On Mon, Apr 03, 2017 at 09:13:56PM +0300, Adrian Bunk wrote:
> On Mon, Apr 03, 2017 at 08:03:16PM +0200, Moritz Muehlenhoff wrote:
> > On Tue, Feb 28, 2017 at 02:28:28PM +0200, Adrian Bunk wrote:
> > > Control: severity -1 serious
> > >
> > > Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
> > > 4 years old when stretch gets released.
> > >
> > > In the current state the package is really too buggy for shipping
> > > in a new stable release.
> >
> > Note that nodejs will not be covered by security support in stretch (as it
> > was
> > done for jessie already). We had initially considered it, but with
> > nodejs 6 not having it made into stretch, that's not realistic.
> >
> > So these can be downgraded to non-RC (or if the release team thinks
> > nodejs should rather be remove from testing, removal is also an option
> > of course).
>
> This is not even the normal Node.js, this is a version of V8 from an
> upstream branch that is dead for 4 years already.
Right. Initially there was some plan to provide a supported libv8
from src:nodejs, though.
libv8 has never been covered by security support in any Debian release
so far, upstream does no real security support apart from what lands
in Chrome.
Cheers,
Moritz
