[Pkg-javascript-devel] On nodejs use of embedded libraries

[Trent W. Buck]

I'm not formally reporting this as a bug because 1) nodejs is not my
area of expertise; and 2) it "feels" like this is an issue that can't
be solved.  Neverthelesss, I'm bringing it to your attention.

<twb> So I have just discovered that the "nodejs" package basically includes a courtesy copy of Google V8 js VM
<twb> That sounds like something Not Cool
<pabs> quite, http://wiki.debian.org/EmbeddedCodeCopies
<pabs> even worse if its a fork
<paultag> it's a very heavy fork in the case of v8
<paultag> it's based on v8, but it's stripped and rewritten in a lot of ways (duh)
<twb> paultag: so I shouldn't report it?
<paultag> from a client side dom bastardization to a fairly nice serverside impl
<Laibsch> I've just uploaded a signed .changes file for isdnutils but it's being rejected as unsigned?! http://paste.debian.net/151964/
<pabs> ouch, v8 had lots of security issues: http://security-tracker.debian.org/tracker/source-package/libv8
<paultag> twb: I don't know. I don't know if it counts as v8, since it's so hacked
<twb> I don't know much about nodejs except someone was saying "hey this won't compile on arm due to my CPU lacking BLX instruction" and I went "WTF?!  How can that happen with *javascript*?"
<paultag> pabs: yeah, +1, but how many are there after you remove DOM / link to a browser
<paultag> remember, it's only exec'ing local files
<paultag> so remove vulns are less of an issue, still serious though
<paultag> remote *
<paultag> twb: yeah, you can report it, but it's a very very hacked up fork of v8, to the point of it not being exposed to the same issues
<paultag> but I guess security should keep an eye on it
[pabs is reminded of the recent hash DoS in various languages, including nodejs]
<paultag> ++

>From #debian-mentors on irc.oftc.org at Thu, 12 Jan 2012 14:46:46 +1100
(unfortunately that channel isn't publicly logged)