Package: nodejs
Version: 8.10.0~dfsg-2
Severity: important
This bug was initially reported downstream against Ubuntu in https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1779863 by the upstream GRPC maintainer.
Summary of the issue: upstream nodejs vendors its openssl dependency and exports the openssl symbols as part of its ABI for native extensions. Node 8.x depends on openssl 1.0.2. However, Node 8.x in Debian depends on the default openssl, version 1.1.0. As a result, the Debian nodejs package provides an incompatible ABI for compiled native node extensions, resulting in subtle and confusing bugs for end users.
Note that Ubuntu is using an unpatched upstream Debian package in Bionic/18.04. Hence, this bug really affects the Debian build, not just Ubuntu. IMO we should not diverge from the ABI contract that upstream provides. Typical nodejs development practices involve downloading dependencies with npm, which may include precompiled native dependencies that rely on a stable node ABI. It is very confusing for end users to install a system nodejs, download these deps as normal, and then encounter subtle incompatibilities with scary error messages, like this:
node: symbol lookup error: /home/pixel/node-openssl-addon-example/build/Release/openssl_example.node: undefined symbol: SSL_library_init
This seriously impacts the user experience for nodejs users. And I'm worried that because this is an openssl 1.0.x issue, this problem is even uglier. I imagine nodejs vendored upstream openssl, which lacks symbol versions altogether (which could potentially mitigate the issue a little bit, for systems that have both openssl version .so's installed).
Ubuntu Bionic will need to patch their builddeps downstream to use the right version of openssl, and I'm going to comment on their bug along those lines. This is also an option for us in Debian, but given that we want to drop openssl 1.0.2 in buster, I'd suggest we could also fix this bug by upgrading node to 10.x, available in experimental, which depends on openssl 1.1.0 upstream.
- e
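Added example (not part of the original report, and not Debian or Node.js tooling): a Python check that takes `nm -D` output for a native addon and for the binaries that would satisfy its imports, and lists the OpenSSL symbols that would fail at load time, as in the `SSL_library_init` error quoted above. The sample `nm` listings, the addresses, and the prefix list used to recognise OpenSSL symbols are constructed for illustration.

```python
import re

# Heuristic prefixes treated as OpenSSL API names (assumption for this example).
OPENSSL_PREFIXES = ("SSL_", "EVP_", "ERR_", "CRYPTO_", "OPENSSL_", "BIO_", "X509_")

# One `nm -D` line: optional address, one-letter type, symbol name.
_NM_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)?\s*([A-Za-z])\s+(\S+)\s*$")

def parse_nm(text):
    """Return (defined, undefined) symbol-name sets from `nm -D` output."""
    defined, undefined = set(), set()
    for line in text.splitlines():
        m = _NM_LINE.match(line)
        if not m:
            continue
        addr, kind, name = m.groups()
        name = name.split("@", 1)[0]      # drop @VERSION / @@VERSION suffix
        if kind == "U":
            undefined.add(name)           # strong import: must resolve at load
        elif addr is not None:
            defined.add(name)             # exported by this object
        # weak undefined ('w'/'v' without address) never aborts loading: skipped
    return defined, undefined

def unresolved_openssl(addon_nm, provider_nms):
    """OpenSSL-looking imports of the addon that no provider exports."""
    needed = parse_nm(addon_nm)[1]
    provided = set()
    for text in provider_nms:
        provided |= parse_nm(text)[0]
    return sorted(s for s in needed - provided if s.startswith(OPENSSL_PREFIXES))

# Constructed sample: addon built against upstream Node 8.x headers (OpenSSL 1.0.2 API).
ADDON_NM = """                 U SSL_library_init
                 U SSL_CTX_new
                 U node_module_register
                 U memcpy@GLIBC_2.14
                 w __gmon_start__"""
# Constructed sample: node linked dynamically against system OpenSSL 1.1.0.
DEBIAN_NODE_NM = "0000000000912340 T node_module_register"
LIBSSL11_NM = """0000000000031a10 T OPENSSL_init_ssl@@OPENSSL_1_1_0
0000000000033c80 T SSL_CTX_new@@OPENSSL_1_1_0"""
# Constructed sample: upstream-style node exporting its vendored OpenSSL 1.0.2.
UPSTREAM_NODE_NM = """0000000000a1b2c0 T SSL_library_init
0000000000a1c400 T SSL_CTX_new
0000000000912340 T node_module_register"""

if __name__ == "__main__":
    print(unresolved_openssl(ADDON_NM, [DEBIAN_NODE_NM, LIBSSL11_NM]))
```

Symbols such as `memcpy` are ignored here because only OpenSSL-prefixed imports are reported; libc and the other libraries are assumed to resolve them.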