| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 08/11/13 12:22 AM, "Paweł Hajdan, Jr." wrote: |
| 5 |
> For some context of this please see |
| 6 |
> <http://thread.gmane.org/gmane.linux.gentoo.devel/88222> |
| 7 |
> |
| 8 |
> v8-3.20.17.7 fixes a memory corruption vulnerability, see |
| 9 |
> <http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html> |
| 10 |
> |
| 11 |
> However, we still have v8-3.19 and even 3.18 in portage - this is |
| 12 |
> probably an oversight when stabilizing new versions. |
| 13 |
> |
| 14 |
> Problem #1 is that sci-geosciences/osgearth-2.4 depends on |
| 15 |
> =dev-lang/v8-3.18.5.14 (see |
| 16 |
> <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It |
| 17 |
> doesn't work with more recent v8, but it can be made to not depend |
| 18 |
> on v8. |
| 19 |
> |
| 20 |
> Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is |
| 21 |
> actually broken for other reasons, see |
| 22 |
> <https://bugs.gentoo.org/show_bug.cgi?id=490216>. I'd like that USE |
| 23 |
> flag to be removed and v8 to always be disabled in drizzle. |
| 24 |
> |
| 25 |
> With that I'd like to proceed with hard masking v8. I'm working |
| 26 |
> with upstream on better API stability, it seems to be working |
| 27 |
> pretty well. That's still a very long way to ABI stability, if at |
| 28 |
> all possible. |
| 29 |
> |
| 30 |
> Please comment on possible solutions for removing known vulnerable |
| 31 |
> v8 versions from the tree. |
| 32 |
> |
| 33 |
> Paweł |
| 34 |
> |
| 35 |
|
| 36 |
So, you're saying, drop v8 USE flags and deps from these two packages, |
| 37 |
and hard-mask? Makes sense to me... |
| 38 |
|
| 39 |
I'm still a little concerned about the potential security issues |
| 40 |
caused by embedded V8's in projects, but as we've already concluded in |
| 41 |
that other thread, there's no other way until the API stabilizes.. |
| 42 |
|
| 43 |
|
| 44 |
-----BEGIN PGP SIGNATURE----- |
| 45 |
Version: GnuPG v2.0.22 (GNU/Linux) |
| 46 |
|
| 47 |
iF4EAREIAAYFAlJ8+EcACgkQ2ugaI38ACPDZvwEAhQHhSovgSouf+TMnZrus1I4v |
| 48 |
svWFshpj9ZR6/EhvzH4A/izLFwlxfwcNrkwEkzOY7FBBAxh9zMPiOLZFGbcxtqKx |
| 49 |
=Tooi |
| 50 |
-----END PGP SIGNATURE----- |
Archives