| 1 |
On 9/25/13 1:16 AM, Peter Volkov wrote: |
| 2 |
> But could you comment on how hard it'll be to slot v8 shared library? |
| 3 |
> Keeping libraries bundled is a security nightmare. |
| 4 |
|
| 5 |
Slotting v8 would be hugely impractical and rather a misuse of SLOTs. |
| 6 |
|
| 7 |
Slotting makes sense when there are at most 2-3 major versions, each |
| 8 |
with its own release series, that are incompatible, but packages can |
| 9 |
depend on one or another series. Thing gtk2 vs. gtk3 for example, or |
| 10 |
maybe some Java libraries. |
| 11 |
|
| 12 |
With v8 API and ABI breaks can (and we've seen that) be introduced even |
| 13 |
between patch version increments like a.b.c.x vs. a.b.c.y. Trying to |
| 14 |
slot that would be totally equivalent to bundling at the cost of |
| 15 |
increased complexity (more custom changes compared to upstream - also |
| 16 |
headers would need to be handled somehow, currently we don't have a good |
| 17 |
way for that, especially one that would be consistent across distros). |
| 18 |
|
| 19 |
Finally, note that v8 upstream only supports the latest stable v8. |
| 20 |
Slotting would require us to keep old, _known_ to be vulnerable versions |
| 21 |
of v8 in the tree. Backporting of patches isn't always |
| 22 |
possible/feasible, and even then for complex and fast moving software |
| 23 |
it's not guaranteed to fix all the issues (some security bugs might have |
| 24 |
been fixed in more recent versions without realizing security implications). |
| 25 |
|
| 26 |
At least with bundling upstream _may_ track v8 security vulnerabilities |
| 27 |
and do something with their copy. With slotting we'd have _known_ |
| 28 |
vulnerable v8 versions right there in the tree. That'd be a security |
| 29 |
nightmare. |
| 30 |
|
| 31 |
Please let me know if you have more questions. At this moment I'm |
| 32 |
confident slotting does not address the problem. More deeper, upstream |
| 33 |
changes should be made, and I'll be working on that but it's going to |
| 34 |
take time. |
| 35 |
|
| 36 |
Paweł |
Archives