On Sat, Aug 04, 2018 at 04:44:05PM -0000, Elana Hashman wrote: > The ABI incompatibility with upstream is not just "regrettable", but an > actual bug. It's not supported behaviour; it's an undocumented ABI > deviation, and as soon as upstream became aware of it, they filed an > issue.
The problem is wider than this. Distributions aren't set up to maintain binary compatibility in the way that you expect. I appreciate the difficulties that this causes the ecosystem. However, binary compatibility with elements not shipped with the distribution is not a guarantee that binary distributions (like Debian, Ubuntu and others) have traditionally ever made. *Declaring* binary compatibility/incompatibility correctly is a separate matter and is possibly a bug here. For example: if I grab a binary built elsewhere and try to run it on my system, I may receive an error telling me that the linker cannot find "libc.so.5". It would correctly be reporting that binary dependencies that are expected to be provided by my system are not present. The equivalent should be happening with Node.js and third party modules affected by this issue, and if it isn't, that's a bug. This bug report says "will fail to load" though, so perhaps binary compatibility checks are working as expected. In this specific case it looks like it is possible to rebuild nodejs against openssl1.0 to resolve the problem for now. However, this is only possible because openssl1.0 happens to also be packaged in Bionic. This is a lucky coincidence. Had it been removed by the time of Bionic's release, we'd be far more stuck than we are now. I want to make sure that everybody involved understands this, because this demonstrates how the current expectations of the Node.js ecosystem mismatches the way distributions actually work. In the general case, distributions, in a particular release, may well not package the particular versions of dependencies that you declare to be part of your ABI. They may use other versions because it minimises distribution maintenance work to only package one version, and dependencies are used by other projects, too. It has been suggested that this would be the responsibility of distribution nodejs maintainers to resolve. However, in the general case it cannot be resolved. Other packaged projects may require a newer version of the dependency. That Node.js considers the dependency part of its "official ABI" is currently neither a reason to hold those projects back, nor a reason to package multiple versions of dependencies just for nodejs' sake. Distribution maintainers will patch nodejs as required to get it building against the newer version of the dependency so that the distribution can ship on schedule. That this might break binaries built outside the distribution has never been considered within the scope of general distribution development workflow, except to the extent that distribution binaries correctly declare their own ABIs and that diverging on ABI in a distribution-specific way that is not upstream (in this case upstream means OpenSSL, not Node.js) is generally undesirable. I hope this explains the actual problem: it's not as simple as just expecting/requiring downstream distributions to link against the version of the dependency that you want. So how do we resolve this properly? I don't know. Further discussion is needed. I hope my explanation of the problem above will help to frame this discussion. To be clear, I'm not attempting to block this current SRU. I just want it to be absolutely clear to everyone that it would be a stop-gap for 18.04 only. It will not stop the problem happening again in the future. And if the problem does recur in the future, the solution may not be as simple because the nodejs-upstream-required version of the dependency may not be available in the distribution release next time. I do think it's dangerous to just SRU this time and then forget about the problem. This would reinforce unrealistic/incorrect expectations, leading to bigger issues when the problem recurs at a point when the simple workaround won't be available. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1779863 Title: Ubuntu nodejs package isn't ABI compatible with mainline nodejs. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1779863/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
