line (version 4) will go under maintenance mode in April 2017, meaning only
critical bugs, critical security fixes and documentation updates will be
permitted.
Users should begin transitioning from v4 to v6 in October when v6 goes into
LTS.
"""

I guess it will be too late for next debian release - still, it's good to
know.

Regards,
Jérémy

Re: [Pkg-javascript-devel] nodejs / LTS

2015-10-27 Thread Jérémy Lal
2015-10-27 18:45 GMT+01:00 Florian Weimer :

> * Jérémy Lal:
>
> > But nodejs isn't actually the only rdep, you should check libv8-dev
> > rdeps as well: weechat, uwsgi, mongodb, osmium, plv8.  The mess came
> > from lack of v8 LTS and version ABI support.  Now that nodejs LTS is
> > just doing that work, a shared v8 would benefit from it.
>
> Hi Jérémy,
>
> we certainly won't object to any reduction in bundling.  But it seems
> I lack sufficient context.  What is the controversial aspect of this
> proposal?  That the required work on other reverse dependencies may
> make it un-implementable?
>
>
nodejs 0.10 in stable is using libv8-3.14.
Both packages had/have no long term support from upstream.
Also upstream nodejs wasn't trying to keep any sort of abi compatibility
("a mess" because i couldn't come up with a good idea to cope with it).

Now upstream nodejs >= 4 minds abi breakage, provides
process.versions.modules (which is 46 at the moment) and debian nodejs
4.2.1 package provides a virtual nodejs-abi-, and c++ modules will depend
on that virtual package (only node-iconv at the moment).
This means nodejs abi is tracked by upstream, and they commit to not change
it during the LTS period.
Also when it changes it will be simpler to rebuild all debian packages
affected by that change, thanks to the dependency on the virtual package
(thanks to Jonas).

What's also new is that upstream nodejs will support version 4.2.x for
three years, starting this month, and will backport security patches to
their copy of v8 4.5.103 during that time.
I say it's a nice opportunity for reverse dependencies of v8, and i think
using nodejs 4.2 upstream tarball as a source for v8 4.5 during that time
will be a straightforward way to maintain a libv8 debian package.

Jérémy
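
The rebuild tracking described in the message above, as an added example that is not part of the original thread or of the Debian packaging: it lists packages whose dependencies pin a Node.js ABI other than the current one. The virtual package name `nodejs-abi-<N>` (N being `process.versions.modules`) is an assumption, since the name is truncated in the thread, and every stanza except the `node-iconv` package name is a constructed sample.

```javascript
// Added example; all stanzas are constructed samples, not real package data.
// Assumption: the virtual package is named "nodejs-abi-<N>", where N is the
// value of process.versions.modules (the name is truncated in the thread).
const SAMPLE_STATUS = `Package: node-iconv
Depends: libc6 (>= 2.14), nodejs (>= 4.2.1),
 nodejs-abi-46

Package: node-example-addon
Depends: nodejs-abi-14 | nodejs-abi-46, libstdc++6

Package: node-example-old
Depends: nodejs-abi-14

Package: node-pure-js
Depends: nodejs
`;

// Parse control-file stanzas; a line starting with whitespace continues
// the previous field.
function parseStanzas(text) {
  return text.split(/\n\s*\n/).filter(s => s.trim()).map(stanza => {
    const fields = {};
    let last = null;
    for (const line of stanza.split('\n')) {
      if (/^\s/.test(line) && last) { fields[last] += ' ' + line.trim(); continue; }
      const i = line.indexOf(':');
      if (i < 0) continue;
      last = line.slice(0, i);
      fields[last] = line.slice(i + 1).trim();
    }
    return fields;
  });
}

// True if some Depends clause consists only of nodejs-abi-<N> alternatives
// and none of them is the given ABI.
function pinsOtherAbi(depends, abi) {
  return (depends || '').split(',').some(clause => {
    const alts = clause.split('|').map(a => /^nodejs-abi-(\d+)\b/.exec(a.trim()));
    return alts.every(Boolean) && !alts.some(m => m[1] === String(abi));
  });
}

// Names of packages that must be rebuilt for the given ABI
// (default: the ABI of the interpreter running this script).
function needsRebuild(statusText, abi = process.versions.modules) {
  return parseStanzas(statusText)
    .filter(p => pinsOtherAbi(p.Depends, abi))
    .map(p => p.Package);
}

console.log(needsRebuild(SAMPLE_STATUS, 46));
```
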

Re: [Pkg-javascript-devel] nodejs / LTS

2015-10-27 Thread Florian Weimer
* Jérémy Lal:

> But nodejs isn't actually the only rdep, you should check libv8-dev
> rdeps as well: weechat, uwsgi, mongodb, osmium, plv8.  The mess came
> from lack of v8 LTS and version ABI support.  Now that nodejs LTS is
> just doing that work, a shared v8 would benefit from it.

Hi Jérémy,

we certainly won't object to any reduction in bundling.  But it seems
I lack sufficient context.  What is the controversial aspect of this
proposal?  That the required work on other reverse dependencies may
make it un-implementable?

Thanks,
Florian
(Debian security team)



Re: [Pkg-javascript-devel] nodejs / LTS

2015-10-02 Thread Jérémy Lal
2015-10-01 10:45 GMT+02:00 Jérémy Lal :

> Hi Security Team and pkg-javascript-devel team,
>
> may i have your opinion on this discussion about having a shared v8 package
> maintained by nodejs LTS support ?
>
> Please CC all.
>
> 2015-10-01 10:25 GMT+02:00 Moritz Mühlenhoff :
>
>> Hi,
>>
>>> yes i'm in favor of getting latest nodejs LTS into next debian release
>>> (be it 4.1 or 4.2, but certainly not 5.0).
>>
>> 4.1.1 is the next LTS: https://github.com/nodejs/LTS/
>
> I'm not reading anything on that page regarding version 4.1.1 ? The
> documentation there is a bit outdated and doesn't reflect current choices -
> they mention versions and dates as mere examples to explain their plans.
>

Update:

v4.2.0 will be our LTS release


https://github.com/nodejs/node/issues/3000#issuecomment-144894835

Jérémy

Re: [Pkg-javascript-devel] nodejs / LTS

2015-10-01 Thread Jérémy Lal
Hi Security Team and pkg-javascript-devel team,

may i have your opinion on this discussion about having a shared v8 package
maintained by nodejs LTS support ?

Please CC all.

2015-10-01 10:25 GMT+02:00 Moritz Mühlenhoff :

> Hi,
>
>> yes i'm in favor of getting latest nodejs LTS into next debian release
>> (be it 4.1 or 4.2, but certainly not 5.0).
>
> 4.1.1 is the next LTS: https://github.com/nodejs/LTS/
>

I'm not reading anything on that page regarding version 4.1.1 ? The
documentation there is a bit outdated and doesn't reflect current choices -
they mention versions and dates as mere examples to explain their plans.

> The next LTS might not be released in time for stretch:
> https://wiki.debian.org/DebianStretch
>
> Do you plan to stick with one version for the nodejs packages or to make
> them co-installable?
>

One version.
If there is a new nodejs LTS several months before Stretch transition freeze,
then considering an update is reasonable. Future transitions are likely to be
less painful than the nodejs 0.10 -> 4 one:
- pure js modules are mostly forward-compatible
- c++ addons API compatibility is getting better with node-nan 2.x - most of
  the time updating node-nan and rebuilding addons will be fine.

>> I'm thinking of updating v8 debian package and linking against it in nodejs
>> 4 - as you know that wasn't a good idea for libv8-3.14 / nodejs 0.10 as it
>> required too much work.
>> It could be more successful and maintainable if we directly use the nodejs
>> v8 bundled copy, thus taking advantage of nodejs LTS security patches and
>> enlightened choices.
>
> Currently nodejs is the only rdep of libv8-3.14-dev (chromium uses the
> bundled version as well).
> Given that libv8 is an unmaintainable mess I'm personally in favour of
> abandoning the packaged libv8 in favour of nodejs using the bundled version
> (since currently nodejs is essentially security-unmaintained in jessie)

But nodejs isn't actually the only rdep, you should check libv8-dev rdeps as
well: weechat, uwsgi, mongodb, osmium, plv8.
The mess came from lack of v8 LTS and version ABI support.
Now that nodejs LTS is just doing that work, a shared v8 would benefit from
it.

> But I can't/won't decide on this on my own, please contact
> t...@security.debian.org for a broader discussion.
>

CC-ing


>> PS: could we bring this discussion to pkg-javascript-devel for their
>> information ?
>
> Sure, please CC me, I'm not CCed.
>

CC-ing

Jérémy