On 10/6/13 12:05 AM, Chris Stankevitz wrote:
> On Sun, Sep 22, 2013 at 5:17 PM, "Paweł Hajdan, Jr."
> <phajdan...@gentoo.org> wrote:
>> I'd like to get your feedback and opinion about removing shared v8
>> library package from Gentoo.
>
> The three "inside the box" options require hope:
>
> 1. Use shared lib. Hope upstream package devs code to whichever V8 API
> is used by Gentoo.

This is not happening, and there is a good history and evidence of it. Upstream package devs code to the V8 API they bundle. Even then, the V8 API changes every 6 weeks. It's a pretty short time for most projects to adapt. And it's not like they only change 1-2 things; sometimes fundamental parts of the API are almost rewritten. For an example read <https://groups.google.com/d/msg/v8-users/MUq5WrC2kcE/Z3LyOmELzD0J>.

Note that I'm working with upstream and it seems to slowly make some improvements, e.g. <https://groups.google.com/d/msg/v8-users/jq8k9s4xEu8/N-es0or3uz4J>.

> 2. Bundle. When security problems are fixed, hope upstream package
> devs update to the API used in the latest V8.

I think this is where we're at. Actually it's more tricky, since I know e.g. node.js developers sometimes say the security holes don't apply to them and don't update. They may be right, but upstream V8 says only the latest stable V8 is security supported, which makes sense to me.

> 3. Use slots. Hope V8 security problems are "back ported".

How is that different from bundling? When an old version of V8 has known vulnerabilities it has to be removed from the tree. Feel free to "try" to backport; it's just not that easy with a project moving as fast as V8. You'd pretty much have to have the same understanding of the code that V8 upstream developers have, and at that point you could probably help solve the API/ABI stability problems in a more direct way.

Paweł