** Tags added: bionic-openssl-1.1
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779863
Title:
Ubuntu nodejs package isn't ABI compatible with mainline nodejs.
To manage notifications about this bu
** Changed in: nodejs (Debian)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779863
Title:
Ubuntu nodejs package isn't ABI compatible with mainline nodejs.
To ma
This bug was fixed in the package nodejs - 8.10.0~dfsg-2ubuntu0.3
---
nodejs (8.10.0~dfsg-2ubuntu0.3) bionic; urgency=medium
* Force dependency on openssl1.0
The newer openssl has ABI change, and this version of nodejs
requires building with the older 1.0.2 version of openss
Verification for bionic-proposed is successful.
Changing verification-needed{-bionic} tags to done.
The last autopkgtest failure in nodejs rdeps for bionic
(node-tap) had a patch submitted in LP #1793612, and
since it's a test-server problem, not code/runtime,
Steve kindly marked it as non-block
The 2 fixes from yesterday were uploaded, and resolved the pending test-
case failures for nodejs rdeps on Cosmic, which allowed the migration
from cosmic-proposed to cosmic-release.
Now nodejs w/ OpenSSL 1.0 is in Cosmic (version 8.11.2~dfsg-1ubuntu2).
--
You received this bug notification beca
This bug was fixed in the package nodejs - 8.11.2~dfsg-1ubuntu2
---
nodejs (8.11.2~dfsg-1ubuntu2) cosmic; urgency=medium
[ Dan Streetman ]
* Force dependency on openssl1.0
The newer openssl has ABI change, and this version of nodejs
requires building with the older 1.0.2 v
> - Second, the nodejs reverse deps for cosmic-proposed
>From yesterday -- node-gulp autopkgtests are now green on all archs.
Today -- submitted 2 more fixes
- node-mime-types on LP 1793367 (applied fix from Debian)
- node-unicode-data on LP 1793392 (submitted fix to Debian, BTS 909222)
These la
Today looked more at the autopkgtest failures with ddstreet.
> - Second, the nodejs reverse deps for cosmic-proposed (reproduced some
of them yesterday, and they were intermittent)
Several intermittent. Dan triggered retests for many of them. Checking
tomorrow.
node-gulp had a permanent issue, u
> - First, the new libuv1 failing in cosmic-proposed only for armhf
(related to udp/tcp bind(), so apparently unrelated)
Confirmed by asking for a re-test of cosmic-release version, on which the same
tests fail as in cosmic-proposed.
The failures will be marked as badtests and the libuv1 package
Good news as of this morning.
The nodejs in cosmic-proposed now builds correctly on all architectures,
as s390x now passes due to the libuv1 fix uploaded to cosmic-proposed yesterday
(LP #1792647).
Now there's the autopkgtest failures to look at:
- First, the new libuv1 failing in cosmic-propose
uploaded to cosmic.
** Changed in: nodejs (Ubuntu Cosmic)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779863
Title:
Ubuntu nodejs package isn't ABI co
Patch for Cosmic nodejs to build with openssl 1.0.2
and fix test-case regression seen on libuv 1.22.0-3
(which is unrelated to the openssl version change.)
This built successfully on LP PPA; build log [1].
On previous builds there was one test-case timeout
on parallel/test-net-listen-after-destro
Yes - this is expected behavior for not passing down proper SSL
certificates to the constructor.
On Sat, Sep 8, 2018 at 12:27 PM, Elana Hashman
wrote:
> I have tested the steps with nodejs and nodejs-dev in bionic-proposed,
> however I get a different error. I am guessing that there is something
I have tested the steps with nodejs and nodejs-dev in bionic-proposed,
however I get a different error. I am guessing that there is something
wrong with the credential initializing:
ubuntu@ubuntu-bionic:~$ node
> const grpc = require('grpc')
undefined
> const creds = grpc.ServerCredentials.createS
The official list of library dependency versions can be found here:
https://nodejs.org/dist/index.json
8.11.4 is listed as linked against OpenSSL 1.0.2p.
