libv8 is something we've considered in the past as part of our webkit
work and Ubuntu SDK audits. We can't effectively support libv8 because
it is constantly changing. Therefore, backporting patches becomes
infeasible very quickly and we are faced with having to use a new
upstream release-- which would likely break anything that depends on it.
NAK on libv8 in the archive.
What we did for the Ubuntu SDK is allow an embedded version of libv8--
this is guaranteed to always match with its consumer, but for this to
work it must be demonstrated that libv8 does not process untrusted
javascript. If it doesn't, there is no attack surface for the embedded
libv8 and therefore it doesn't have to be kept up to date. If it does
processed untrusted javascript, NAK.
** Changed in: libv8 (Ubuntu)
Assignee: Canonical Security Team (canonical-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1187262
Title:
[MIR] mongodb, libv8, snowball, gyp
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gyp/+bug/1187262/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
