Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

plv8 NEEDS to be updated to V8 ver 6.4.388.18 or later #251

Closed
drady opened this issue Jan 10, 2018 · 15 comments

Comments

Projects
None yet
6 participants
@drady
Copy link

commented Jan 10, 2018

Need to update plv8 for the recent, widely publicized, Speculative Side-Channel Attacks vulnerabilities.
https://github.com/v8/v8/wiki/Untrusted-code-mitigations

@JerrySievert

This comment has been minimized.

Copy link
Contributor

commented Jan 10, 2018

a PR would be welcome, but I'm needing to wait for a data cap to reset in order to be able to download anything as large as v8, not to mention its build tools, so I'm a few days away from being able to start this currently.

@JerrySievert

This comment has been minimized.

Copy link
Contributor

commented Jan 11, 2018

@christophberg do you how Debian is handling this? wondering if this is a good opportunity to get Debian moved to something more modern.

@df7cb

This comment has been minimized.

Copy link

commented Jan 11, 2018

For some value of "handle": https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=0;dist=unstable;ordering=normal;repeatmerged=0;src=libv8-3.14
v8 was already explicitly excluded from security support in the last Debian release(s?), which we very rarely do: https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8
The state now is that the packge is so buggy that it and all reverse dependencies got removed from Debian/testing, which of course includes plv8.

It's a mess, but unless some volunteers to step in maintaining V8 in Debian, it will stay that way :(

@JerrySievert: thanks for your patience so far and supporting this old V8 version, I can totally understand if you decide not to continue riding this dead horse...

@JerrySievert

This comment has been minimized.

Copy link
Contributor

commented Jan 18, 2018

I have it compiling and running in MacOS, but still struggling with linux:

https://travis-ci.org/JerrySievert/plv8/builds/330557430

@nileshtrivedi

This comment has been minimized.

Copy link

commented Feb 5, 2018

I asked V8 devs about it: https://twitter.com/bmeurer/status/960584003148505088

TLDR: V8 is not supposed to be packaged as a library and API / ABI stability is not guaranteed.

@JerrySievert

This comment has been minimized.

Copy link
Contributor

commented Feb 5, 2018

Yes. That’s been known for years.

@bendiy

This comment has been minimized.

Copy link
Contributor

commented Feb 9, 2018

So from Debian, we have:
#220 (comment)

statically linking v8 is a no-go on Debian.

And from Google we have:
https://twitter.com/bmeurer/status/960584003148505088

V8 is not meant to be packaged separately

Is the future of apt-get install postgresql-9.6-plv8 dead?
We've pretty much switched to distributing our own builds and installer for plv8. Still missing decent Windows support.

@JerrySievert

This comment has been minimized.

Copy link
Contributor

commented Feb 9, 2018

I don't know - I had been trying not to get in the package distribution business, but may have to.

my biggest concern is rds, not sure how to broach that, as I'm not working at a company with an extremely close aws relationship anymore.

@JerrySievert

This comment has been minimized.

Copy link
Contributor

commented Feb 12, 2018

I'm getting closer:

  • I have the build system changed for linux (only make works correctly under macOS, and only ninja works under linux)
  • I have the new allocator constructs written
  • I have rewritten the makefile to handle all of the library changes

but am still having issues with linking and it missing some of the stdlib constructs with g++, specifically std::__1::__shared_weak_count::__get_deleter(std::type_info const&) const

@JerrySievert JerrySievert referenced this issue Feb 13, 2018

Closed

V8 6.0 #226

@JerrySievert

This comment has been minimized.

Copy link
Contributor

commented Feb 13, 2018

for those feeling adventurous, I'd love it if you'd try compiling/running master, which has been updated to 6.4.388.40.

some major changes:

  • make downloads and compiles v8
  • make shared compiles against a shared version of v8
  • build system for v8 now uses ninja/gn instead of make/gyp
  • libc++-dev needs to be installed (ubuntu), or the equivalent for other linux distributions
  • icu is turned off by default, as it seems to have issues on some distributions, to enable it, compile with make -DUSE_ICU

I will be releasing this as 2.3.0 in the coming days.

@JerrySievert

This comment has been minimized.

Copy link
Contributor

commented Feb 13, 2018

see #253 for more info

@davidbeauchamp

This comment has been minimized.

Copy link

commented Feb 14, 2018

I was able to build master without issue on 14.04.5 after installing libc++-dev. I did not build with ICU. Initial testing seems to be going well, I will add another comment if I run into any trouble.

@JerrySievert

This comment has been minimized.

Copy link
Contributor

commented Feb 16, 2018

released as 2.3.0. closing this issue.

@nileshtrivedi

This comment has been minimized.

Copy link

commented Mar 8, 2018

my biggest concern is rds, not sure how to broach that, as I'm not working at a company with an extremely close aws relationship anymore.

@JerrySievert PostgreSQL 10 on AWS RDS now supports an upgraded version of PL/v8 (2.1.0). https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.FeatureSupport.Extensions.101x

@JerrySievert

This comment has been minimized.

Copy link
Contributor

commented Mar 8, 2018

@nileshtrivedi that's great news! now we just need to get them to 2.3.0!

thanks much for the update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.