On Fri, Aug 31, 2018 at 12:37 PM, Dan Streetman wrote:
> re: cosmic debdiff, debian appears to have added code to 8.11 version
> that breaks
re: cosmic debdiff, debian appears to have added code to 8.11 version
that breaks the build with openssl 1.0.2, so i'll need to look into
that.
@grumpycoder, or anyone else, can you confirm that nodejs version 8.11
still "requires" openssl 1.0?
--
You received this bug notification because you a
** Patch added: "lp1779863-cosmic.debdiff"
https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1779863/+attachment/5183085/+files/lp1779863-cosmic.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net
The failure is due to unfortunate timing of one of the test cert's crl
expiry (Next Update date):
$ openssl crl -inform PEM -text -noout -in test/fixtures/keys/ca2-crl.pem
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha512WithRSAEncryption
Issuer:
** Changed in: nodejs (Ubuntu Bionic)
Assignee: (unassigned) => Dan Streetman (ddstreet)
** Changed in: nodejs (Ubuntu Cosmic)
Assignee: (unassigned) => Dan Streetman (ddstreet)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu
I'll take a look at the FTBFS for this today - it didn't fail when built
in my ppa so not sure what happened yet.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779863
Title:
Ubuntu nodejs package i
Hi Steve,
I have completed the first half of the testing process and confirmed the
bug. (Transcript attached.)
However, nodejs is not yet available in bionic-proposed as it seems the
build failed. Please let me know when a successfully built package is
available to test.
Cheers,
- e
** Attachm
Hello Nicolas, or anyone else affected,
Accepted nodejs into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/nodejs/8.10.0~dfsg-
2ubuntu0.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
ht
Apologies for the late reply.
My github repository is a quick effort in trying to expose the ABI problem,
but a more thorough (and straightforward) way to actually reproduce would
be to do the following:
First case, when using a module that ships with prebuilt binaries. With the
"nodejs" and "npm
On Tue, Aug 07, 2018 at 05:51:56PM -, Robie Basak wrote:
> For example: it's not really "node-debian-v57" either; it's
> "node-openssl1.1-v57". Ubuntu, Debian and all other distributions that
You'd probably also like this to enumerate all libraries that node
re-exports, if you choose to go thi
Nicolas, I accept your correction regarding the risk of binary
incompatibility with locally-built binaries referencing the Ubuntu 18.04
nodejs ABI. I have clarified the 'regression potential' in the bug
description, and am willing to accept the SRU given my current
understanding; however, the bug
** Description changed:
[impact]
Pre-built addons for nodejs built against the 8.10 version, which is
what is included in Bionic, will fail to load on Bionic because the
version of nodejs there is built using a newer ABI-incompatible openssl
version.
[test case]
see comment
My current schedule will make IRC being difficult, sorry.
The problem is that users are *already* split into two factions. They
expect apt-get to work, but they also expect npm install to work too. The
former is fine on your end, because you control the whole ecosystem here,
but it's perfectly rea
Also, I am but a simple npm package maintainer whose users are currently
reporting weird issues when using Ubuntu packages. I did the thorough
investigation of what the actual issue is, but I am not a nodejs developer.
I have strictly no power whatsoever in resolving this issue one way or
another.
On Tue, Aug 07, 2018 at 03:59:27AM -, Nicolas Noble wrote:
> So one another solution I'd then see would be for you to bite the
> bullet, and stop calling your runtime "nodejs", because, well, it's not
> really nodejs.
Sure. This falls under correctly "declaring binary compatibility" in my
anal
I must specify something from your statements. The fact the native
module doesn't load really is undesired behavior. The normal nodejs
behavior is make sure that the module is going to load while installing
it, by checking ABI compatibility using various tags. It is expected and
supported that node
On Sat, Aug 04, 2018 at 04:44:05PM -, Elana Hashman wrote:
> The ABI incompatibility with upstream is not just "regrettable", but an
> actual bug. It's not supported behaviour; it's an undocumented ABI
> deviation, and as soon as upstream became aware of it, they filed an
> issue.
The problem
I also disagree with the assessment of "wontfix".
