-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/11/13 12:22 AM, "Paweł Hajdan, Jr." wrote:
> For some context of this please see
> <http://thread.gmane.org/gmane.linux.gentoo.devel/88222>
>
> v8-3.20.17.7 fixes a memory corruption vulnerability, see
> <http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html>
>
> However, we still have v8-3.19 and even 3.18 in portage - this is
> probably an oversight when stabilizing new versions.
>
> Problem #1 is that sci-geosciences/osgearth-2.4 depends on
> =dev-lang/v8-3.18.5.14 (see
> <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It
> doesn't work with more recent v8, but it can be made to not depend
> on v8.
>
> Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is
> actually broken for other reasons, see
> <https://bugs.gentoo.org/show_bug.cgi?id=490216>. I'd like that USE
> flag to be removed and v8 to always be disabled in drizzle.
>
> With that I'd like to proceed with hard masking v8. I'm working
> with upstream on better API stability, it seems to be working
> pretty well. That's still a very long way to ABI stability, if at
> all possible.
>
> Please comment on possible solutions for removing known vulnerable
> v8 versions from the tree.
>
> Paweł
>
So, you're saying, drop v8 USE flags and deps from these two packages, and
hard-mask? Makes sense to me...

I'm still a little concerned about the potential security issues caused by
embedded V8s in projects, but as we've already concluded in that other
thread, there's no other way until the API stabilizes.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iF4EAREIAAYFAlJ8+EcACgkQ2ugaI38ACPDZvwEAhQHhSovgSouf+TMnZrus1I4v
svWFshpj9ZR6/EhvzH4A/izLFwlxfwcNrkwEkzOY7FBBAxh9zMPiOLZFGbcxtqKx
=Tooi
-----END PGP SIGNATURE-----
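The hard mask the thread converges on, worked through as an added example that is not part of this thread or of the Gentoo tree: a POSIX sh script that decides whether a dev-lang/v8 version predates the fixed 3.20.17.7 from the message above, lists the affected entries from a constructed sample of versions, and prints the profiles/package.mask entry that would mask every older version. The maintainer name, e-mail and date in the mask comment are placeholders, the sample version list is constructed, and the comparison only handles plain dotted numeric versions (Gentoo suffixes such as _p1 or -r1 are not parsed).

```shell
#!/bin/sh
# Added example (not from the thread or the Gentoo tree): check v8 versions
# against the fixed release named in the message and emit a hard-mask entry.

FIXED_V8="3.20.17.7"   # version that carries the memory corruption fix (from the thread)

# Constructed sample of versions, as might be found installed or in the tree.
SAMPLE_VERSIONS="3.18.5.14 3.19 3.20.17.7 3.20.18"

# version_lt A B -> exit 0 when dotted numeric version A sorts before B.
# Missing trailing components count as 0, so 3.19 equals 3.19.0.0.
# Only plain dotted numbers are handled; _p/_rc/-r suffixes are not parsed.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ -z "$ac" ] && ac=0
        [ -z "$bc" ] && bc=0
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# v8_vulnerable VERSION -> exit 0 when VERSION predates the fixed release.
v8_vulnerable() {
    version_lt "$1" "$FIXED_V8"
}

# vulnerable_versions -> print, one per line, the sample versions that
# would still be affected and therefore belong under the mask.
vulnerable_versions() {
    for v in $SAMPLE_VERSIONS; do
        if v8_vulnerable "$v"; then
            printf '%s\n' "$v"
        fi
    done
}

# mask_entry -> print a package.mask block masking everything below the fix.
# Author, address and date are placeholders; the atom syntax is Gentoo's
# usual "<category/package-version" range mask.
mask_entry() {
    printf '%s\n' \
        "# <maintainer name> <maintainer@example.invalid> (<date>)" \
        "# Versions of dev-lang/v8 before ${FIXED_V8} lack the memory corruption" \
        "# fix shipped in ${FIXED_V8}; masked until reverse deps stop needing them." \
        "<dev-lang/v8-${FIXED_V8}"
}

# Stand-alone run: show what the mask would cover and the entry itself.
echo "Sample versions still affected:"
vulnerable_versions
echo
echo "package.mask entry:"
mask_entry
```

Dropping the generated block into profiles/package.mask would mask 3.18.5.14 and 3.19 while leaving 3.20.17.7 and later visible, which matches what Paweł asked for once osgearth and drizzle no longer depend on the old versions.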