[Pkg-javascript-devel] On nodejs use of embedded libraries

Jérémy Lal jerry at edagames.com
Thu Jan 12 09:24:39 UTC 2012


On 12/01/2012 04:50, Trent W. Buck wrote:
> I'm not formally reporting this as a bug because 1) nodejs is not my
> area of expertise; and 2) it "feels" like this is an issue that can't
> be solved.  Nevertheless, I'm bringing it to your attention.

Thank you. My comments below apply to nodejs 0.4.12, which is available in debian/sid,
and to libv8 in testing/sid.

> <twb> So I have just discovered that the "nodejs" package basically includes a courtesy copy of Google V8 js VM
> <twb> That sounds like something Not Cool
> <pabs> quite, http://wiki.debian.org/EmbeddedCodeCopies

Policy 4.13 states:
"the Debian packaging should ensure that binary packages reference the libraries already in Debian and the convenience copy is not used"
The nodejs debian package does exactly this.
The v8 source code is not stripped out of the orig tarball, but that does not mean it's used.

> <pabs> even worse if its a fork
> <paultag> it's a very heavy fork in the case of v8
> <paultag> it's based on v8, but it's stripped and rewritten in a lot of ways (duh)

The nodejs upstream team tries to *not* patch its v8 copy,
except for cases like the one discussed below, where they patched their copy of v8
before it was done upstream, just to get the security fix applied and released as fast as possible.
Many patches brought by nodejs have been applied to v8, too.


> <twb> paultag: so I shouldn't report it?
> <paultag> from a client side dom bastardization to a fairly nice serverside impl
> <Laibsch> I've just uploaded a signed .changes file for isdnutils but it's being rejected as unsigned?! http://paste.debian.net/151964/
> <pabs> ouch, v8 had lots of security issues: http://security-tracker.debian.org/tracker/source-package/libv8
> <paultag> twb: I don't know. I don't know if it counts as v8, since it's so hacked

The security issues they are talking about apply to an old version of v8,
2.2.24-6, that is in squeeze and is not used by nodejs nor by chromium.
Up-to-date versions are in testing/sid, as is nodejs.

> <twb> I don't know much about nodejs except someone was saying "hey this won't compile on arm due to my CPU lacking BLX instruction" and I went "WTF?!  How can that happen with *javascript*?"

This is just ignorance.
v8 is fast because it compiles javascript to machine code on the fly.
The arm issue (missing blx on armv4t) is worked around in the libv8 debian package,
by using adequate compile flags, so that libv8 is available on armel and armhf architectures.

By the way, nodejs 0.6.x is not yet in debian just because its dependencies are less
obvious to separate (the uv backend *is* using patched versions of its dependencies).

Regards
Jérémy.