Gentoo Archives: gentoo-dev

From: "Paweł Hajdan
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] does v8 shared library make sense with current upstream approach?
Date: Sun, 06 Oct 2013 16:11:17
Message-Id: 52518B02.8050104@gentoo.org
In Reply to: Re: [gentoo-dev] does v8 shared library make sense with current upstream approach? by Chris Stankevitz

On 10/6/13 12:05 AM, Chris Stankevitz wrote:
> On Sun, Sep 22, 2013 at 5:17 PM, "Paweł Hajdan, Jr."
> <phajdan.jr@g.o> wrote:
>> I'd like to get your feedback and opinion about removing shared v8
>> library package from Gentoo.
>
> The three "inside the box" options require hope:
>
> 1. Use shared lib. Hope upstream package devs code to whichever V8 API
> is used by Gentoo.

This is not happening, and there is a good history and evidence of it.
Upstream package devs code to the V8 API they bundle.

Even then, the V8 API changes every 6 weeks. It's a pretty short time for
most projects to adapt. And it's not like they only change 1-2 things,
sometimes fundamental parts of the API are almost rewritten.

For an example read
<https://groups.google.com/d/msg/v8-users/MUq5WrC2kcE/Z3LyOmELzD0J>.

Note that I'm working with upstream and it seems to slowly make some
improvements, e.g.
<https://groups.google.com/d/msg/v8-users/jq8k9s4xEu8/N-es0or3uz4J>.

> 2. Bundle. When security problems are fixed, hope upstream package
> devs update to the API used in the latest V8.

I think this is where we're at. Actually it's more tricky since I know
e.g. node.js developers sometimes say the security holes don't apply to
them and don't update. They may be right, but upstream V8 says only
latest stable V8 is security supported, which makes sense to me.

> 3. Use slots. Hope V8 security problems are "back ported".

How is that different from bundling? When an old version of V8 has known
vulnerabilities it has to be removed from the tree.

Feel free to "try" to backport, it's just not that easy with a project
moving as fast as V8. You'd pretty much have to have the same
understanding of the code that V8 upstream developers have, and at that
point you could probably help solve the API/ABI stability problems in a
more direct way.

Paweł

Attachments

File name MIME type
signature.asc application/pgp-signature