The ABI incompatibility with upstream is not just "regrettable", but an
actual bug. It's not supported behaviour; it's an undocumented ABI
deviation, and as soon as upstream became aware of it, they filed an
issue. The SRU policy states that it cov
While it's theorically possible to bypass node-gyp, I'm not aware of any
actively used method that would do so. The node-gyp is a bundled dependency
of npm, and is the code that parses the native module information (the
bindings.gyp file that is), in order to generate the Makefile that will
build t
Nicolas, thanks for the clarification. Just to be sure, is node-gyp the
*only* way to build binary add-ons for node, or is it possible that some
users have built add-ons using some other build system?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscri
> In other words, you can't break existing native modules built by
people, because people can't build native modules *due to this bug*.
Thank you for explaining that. It's not currently what the bug
description currently says. Please could those interested in this bug
work on getting that accurate
I'm sorry, but I must heavily disagree with the assessment here, and I
am asking you to reconsider your "won't fix". No breakage is possible
since there can't be existing native modules built manually by people
due to this other bug, which is the corollary of this present one:
https://github.com/no
> I think this should also be wontfix for the devel series
cosmic is currently nodejs 8.11, and debian still has nodejs 10.4 in
-experiemental; @kapouer indicated he hopes to promote nodejs 10.4 to
-unstable at some point (soon) but it's unclear if that will be in time
to make it into cosmic (prob
>From the regression potential analysis:
> Any external nodejs addons that were built specifically for the
> current Bionic nodejs will also start failing, until rebuilt against
> the upstream nodejs 8.10 version, or the new Bionic nodejs package.
I consider this a blocker for SRU. We do not gu
(I think this should also be wontfix for the devel series since we
should not make bionic and cosmic incompatible with one another, until
such time as nodejs is updated to a later version that does openssl 1.1
upstream; but I'll let someone else handle that bug task.)
--
You received this bug not
If the SRU team decides to make this change, I think it's worth making
it clear to the wider community whether we're just making this change on
this occasion because everything has aligned to make it possible easily
in this specific case (openssl 1.0 remains in Bionic, etc), or if this
ABI stabilit
$ for f in $( find * -type f ) ; do file "$f" | grep ELF | cut -d ':' -f
1 ; done > file-list
Assuming that the openssl init symbol will be included:
$ for f in $( cat file-list ) ; do objdump -T "$f" | grep OPENSSL_init_ssl ;
done
$ for f in $( cat file-list ) ; do objdump -T "$f" | grep SSL_li
$ for d in *.deb ; do dpkg -x $d ${d%_amd64.deb} ; done
$ for f in $( find * -type f ) ; do file "$f" | grep ELF | cut -d ':' -f 1 ;
done | cut -d '/' -f 1 | sort | uniq
codelite-plugins_10.0+dfsg-2
libkf5purpose-bin_5.44.0-0ubuntu1
netdata_1.9.0+dfsg-1
node-groove_2.5.0-2ubuntu1
node-iconv_2.3.0
$ lsb_release -c
Codename: bionic
$ apt download $( reverse-depends -r bionic -l nodejs )
...
$ ls *.deb | wc -l
1296
$ rm *all.deb
$ ls *.deb | wc -l
20
So of the 1296 debs that Depends: nodejs, only 20 of them actually
create binary debs:
$ ls -1
codelite-plugins_10.0+dfsg-2_amd64.deb
@ddstreet: Can we get the rdep analysis now, rather than later? I think
that's critical to understanding if we should or shouldn't accept the
node upload and go through with this madness.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu
I've uploaded the patched nodejs to the Bionic queue, as well as
discussed it in #ubuntu-release; the SRU approvers will either accept or
reject it now, and I (or someone) will still need to go through all the
Ubuntu packages that have a dependency on nodejs, to check which (if
any) will need to be
The template changes look good to me.
On Wed, Jul 25, 2018 at 9:21 AM, Ubuntu Foundations Team Bug Bot <
1779...@bugs.launchpad.net> wrote:
> ** Tags added: patch
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1779863
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779863
Title:
Ubuntu nodejs package isn't ABI compatible with mainline nodejs.
To manage notifications about this bug go to:
http
$ reverse-depends -r bionic -b -l nodejs | wc -l
1090
I think we'll have to rebuild all 1090 of these Ubuntu-provided packages
after updating Bionic's nodejs openssl dep.
