On Sun, Sep 22, 2013 at 5:17 PM, "Paweł Hajdan, Jr."
<phajdan.jr@g.o> wrote:
> I'd like to get your feedback and opinion about removing shared v8
> library package from Gentoo.

The three "inside the box" options require hope:

1. Use shared lib. Hope upstream package devs code to whichever V8 API
is used by Gentoo.

2. Bundle. When security problems are fixed, hope upstream package
devs update to the API used in the latest V8.

3. Use slots. Hope V8 security problems are "back ported".

When packages use V8 they put security conscious people in an awkward
"hope" position. It would be nice if packages recognized this and
added switches to disable V8. Then we could use option 1 or 2 and
fail ("disable v8 use flag") when upstream doesn't stay on top of
things.

An "outside the box" option might be to bundle... but somewhere tag
insecure versions of V8. Packages that only work with insecure
versions of V8 require the user to assert an "insecure" use flag or
keyword.

Chris