Re: PLV8 yum packages

From: Jerry Sievert <jerry(at)legitimatesounding(dot)com>
To: Devrim Gündüz <devrim(at)gunduz(dot)org>
Cc: pgsql-pkg-yum(at)postgresql(dot)org
Subject: Re: PLV8 yum packages
Date: 2018-02-26 21:39:28
Message-ID: 6F69BD5A-2507-4FEE-8014-55BBBE3409CB@legitimatesounding.com
Lists: pgsql-pkg-yum

>> There are a couple of things that you need to know:
>>
>> 1) V8 was affected by Spectre/Meltdown, and the version that has the
>> remediation is 6.4.388.40
>
> Wow, even Fedora 27 has 6.2.91 :-( (Even more, Fedora rawhide also has the same
> version)
>
> EPEL has 3.14 :(
>

And Fedora’s package is broken for embedding - I’ve had to guide plenty of people through getting plv8 built on Fedora because of that.

The biggest issue is that it’s not possible to even compile a version as a shared object any longer (see notes below). And the version shipping with Fedora is susceptible to Meltdown and Spectre, and thus is a major security risk at this point.

>> 2) the version of v8 that the official postgres yum repos use is 3.14, which
>> is 5 years out of date, and only compiles against the unsupported 1.4 branch
>> of plv8 (current is 2.3.0)
>
> Unfortunately, the packaging policy is to use OS libraries to build or install
> the packages. This is why I got stuck.
>

Hm. How does this affect a project that simply cannot be compiled into a library any longer (v8)? Not only does Google themselves specifically say not to do it, but it’s not supported at all in the build system any longer. I suspect if someone were to spend a few weeks going through the build system, they may be able to get a custom build script written to create shared libraries, but this would likely break with a minor version update (one of the pains of supporting plv8 is that v8 makes major breaking changes without warning on minor version updates).

I’m trying to find some sort of middle ground.

>> 3) the v8 build system no longer supports shared object creation under linux
>> (this is a big one), and thus plv8 has moved to a static build by default,
>> leaving a make shared for platforms that can still build (I believe they have
>> managed to not break the older build system for macOS, but that seems to be
>> it)
>
> I think that explains why I cannot build 2.3.0 on my build machines anymore. We
> have 2.1.0 at the moment.
>

Yes - you have to use ninja and v8gen.py at this point (check out the Makefile for the examples, including the specific configuration to get it working - you can make modifications to compile with ICU, it’s off by default due to spotty Ubuntu support).

> So in short: Unless EPEL and Fedora update v8, we are unlikely to update the
> plv8 package :(
>

As noted, that’s not even possible at this point - that option no longer exists, and Google themselves (via the v8 team) keep saying not to do it. For more context, see: https://github.com/plv8/plv8/issues/251 - there are some links to some tweets by the v8 team in there, as well as some comments from Christoph (who I’ve contacted today as well, to try to work through this issue again).

Thanks much!

> Regards,
>
> --
> Devrim Gündüz
> EnterpriseDB: https://www.enterprisedb.com
> PostgreSQL Consultant, Red Hat Certified Engineer
> Twitter: @DevrimGunduz , @DevrimGunduzTR
