1 |
On 9/25/13 1:16 AM, Peter Volkov wrote: |
2 |
> But could you comment on how hard it'll be to slot v8 shared library? |
3 |
> Keeping libraries bundled is a security nightmare. |
4 |
|
5 |
Slotting v8 would be hugely impractical and rather a misuse of SLOTs. |
6 |
|
7 |
Slotting makes sense when there are at most 2-3 major versions, each |
8 |
with its own release series, that are incompatible, but packages can |
9 |
depend on one or another series. Thing gtk2 vs. gtk3 for example, or |
10 |
maybe some Java libraries. |
11 |
|
12 |
With v8 API and ABI breaks can (and we've seen that) be introduced even |
13 |
between patch version increments like a.b.c.x vs. a.b.c.y. Trying to |
14 |
slot that would be totally equivalent to bundling at the cost of |
15 |
increased complexity (more custom changes compared to upstream - also |
16 |
headers would need to be handled somehow, currently we don't have a good |
17 |
way for that, especially one that would be consistent across distros). |
18 |
|
19 |
Finally, note that v8 upstream only supports the latest stable v8. |
20 |
Slotting would require us to keep old, _known_ to be vulnerable versions |
21 |
of v8 in the tree. Backporting of patches isn't always |
22 |
possible/feasible, and even then for complex and fast moving software |
23 |
it's not guaranteed to fix all the issues (some security bugs might have |
24 |
been fixed in more recent versions without realizing security implications). |
25 |
|
26 |
At least with bundling upstream _may_ track v8 security vulnerabilities |
27 |
and do something with their copy. With slotting we'd have _known_ |
28 |
vulnerable v8 versions right there in the tree. That'd be a security |
29 |
nightmare. |
30 |
|
31 |
Please let me know if you have more questions. At this moment I'm |
32 |
confident slotting does not address the problem. More deeper, upstream |
33 |
changes should be made, and I'll be working on that but it's going to |
34 |
take time. |
35 |
|
36 |
Paweł |