I'd recommend including your own version of V8 instead of relying on
whatever the OS provides. That also allows you to keep upgrading the
version of V8 whenever new stability or security fixes are released.

best
-jochen

On Fri, Jul 1, 2016 at 9:06 AM Michael Hablich <habl...@chromium.org> wrote:

> Hi Jeroen,
>
> answers inline.
>
> On Friday, July 1, 2016 at 12:51:49 AM UTC+2, Jeroen Ooms wrote:
>
>> On Thu, Jun 30, 2016 at 9:41 PM, Yang Guo <yan...@chromium.org> wrote:
>> > May I ask you what your use cases are? What are the security
>> > requirements? How serious are information leaks, code execution
>> > vulnerabilities etc?
>>
>> As an application developer, my main concern is simply to meet the
>> requirements for distributions to keep shipping this version so that
>> our applications remain supported. I think this mainly involves fixing
>> gcc 5/6, and (for debian) mips / ppc. Perhaps also the dead gyp
>> dependency url in the build script which is now 404. For our
>> applications security is not an issue but I suppose every CVE patch is
>> an improvement over the status quo for most distros.
>>
>> > I'm also against merging fixes to the 3.14 branch on the official V8
>> > repository. That would give it an appearance of being maintained and
>> > secure, while it certainly is not.
>>
>> That is understandable. Perhaps we can find a form to release in a way
>> that emphasizes this branch is legacy/deprecated, yet still shows this
>> is a serious effort to fix urgent problems and has been reviewed, such
>> that downstream maintainers can find and trust it? Maybe a branch repo
>> named '3.14-legacy-unsupported' or so? I am afraid that if I release
>> this under my personal name it will probably be ignored :-)
>>
>
> Creating your own fork and maintaining it should be the way to go.
> Currently all the release branches on the V8 repo are tested to a certain
> degree up until the point they got abandoned. When new patches land on
> abandoned branches we cannot test those patches anymore because our infra
> evolves heavily too. This means your requirement "... and trust it." would
> not be met.
>
>
>>
>> > We are recently starting to cooperate with node.js on their LTS branch,
>> > so the 5.1 branch will likely receive security fixes for quite some time.
>>
>> That is great to hear. Does that mean the API will be stable?
>
>
> Likely, because Node wants to keep ABI compatibility AFAIK. Please keep in
> mind that we are talking about a Node.js LTS release. V8 is currently
> *not* offering an LTS release. We are simply trying to help Node with
> theirs.
>
>
>> It would
>> be great if this would be communicated or coordinated with downstream
>> libv8 maintainers. For example Fedora seems to be planning to jump to
>> 5.2.258 which is not LTS I suppose?
>
>
> 5.1 (+Node.js relevant patches and features) is going to be in the next
> Node.js LTS. I would suggest you get in contact with the Node.js LTS WG
> <https://github.com/nodejs/LTS>. They should know best what their plans
> are.
>
>
>> As an application developer I want
>> to encourage the various distributions to agree on which version of
>> the v8 api they want to support so that we can write software that
>> works across platforms.
>>
>> Still it would be really great if we can patch up 3.14 to keep it
>> working at least until this new LTS release is stable and has landed
>> in most distributions.
>>
>> > Aside from that, how likely is it for distros to pick up updates to
>> > 3.14 in a timely manner?
>>
>> Assuming patches introduce no breaking changes, I expect they might be
>> adopted easily, especially if they fix urgent problems with gcc 5/6
>> which most distributions will need.
>>
>
>
> --
> --
> v8-dev mailing list
> v8-dev@googlegroups.com
> http://groups.google.com/group/v8-dev
> ---
> You received this message because you are subscribed to the Google Groups
> "v8-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to v8-dev+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
