On Thu, Jun 30, 2016 at 9:41 PM, Yang Guo <[email protected]> wrote:
> May I ask you what your use cases are? What are the security requirements?
> How serious are information leaks, code execution vulnerabilities etc?

As an application developer, my main concern is simply to meet the requirements for distributions to keep shipping this version so that our applications remain supported. I think this mainly involves fixing gcc 5/6, and (for Debian) mips / ppc. Perhaps also the dead gyp dependency URL in the build script, which is now 404. For our applications security is not an issue, but I suppose every CVE patch is an improvement over the status quo for most distros.

> I'm also against merging fixes to the 3.14 branch on the official V8
> repository. That would give it an appearance of being maintained and secure,
> while it certainly is not.

That is understandable. Perhaps we can find a form to release in a way that emphasizes this branch is legacy/deprecated, yet still shows this is a serious effort to fix urgent problems and has been reviewed, such that downstream maintainers can find and trust it? Maybe a branch repo named '3.14-legacy-unsupported' or so? I am afraid that if I release this under my personal name it will probably be ignored :-)

> We are recently starting to cooperate with node.js on their LTS branch, so
> the 5.1 branch will likely receive security fixes for quite some time.

That is great to hear. Does that mean the API will be stable? It would be great if this would be communicated or coordinated with downstream libv8 maintainers. For example, Fedora seems to be planning to jump to 5.2.258, which is not LTS I suppose? As an application developer I want to encourage the various distributions to agree on which version of the v8 API they want to support so that we can write software that works across platforms. Still, it would be really great if we can patch up 3.14 to keep it working at least until this new LTS release is stable and has landed in most distributions.

> Aside from that, how likely is it for distros to pick up updates to 3.14 in a
> timely manner?

Assuming patches introduce no breaking changes, I expect they might be adopted easily, especially if they fix urgent problems with gcc 5/6 which most distributions will need.

--
v8-dev mailing list
http://groups.google.com/group/v8-dev
