| 1 |
On Sun, Sep 22, 2013 at 5:17 PM, "Paweł Hajdan, Jr." |
| 2 |
<phajdan.jr@g.o> wrote: |
| 3 |
> I'd like to get your feedback and opinion about removing shared v8 |
| 4 |
> library package from Gentoo. |
| 5 |
|
| 6 |
The three "inside the box" options require hope: |
| 7 |
|
| 8 |
1. Use share lib. Hope upstream package devs code to whichever V8 API |
| 9 |
is used by Gentoo. |
| 10 |
|
| 11 |
2. Bundle. When security problems are fixed, hope upstream package |
| 12 |
devs update to the API used in the latest V8. |
| 13 |
|
| 14 |
3. Use slots. Hope V8 security problems are "back ported". |
| 15 |
|
| 16 |
When packages use V8 they put security conscious people in an awkward |
| 17 |
"hope" position. It would be nice if packages recognized this and |
| 18 |
added switches to disable V8. Then we could use option 1 or 2 and |
| 19 |
fail ("disable v8 use flag") when upstream doesn't stay on top of |
| 20 |
things. |
| 21 |
|
| 22 |
An "outside the box" option might be to bundle... but somewhere tag |
| 23 |
insecure versions of V8. Packages that only work with insecure |
| 24 |
versions of V8 require the user to assert an "insecure" use flag or |
| 25 |
keyword. |
| 26 |
|
| 27 |
Chris |
Archives