Discussion: PLV8 yum packages


PLV8 yum packages

From
Jerry Sievert
Date:
Hi,

I’m the maintainer of PLV8, and I’m wondering what it will take to get the postgres yum repositories up to date.

There are a couple of things that you need to know:

1) V8 was affected by Spectre/Meltdown, and the version that has the remediation is 6.4.388.40

2) the version of v8 that the official postgres yum repos use is 3.14, which is 5 years out of date, and only compiles
against the unsupported 1.4 branch of plv8 (current is 2.3.0)

3) the v8 build system no longer supports shared object creation under linux (this is a big one), and thus plv8 has
moved to a static build by default, leaving a make shared for platforms that can still build (I believe they have
managed to not break the older build system for macOS, but that seems to be it)

So, given all of that, I’m hoping we can work together to get plv8 updated on the yum repos.  There have been a huge
amount of changes over the last 5 years, ranging from major speed increases, updated language for es6/es7, and bug fixes
(I back port any security issues to the 1.4 and 1.5 branches, but the v8 api is no longer compatible).

Please let me know how I can help, it would be great to see plv8 in the modern world.

Thanks!



Re: PLV8 yum packages

From
Devrim Gündüz
Date:
Hi Jerry,

On Mon, 2018-02-26 at 11:03 -0800, Jerry Sievert wrote:

> I’m the maintainer of PLV8,

Nice to e-meet you!

> and I’m wondering what it will take to get the postgres yum repositories up
> to date.

Well, see below:

> There are a couple of things that you need to know:
>
> 1) V8 was affected by Spectre/Meltdown, and the version that has the
> remediation is 6.4.388.40

Wow, even Fedora 27 has 6.2.91 :-( (Even more, Fedora rawhide also has the same
version)

EPEL has 3.14 :(

> 2) the version of v8 that the official postgres yum repos use is 3.14, which
> is 5 years out of date, and only compiles against the unsupported 1.4 branch
> of plv8 (current is 2.3.0)

Unfortunately, the packaging policy is to use OS libraries to build or install
the packages. This is why I got stuck.

> 3) the v8 build system no longer supports shared object creation under linux
> (this is a big one), and thus plv8 has moved to a static build by default,
> leaving a make shared for platforms that can still build (I believe they have
> managed to not break the older build system for macOS, but that seems to be
> it)

I think that explains why I cannot build 2.3.0 on my build machines anymore. We
have 2.1.0 at the moment.

So in short: Unless EPEL and Fedora update v8, we are unlikely to update the
plv8 package :(

Regards,

--
Devrim Gündüz
EnterpriseDB: https://www.enterprisedb.com
PostgreSQL Consultant, Red Hat Certified Engineer
Twitter: @DevrimGunduz , @DevrimGunduzTR

Re: PLV8 yum packages

From
Jerry Sievert
Date:
> > There are a couple of things that you need to know:
> >
> > 1) V8 was affected by Spectre/Meltdown, and the version that has the
> > remediation is 6.4.388.40
>
> Wow, even Fedora 27 has 6.2.91 :-( (Even more, Fedora rawhide also has the same
> version)
>
> EPEL has 3.14 :(

And fedora’s package is broken for embedding - I’ve had to guide plenty of people through getting plv8 built on fedora because of that.

The biggest issue is that it’s not possible to even compile a version as a shared object any longer (see notes below).  And the version shipping with fedora is susceptible to meltdown and spectre, and thus is a major security risk at this point.

> > 2) the version of v8 that the official postgres yum repos use is 3.14, which
> > is 5 years out of date, and only compiles against the unsupported 1.4 branch
> > of plv8 (current is 2.3.0)
>
> Unfortunately, the packaging policy is to use OS libraries to build or install
> the packages. This is why I got stuck.


hm.  How does this affect a project that simply cannot be compiled into a library any longer (v8)?  Not only does google themselves specifically say not to do it, but it’s not supported at all in the build system any longer.  I suspect if someone were to spend a few weeks going through the build system, they may be able to get a custom build script written to create shared libraries, but this would likely break with a minor version update (one of the pains of supporting plv8 is that v8 makes major breaking changes without warning on minor version updates).

I’m trying to find some sort of middle ground.


> > 3) the v8 build system no longer supports shared object creation under linux
> > (this is a big one), and thus plv8 has moved to a static build by default,
> > leaving a make shared for platforms that can still build (I believe they have
> > managed to not break the older build system for macOS, but that seems to be
> > it)
>
> I think that explains why I cannot build 2.3.0 on my build machines anymore. We
> have 2.1.0 at the moment.


Yes - you have to use ninja and v8gen.py at this point (check out the Makefile for the examples, including the specific configuration to get it working - you can make modifications to compile with ICU, it’s off by default due to spotty ubuntu support).


> So in short: Unless EPEL and Fedora update v8, we are unlikely to update the
> plv8 package :(


As noted, that’s not even possible at this point - that option no longer exists, and google themselves (via the v8 team) keep saying not to do it.  For more context, see: https://github.com/plv8/plv8/issues/251 - there are some links to some tweets by the v8 team in there, as well as some comments from Christoph (who I’ve contacted today as well, to try to work through this issue again).


Thanks much!


> Regards,
>
> --
> Devrim Gündüz
> EnterpriseDB: https://www.enterprisedb.com
> PostgreSQL Consultant, Red Hat Certified Engineer
> Twitter: @DevrimGunduz , @DevrimGunduzTR
