On Fri, 18 Jan 2019 at 11:37, Andreas Tille <andr...@an3as.eu> wrote:
> Hi,
>
> I just realised that one of my packages does not migrate to testing due
> to its dependency from r-cran-v8 and in turn from libv8-devel. I
> realised that while libv8 has 3 security bugs which are set to
> stretch-ignore (#760385, #773623, #773671 - should this somehow also be
> set to buster-ignore??? - I had no idea that we ignore CVEs at all but
> anyway) it probably can not migrate to testing since it does not even
> build:
>
>    #853512 libv8-3.14: ftbfs with GCC-7
>
> This bug is RC since 6 months but there is no response from any
> uploader. So I tried to clone the repository from Salsa and realised
> that there is none at the place I would have expected
> (https://salsa.debian.org/js-team/libv8). Is there any other place
> (besides digging into Alioth archives where I could find the
> repository?) I admit I'm not motivated to find out how to restore
> old repositories but would rather use
>
>    gbp import-dscs --ignore-repo-config --debsnap --pristine-tar libv8
>
> instead. Any information about the status of this package would be
> really welcome.
>
> However, when reading
>
>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773671#59
>
> it might rather be the best idea to remove this lib from Debian at all and
> I need to see how I can avoid depending from this package.
>

Indeed, I am sorry for this bad state of things; I thought I could handle
it, but obviously I couldn't.

Possible solutions (besides not using it at all):
- bundle it
- nodejs bundles it
- change nodejs to build its v8 as a shared lib, and provide it.
  It makes sense because upstream nodejs does all the work of keeping ABI
  stability, backporting security fixes, choosing the right version, and so on.
- take over maintenance and distribute it independently of nodejs

Jérémy