[Bug 1187262] Re: [MIR] mongodb, libv8, snowball, gyp
James Page
james.page at ubuntu.com
Tue Jul 2 08:13:49 UTC 2013
Hi Jamie
On 28/06/13 12:32, Jamie Strandboge wrote:
> libv8 is something we've considered in the past as part of our webkit
> work and Ubuntu SDK audits. We can't effectively support libv8 because
> it is constantly changing. Therefore, backporting patches becomes
> infeasible very quickly and we are faced with having to use a new
> upstream release-- which would likely break anything that depends on it.
> NAK on libv8 in the archive.
OK - sounds entirely reasonable and this was something I was concerned
about.
> What we did for the Ubuntu SDK is allow an embedded version of libv8--
> this is guaranteed to always match with its consumer, but for this to
> work it must be demonstrated that libv8 does not process untrusted
> javascript. If it doesn't, there is no attack surface for the embedded
> libv8 and therefore it doesn't have to be kept up to date. If it does
> process untrusted javascript, NAK.
mongodb ships an embedded version of libv8 within the upstream tarball;
we can switch back to using this so that we avoid libv8 being a
standalone library.
Re: it must be demonstrated that libv8 does not process untrusted
javascript
libv8 is used to provide the scriptable shell in mongodb; access to the
shell is via the mongo client application. By default, authentication
is turned off in the packaging - so it's possible to access the db and
set up authentication - see
http://docs.mongodb.org/manual/tutorial/enable-authentication/. That
said the default bind ip is 127.0.0.1 so only users with access to the
system running mongod have unauthenticated access to the database -
allowing a configuration to be bootstrapped securely.
Hopefully that clarifies use of v8 sufficiently to support embedded
inclusion in mongodb.
--
James Page
Ubuntu Core Developer
Debian Maintainer
james.page at ubuntu.com
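The bootstrap argument in the message above (auth off by default, but mongod bound only to 127.0.0.1, so only local users can reach it before an admin user is created and auth is switched on) can be turned into a small configuration check. The following is an added example, not code from the thread, from Launchpad or from the mongodb package; it is written in JavaScript because that is the language of the mongo shell the message discusses. It assumes the old "key = value" style of /etc/mongodb.conf (the YAML format came later) and that a missing bind_ip means the server listens on all interfaces, which was the mongod default at the time; the three sample config files are constructed for illustration.

```javascript
// Added example (not from the thread or the mongodb package): audit a mongod
// config in the "key = value" style of /etc/mongodb.conf on 2013-era Ubuntu.
// All sample configs below are constructed for illustration.

const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);

// Parse "key = value" lines. '#' starts a comment; a bare key counts as true.
function parseMongodConf(text) {
  const conf = {};
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) continue;
    const eq = line.indexOf("=");
    if (eq < 0) {
      conf[line] = true;
    } else {
      conf[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
  }
  return conf;
}

function isTrue(v) {
  return v === true || /^(true|1|yes|on)$/i.test(String(v));
}

// Can this configuration be bootstrapped the way the message describes?
// Safe means: auth is already on, or mongod is reachable only over loopback,
// so only users on the host can talk to it before auth is enabled.
function auditMongodConf(text) {
  const conf = parseMongodConf(text);
  // Assumption: no bind_ip means "listen on all interfaces" (the mongod
  // default of that era), so treat a missing key as 0.0.0.0.
  const bindIps = String(conf.bind_ip || "0.0.0.0")
    .split(",").map(s => s.trim()).filter(Boolean);
  // The old "noauth" option overrides "auth" if both are present.
  const authOn = isTrue(conf.auth) && !isTrue(conf.noauth);
  const remote = bindIps.filter(ip => !LOOPBACK.has(ip));
  const findings = [];
  if (!authOn && remote.length > 0) {
    findings.push("auth off while bound to " + remote.join(",") +
                  ": unauthenticated access from the network");
  }
  return {
    bindIps,
    authOn,
    findings,
    bootstrapSafe: authOn || remote.length === 0,
  };
}

// Constructed sample: the Ubuntu packaging default described in the message.
const UBUNTU_DEFAULT_CONF = `
# mongodb.conf (constructed sample)
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
bind_ip = 127.0.0.1
#auth = true
`;

// Constructed sample: exposed on every interface with auth still off.
const WEAK_CONF = `
bind_ip = 0.0.0.0
#auth = true
`;

// Constructed sample: reachable on a private address, but auth was enabled
// after the admin user had been created over the loopback connection.
const HARDENED_CONF = `
bind_ip = 127.0.0.1,10.0.0.5
auth = true
`;

for (const [name, conf] of Object.entries(
    { UBUNTU_DEFAULT_CONF, WEAK_CONF, HARDENED_CONF })) {
  console.log(name, JSON.stringify(auditMongodConf(conf)));
}
```

The check deliberately treats "auth off but loopback only" as acceptable, because that is exactly the state the packaging ships in and the state from which the documented enable-authentication procedure starts; what it flags is the combination of a non-loopback bind_ip with auth still disabled, which is the case where v8 would become reachable by unauthenticated network clients.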
https://bugs.launchpad.net/bugs/1187262