Re: [Pkg-javascript-devel] nodejs / LTS
2016-04-27 17:36 GMT+02:00 Luca BRUNO: > On Tuesday, April 26, 2016 11:32:54 PM Jérémy Lal wrote: > > > Update: > > https://nodejs.org/en/blog/announcements/v6-release > > """ > > In October 2016, Node.js v6 will become the LTS release and the LTS > release > > line (version 4) > > will go under maintenance mode in April 2017, meaning only critical bugs, > > critical security fixes and documentation updates will be permitted. > > Users should begin transitioning from v4 to v6 in October when v6 goes > into > > LTS. > > """ > > > > I guess it will be too late for next debian release - still, it's good to > > know. > > Just double-checking, I'm not sure if our existing plans already take into > account the revised freeze schedule (slightly delayed): > https://lists.debian.org/debian-devel-announce/2016/03/msg0.html This might be worth a shot... let's reevaluate this summer. Jérémy ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] nodejs / LTS
On Tuesday, April 26, 2016 11:32:54 PM Jérémy Lal wrote: > Update: > https://nodejs.org/en/blog/announcements/v6-release > """ > In October 2016, Node.js v6 will become the LTS release and the LTS release > line (version 4) > will go under maintenance mode in April 2017, meaning only critical bugs, > critical security fixes and documentation updates will be permitted. > Users should begin transitioning from v4 to v6 in October when v6 goes into > LTS. > """ > > I guess it will be too late for next debian release - still, it's good to > know. Just double-checking, I'm not sure if our existing plans already take into account the revised freeze schedule (slightly delayed): https://lists.debian.org/debian-devel-announce/2016/03/msg0.html Ciao, Luca -- .''`. ** Debian GNU/Linux ** | Luca Bruno (kaeso) : :' : The Universal O.S.| lucab (AT) debian.org `. `'` | GPG: 0xBB1A3A854F3BBEBF `- http://www.debian.org | Debian GNU/Linux Developer signature.asc Description: This is a digitally signed message part. ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] nodejs / LTS
2015-10-27 19:29 GMT+01:00 Jérémy Lal: > > > 2015-10-27 18:45 GMT+01:00 Florian Weimer : > >> * Jérémy Lal: >> >> > But nodejs isn't actually the only rdep, you should check libv8-dev >> > rdeps as well: weechat, uwsgi, mongodb, osmium, plv8. The mess came >> > from lack of v8 LTS and version ABI support. Now that nodejs LTS is >> > just doing that work, a shared v8 would benefit from it. >> >> Hi Jérémy, >> >> we certainly won't object to any reduction in bundling. But it seems >> I lack sufficient context. What is the controversial aspect of this >> proposal? That the required work on other reverse dependencies may >> make it un-implementable? >> >> > nodejs 0.10 in stable is using libv8-3.14. > Both packages had/have no long term support from upstream. > Also upstream nodejs wasn't trying to keep any sort of abi compatibility > ("a mess" because i couldn't come up with a good idea to cope with it). > > Now upstream nodejs >= 4 minds abi breakage, provides > process.versions.modules > (which is 46 at the moment) and debian nodejs 4.2.1 package provides a > virtual > nodejs-abi-, and c++ modules will depend on that > virtual package (only node-iconv at the moment). > This means nodejs abi is tracked by upstream, and they commit to not change > it during the LTS period. > Also when it changes it will be simpler to rebuild all debian packages > affected by > that change, thanks to the dependency on the virtual package (thanks to > Jonas). > > What's also new is that upstream nodejs will support version 4.2.x for > three years, > starting this month, and will backport security patches to their copy of > v8 4.5.103 > during that time. > I say it's a nice opportunity for reverse dependencies of v8, and i think > using > nodejs 4.2 upstream tarball as a source for v8 4.5 during that time will > be a > straightforward way to maintain a libv8 debian package. > > Update: https://nodejs.org/en/blog/announcements/v6-release """ In October 2016, Node.js v6 will become the LTS release and the LTS release line (version 4) will go under maintenance mode in April 2017, meaning only critical bugs, critical security fixes and documentation updates will be permitted. Users should begin transitioning from v4 to v6 in October when v6 goes into LTS. """ I guess it will be too late for next debian release - still, it's good to know. Regards, Jérémy ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] nodejs / LTS