** Description changed:
[impact]
Pre-built addons for nodejs built against the 8.10 version, which is
what is includ
Since nodejs isn't maintained by the security team, we have no comment
on the switch to openssl1.0 from a security point of view.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779863
Title:
Ubuntu
@grumpycoder, I added the SRU-required template to the bug description;
please correct my statements in the template if needed.
** Description changed:
+ [impact]
+
+ Pre-built addons for nodejs built against the 8.10 version, which is
+ what is included in Bionic, will fail to load on Bionic be
Jérémy (@kapouer), as the maintainer of nodejs for Debian, what's your
opinion on Ubuntu changing nodejs's build and runtime deps specifically
(and only) for Ubuntu Bionic, to use the openssl1.0 (currently version
1.0.2n-1ubuntu5.1) instead of openssl (currently version 1.1.0g-
2ubuntu4.1)? It see
@ubuntu-security, since this proposed change to nodejs involves altering
its build/runtime deps to use openssl 1.0 instead of the newer openssl
1.1, please review the details and comment if you have any concerns.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
** Patch added: "lp1779863-bionic.debdiff"
https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1779863/+attachment/5167616/+files/lp1779863-bionic.debdiff
** Tags added: sts-sponsor-ddstreet
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed
I can confirm that your nodejs from your ppa makes prebuilt binaries work
fine again, yes.
On Tue, Jul 24, 2018 at 2:35 PM, Dan Streetman
wrote:
> @ehashman, @grumpycoder, let me know if you're able to test with the deb
> from my ppa, so we can at least confirm it does fix this issue.
>
> --
>
@ehashman, @grumpycoder, let me know if you're able to test with the deb
from my ppa, so we can at least confirm it does fix this issue.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779863
Title:
There's also a "documentation" in nodejs' release database:
https://nodejs.org/dist/index.json
On Mon, Jul 23, 2018, 15:56 Elana Hashman <1779...@bugs.launchpad.net>
wrote:
> Oops, GitHub expanded that link to the full commit when I copied it.
> Here's demonstrating it's the same one as the 8.10.
Oops, GitHub expanded that link to the full commit when I copied it.
Here's demonstrating it's the same one as the 8.10.0 tag:
https://github.com/nodejs/node/blob/v8.10.0/deps/openssl/openssl/README#L2
Release notes are here
https://github.com/nodejs/node/releases/tag/v8.10.0
--
You received thi
>> NodeJS 8.10.0 officially comes with OpenSSL 1.0.2n
>
> I think this is an important piece of info here, and I wasn't able to find
> any "official"
> documentation that clearly states this - can you provide a link to any docs
> for this?
I don't know if this is officially documented anywhere b
>From reading the debian bug report, it seems like there is considerable
discussion that still needs to happen separate from debian or ubuntu
packaging. Additionally, this seems to not be an issue in debian, once
they update nodejs in the debian repository to the latest version.
So, I'll ignore u
** Also affects: nodejs (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904274
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779863
Tit
** Changed in: nodejs (Debian)
Status: Unknown => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779863
Title:
Ubuntu nodejs package isn't ABI compatible with mainline nodejs.
To manage
Hi all,
Because this bug was filed against the unmodified package version from
Debian, I also filed this bug against Debian upstream:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904274
@ddstreet it is pretty common for end users to install a language
runtime (e.g. python, nodejs, etc.) and
Also if you want to reproduce it, you simply need to npm install grpc on
Ubuntu using Ubuntu's nodejs. Loading and using gRPC (I can build a
quick nodejs demo project if you want) will then fail with the symbol
mismatch I described initially.
Or you can also use the reproduction case I linked init
I've created an issue on nodejs' tracker to discuss this also:
https://github.com/nodejs/node/issues/21897
Let me rephrase what you just said a bit, because I think you're getting
it a bit incorrectly.
People are distributing binaries through npm, and these binaries are
expected to work directly
I think I don't quite understand the use case fully - the problem here
is some binary packages, provided not by Ubuntu but through NPM, aren't
binary-compatible with nodejs due to openssl lib ABI differences with
the NPM-built binary? If you can provide a bit more detail on this,
maybe with a spec
65 matches
Mail list logo
