On Sun, Sep 22, 2013 at 5:17 PM, "Paweł Hajdan, Jr." <phajdan...@gentoo.org> wrote:
> I'd like to get your feedback and opinion about removing shared v8
> library package from Gentoo.

The three "inside the box" options require hope:

1. Use shared lib. Hope upstream package devs code to whichever V8 API is used by Gentoo.
2. Bundle. When security problems are fixed, hope upstream package devs update to the API used in the latest V8.
3. Use slots. Hope V8 security problems are "back ported".

When packages use V8 they put security conscious people in an awkward "hope" position. It would be nice if packages recognized this and added switches to disable V8. Then we could use option 1 or 2 and fail ("disable v8 use flag") when upstream doesn't stay on top of things.

An "outside the box" option might be to bundle... but somewhere tag insecure versions of V8. Packages that only work with insecure versions of V8 require the user to assert an "insecure" use flag or keyword.

Chris