2015-10-27 18:45 GMT+01:00 Florian Weimer: > * Jérémy Lal: > > > But nodejs isn't actually the only rdep, you should check libv8-dev > > rdeps as well: weechat, uwsgi, mongodb, osmium, plv8. The mess came > > from lack of v8 LTS and version ABI support. Now that nodejs LTS is > > just doing that work, a shared v8 would benefit from it. > > Hi Jérémy, > > we certainly won't object to any reduction in bundling. But it seems > I lack sufficient context. What is the controversial aspect of this > proposal? That the required work on other reverse dependencies may > make it un-implementable? > > nodejs 0.10 in stable is using libv8-3.14. Both packages had/have no long term support from upstream. Also upstream nodejs wasn't trying to keep any sort of abi compatibility ("a mess" because i couldn't come up with a good idea to cope with it). Now upstream nodejs >= 4 minds abi breakage, provides process.versions.modules (which is 46 at the moment) and debian nodejs 4.2.1 package provides a virtual nodejs-abi-, and c++ modules will depend on that virtual package (only node-iconv at the moment). This means nodejs abi is tracked by upstream, and they commit to not change it during the LTS period. Also when it changes it will be simpler to rebuild all debian packages affected by that change, thanks to the dependency on the virtual package (thanks to Jonas). What's also new is that upstream nodejs will support version 4.2.x for three years, starting this month, and will backport security patches to their copy of v8 4.5.103 during that time. I say it's a nice opportunity for reverse dependencies of v8, and i think using nodejs 4.2 upstream tarball as a source for v8 4.5 during that time will be a straightforward way to maintain a libv8 debian package. Jérémy ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] nodejs / LTS
* Jérémy Lal: > But nodejs isn't actually the only rdep, you should check libv8-dev > rdeps as well: weechat, uwsgi, mongodb, osmium, plv8. The mess came > from lack of v8 LTS and version ABI support. Now that nodejs LTS is > just doing that work, a shared v8 would benefit from it. Hi Jérémy, we certainly won't object to any reduction in bundling. But it seems I lack sufficient context. What is the controversial aspect of this proposal? That the required work on other reverse dependencies may make it un-implementable? Thanks, Florian (Debian security team) ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] nodejs / LTS
2015-10-01 10:45 GMT+02:00 Jérémy Lal: > Hi Security Team and pkg-javascript-devel team, > > may i have your opinion on this discussion about having a shared v8 package > maintained by nodejs LTS support ? > > Please CC all. > > 2015-10-01 10:25 GMT+02:00 Moritz Mühlenhoff : > >> Hi, >> >> yes i'm in favor of getting latest nodejs LTS into next debian release >> (be it 4.1 or 4.2, >>> >>> but certainly not 5.0). >>> >> >> >> 4.1.1 is the next LTS: https://github.com/nodejs/LTS/ >> > > I'm not reading anything on that page regarding version 4.1.1 ? The > documentation there > is a bit outdated and doesn't reflect current choices - they mention > versions and dates as > mere examples to explain their plans. > Update: v4.2.0 will be our LTS release https://github.com/nodejs/node/issues/3000#issuecomment-144894835 Jérémy ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] nodejs / LTS
Hi Security Team and pkg-javascript-devel team, may i have your opinion on this discussion about having a shared v8 package maintained by nodejs LTS support ? Please CC all. 2015-10-01 10:25 GMT+02:00 Moritz Mühlenhoff: > Hi, > > yes i'm in favor of getting latest nodejs LTS into next debian release (be > it 4.1 or 4.2, >> >> but certainly not 5.0). >> > > > 4.1.1 is the next LTS: https://github.com/nodejs/LTS/ > I'm not reading anything on that page regarding version 4.1.1 ? The documentation there is a bit outdated and doesn't reflect current choices - they mention versions and dates as mere examples to explain their plans. The next LTS might not be released in time for stretch: > https://wiki.debian.org/DebianStretch > > Do you plan to stick with one version for the nodejs packages or to make > them co-installable? > One version. If there is a new nodejs LTS several months before Stretch transition freeze, then considering an update is reasonable. Future transitions are likely to be less painful than the nodejs 0.10 -> 4 one: - pure js modules are mostly forward-compatible - c++ addons API compatibility is getting better with node-nan 2.x - most of the time updating node-nan and rebuilding addons will be fine. I'm thinking of updating v8 debian package and linking against it in nodejs >> 4 - as you know >> that wasn't a good idea for libv8-3.14 / nodejs 0.10 as it required too >> much work. >> It could be more successful and maintainable if we directly use the >> nodejs v8 bundled copy, >> thus taking advantage of nodejs LTS security patches and enlightened >> choices. >> > > Currently nodejs is the only rdep of libv8-3.14-dev (chromium uses the > bundled version as well). > Given that libv8 is an unmaintainable mess I'm personally in favour of > abandoning the packaged > libv8 in favour of nodejs using the bundled version (since currently > nodejs is essentially > security-unmaintained in jessie) > But nodejs isn't actually the only rdep, you should check libv8-dev rdeps as well: weechat, uwsgi, mongodb, osmium, plv8. The mess came from lack of v8 LTS and version ABI support. Now that nodejs LTS is just doing that work, a shared v8 would benefit from it. But I can't/won't decide on this on my own, please contact > t...@security.debian.org for a broader > discussion. > CC-ing > PS: could we bring this discussion to pkg-javascript-devel for their >> information ? >> > > Sure, please CC me, I'm not CCed. > CC-ing Jérémy ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel