Hi Jamie

On 28/06/13 12:32, Jamie Strandboge wrote:
> libv8 is something we've considered in the past as part of our webkit
> work and Ubuntu SDK audits. We can't effectively support libv8 because
> it is constantly changing. Therefore, backporting patches becomes
> infeasible very quickly and we are faced with having to use a new
> upstream release-- which would likely break anything that depends on it.
> NAK on libv8 in the archive.

OK - sounds entirely reasonable and this was something I was concerned
about.

> What we did for the Ubuntu SDK is allow an embedded version of libv8--
> this is guaranteed to always match with its consumer, but for this to
> work it must be demonstrated that libv8 does not process untrusted
> javascript. If it doesn't, there is no attack surface for the embedded
> libv8 and therefore it doesn't have to be kept up to date. If it does
> process untrusted javascript, NAK.

mongodb ships an embedded version of libv8 within the upstream tarball;
we can switch back to using this so that we avoid libv8 being a
standalone library.

Re: it must be demonstrated that libv8 does not process untrusted javascript

libv8 is used to provide the scriptable shell in mongodb; access to the
shell is via the mongo client application.

By default, authentication is turned off in the packaging - so it's
possible to access the db and set up authentication - see
http://docs.mongodb.org/manual/tutorial/enable-authentication/.

That said the default bind ip is 127.0.0.1 so only users with access to
the system running mongod have unauthenticated access to the database -
allowing a configuration to be bootstrapped securely.

Hopefully that clarifies use of v8 sufficiently to support embedded
inclusion in mongodb.

--
James Page
Ubuntu Core Developer
Debian Maintainer
james.p...@ubuntu.com

--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1187262

Title:
  [MIR] mongodb, libv8, snowball, gyp