1 |
On 10/6/13 12:05 AM, Chris Stankevitz wrote: |
2 |
> On Sun, Sep 22, 2013 at 5:17 PM, "Paweł Hajdan, Jr." |
3 |
> <phajdan.jr@g.o> wrote: |
4 |
>> I'd like to get your feedback and opinion about removing shared v8 |
5 |
>> library package from Gentoo. |
6 |
> |
7 |
> The three "inside the box" options require hope: |
8 |
> |
9 |
> 1. Use share lib. Hope upstream package devs code to whichever V8 API |
10 |
> is used by Gentoo. |
11 |
|
12 |
This is not happening, and there is a good history and evidence of it. |
13 |
Upstream package devs code to the V8 API they bundle. |
14 |
|
15 |
Even then, V8 API changes every 6 weeks. It's pretty short time for most |
16 |
projects to adapt. And it's not like they only change 1-2 things, |
17 |
sometimes fundamental parts of the API are almost rewritten. |
18 |
|
19 |
For an example read |
20 |
<https://groups.google.com/d/msg/v8-users/MUq5WrC2kcE/Z3LyOmELzD0J>. |
21 |
|
22 |
Note that I'm working with upstream and it seems to slowly make some |
23 |
improvements, e.g. |
24 |
<https://groups.google.com/d/msg/v8-users/jq8k9s4xEu8/N-es0or3uz4J>. |
25 |
|
26 |
> 2. Bundle. When security problems are fixed, hope upstream package |
27 |
> devs update to the API used in the latest V8. |
28 |
|
29 |
I think this is where we're at. Actually it's more tricky since I know |
30 |
e.g. node.js developers sometimes say the security holes don't apply to |
31 |
them and don't update. They may be right, but upstream V8 says only |
32 |
latest stable V8 is security supported, which makes sense to me. |
33 |
|
34 |
> 3. Use slots. Hope V8 security problems are "back ported". |
35 |
|
36 |
How is that different from bundling? When an old version of V8 has known |
37 |
vulnerabilities it has to be removed from the tree. |
38 |
|
39 |
Feel free to "try" to backport, it's just not that easy with project |
40 |
moving as fast as V8. You'd pretty much have to have the same |
41 |
understanding of the code that V8 upstream developers have, and at that |
42 |
point you could probably help solve the API/ABI stability problems in a |
43 |
more direct way. |
44 |
|
45 |
Paweł |