[Pkg-javascript-devel] v8js, Debian and Ubuntu
Jérémy Lal
kapouer at melix.org
Tue Jun 24 23:01:22 UTC 2014
Hi,
cc-ing you, tell me if you are subscribed to this list.
Le mardi 24 juin 2014 à 15:32 +0100, Greg Bowler a écrit :
> Hi,
>
> I'd like to help bring libv8 up to date in Debian based systems by helping
> maintain the package. I would like to see version 3.17 shipped in the next
> versions of Devian based systems.
>
> How could I go about helping, or is this version planned any time soon?
Updating the debian package to the latest version of libv8 is, in
itself, a relatively quick and easy job. Multiple source package
versions can even coexist - we can have libv8-3.14.5 and libv8-3.26.33
in debian right now, but...
But maintaining a given version is way harder:
v8 upstream doesn't maintain API and even less ABI compatibility between
releases. Even patch-level releases can break API [0].
The current practice is to set libv8 soname to Branch.Major.Minor
version, but blindly following it would lead to soname breakage.
The good new is that `dh_acc` can help tracking API/ABI changes,
though i'm pretty sure it cannot guarantee compatibility.
That's a first task: make the package use dh_acc to improve soname
maintenance.
A second task is to backport security patches for current libv8 versions
that are in debian, starting with updating the status of current CVE
issues [1].
Some security patches are already backported by upstream nodejs or by
fedora maintainer of libv8.
An important aspect of those security patches is to make sure they do
not break api/abi... that's why dh_acc can help here.
So we want to avoid multiplying the number of v8 versions in debian -
each one is difficult to maintain. A reasonable approach is to keep a
common version usable by most of reverse dependencies:
- chromium depends tightly on latest v8 - but chromium in debian bundles
many of its dependencies.
- nodejs 0.10.x stable branch depends on libv8-3.14
nodejs 0.12.x branch will depend on libv8-3.26 or higher
- mongodb 2.4 stable branch depends on libv8-3.14
mongodb 2.8 branch will depend on libv8-3.25 or higher
- postgresql-9.3-plv8 is compatible with libv8-3.20... but it might be
easy to port it, as well as other software like mupdf, osmjs (&al)
that seem to be less coupled to v8.
As you can see, it will require much less work to update libv8 when
nodejs 0.12 / mongodb 2.8 are released. I am not very optimistic that
it's going to happen soon enough before the debian release freeze.
It is nonetheless possible to upload a more up-to-date version to
experimental - that version won't have to be maintained.
Jérémy.
[0]
http://www.upstream-tracker.org/versions/v8.html
[1]
https://security-tracker.debian.org/tracker/source-package/libv8
https://security-tracker.debian.org/tracker/source-package/libv8-3.14
More information about the Pkg-javascript-devel
mailing list