-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/11/13 12:22 AM, "Paweł Hajdan, Jr." wrote:
> For some context of this please see
> <http://thread.gmane.org/gmane.linux.gentoo.devel/88222>
>
> v8-3.20.17.7 fixes a memory corruption vulnerability, see
> <http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html>
>
> However, we still have v8-3.19 and even 3.18 in portage - this is
> probably an oversight when stabilizing new versions.
>
> Problem #1 is that sci-geosciences/osgearth-2.4 depends on
> =dev-lang/v8-3.18.5.14 (see
> <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It
> doesn't work with more recent v8, but it can be made to not depend
> on v8.
>
> Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is
> actually broken for other reasons, see
> <https://bugs.gentoo.org/show_bug.cgi?id=490216>. I'd like that USE
> flag to be removed and v8 to always be disabled in drizzle.
>
> With that I'd like to proceed with hard masking v8. I'm working
> with upstream on better API stability, it seems to be working
> pretty well. That's still a very long way to ABI stability, if at
> all possible.
>
> Please comment on possible solutions for removing known vulnerable
> v8 versions from the tree.
>
> Paweł
>

So, you're saying, drop v8 USE flags and deps from these two packages,
and hard-mask? Makes sense to me...

I'm still a little concerned about the potential security issues
caused by embedded V8s in projects, but as we've already concluded in
that other thread, there's no other way until the API stabilizes.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iF4EAREIAAYFAlJ8+EcACgkQ2ugaI38ACPDZvwEAhQHhSovgSouf+TMnZrus1I4v
svWFshpj9ZR6/EhvzH4A/izLFwlxfwcNrkwEkzOY7FBBAxh9zMPiOLZFGbcxtqKx
=Tooi
-----END PGP SIGNATURE-----