Hi Jeroen, thanks for contacting us! I'm not speaking for the team; this is my personal opinion on this:

V8 3.14 is a really, really old branch. Given that it has been unmaintained for so long, I seriously doubt that we will ever officially support it. I'm also against merging fixes to the 3.14 branch on the official V8 repository. That would give it an appearance of being maintained and secure, while it certainly is not.

May I ask you what your use cases are? What are the security requirements? How serious are information leaks, code execution vulnerabilities, etc.? If we are looking at merging crash bugs that cause issues for the embedder, we can probably arrange code reviews, and I would volunteer. But if you are thinking about looking at every single security fix since 3.14, checking whether 3.14 is vulnerable, and merging them back, then I would say that that's a bigger task than simply updating to the latest V8.

We have recently started to cooperate with node.js on their LTS branch, so the 5.1 branch will likely receive security fixes for quite some time.

Aside from that, how likely is it for distros to pick up updates to 3.14 in a timely manner?

Cheers,
Yang

On Thu, Jun 30, 2016 at 8:42 PM Jeroen Ooms <[email protected]> wrote:

> TLDR: I was wondering if I could propose a (semi) official effort to do a patch release in the 3.14 branch. I know, legacy maintenance is not exciting, but it would be incredibly helpful for the many users/projects/distributions relying on this version for their tools/infrastructure.
>
> A starting point based off v3.14.5.10 with 25 additional patches (as collected by Tom Callaway; see below) is available from:
>
> https://github.com/v8-314/v8/commits/3.14
>
> It would be fantastic if this could be reviewed by someone familiar with the v8 codebase, and perhaps adopted in some form or another in the main repository.
>
> Background:
>
> We are aware that the priority of V8 is to move Chromium forward and there is no official 'stable' API. But for many other applications, bundling libv8 sources is not an option. I personally maintain V8 bindings for the R programming language. These are in use by many statisticians, scientists, and ecologists (5k+ downloads per month from the main mirror alone) who have developed an infrastructure on top of this for e.g. working with geojson data.
>
> For license and portability reasons, we cannot bundle libv8 and instead need to dynamically link to libv8 on the system. Because R packages are supposed to work across platforms, we rely on some sort of consensus between distributions on the API version. For years, the de-facto stable API has been the 3.14 / 3.15 branch, which is provided by all major distributions:
>
> - https://aur.archlinux.org/packages/v8-3.14
> - https://packages.debian.org/sid/libv8-3.14.5
> - http://packages.ubuntu.com/xenial/libv8-3.14-dev
> - https://apps.fedoraproject.org/packages/v8-devel
> - https://www.opencsw.org/packages/CSWlibv8-dev
> - https://github.com/Homebrew/homebrew-versions/blob/master/v8-315.rb
>
> Therefore applications and bindings typically target this version of the API. Distributions want to keep providing this version (possibly in addition to libv8 v4 or v5) to prevent everything downstream from breaking down with a forced upgrade.
>
> However, the latest release in 3.14 is about 3 years old, forcing maintainers to start manually patching CVEs and compiler problems. This fragmentation of efforts is unfortunate and probably unsustainable. It would be super nice if the V8 team would be willing to help out with an official patch release in the 3.14 branch to get everyone on the same page and keep all those tools working a bit longer.
>
> Tom Callaway from Redhat has recently done a great job of collecting 25 important patches for a new 'v8-314' package in Fedora/EPEL. These include fixes for CVEs, gcc5 and MIPS/PowerPC.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1344415
>
> Patches with comments and building steps are available from his spec/rpm file.
>
> https://spot.fedorapeople.org/v8-314.spec
> https://spot.fedorapeople.org/v8-314-3.14.5.10-1.fc24.src.rpm
>
> For those unfamiliar with rpm, exactly the same patches have been applied in the same order in the Github repository linked above. It would be really great if we could take some of this effort upstream so that all distributions can sync with the official 3.14 branch.
>
> Thank you!
>
> Jeroen Ooms
> UCLA / UC Berkeley
>
> --
> v8-dev mailing list
> [email protected]
> http://groups.google.com/group/v8-dev
> ---
> You received this message because you are subscribed to the Google Groups "v8-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.