From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marius Bakke <mbakke@fastmail.com>
Subject: bug#34526: Updating node.js
Date: Sun, 17 Nov 2019 19:25:33 +0100
Message-ID: <878soefjhe.fsf@devup.no>
References: <87d0npb1tx.fsf@atufi.org> <877edw6cta.fsf@fsfe.org>
 <87h8cz20ic.fsf@atufi.org> <877edud0ha.fsf@fsfe.org>
 <87va1doz0z.fsf@atufi.org> <871ru7h8gh.fsf@dustycloud.org>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:45808)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1iWPFM-0006N5-H0
 for bug-guix@gnu.org; Sun, 17 Nov 2019 13:26:06 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1iWPFL-00030Q-7b
 for bug-guix@gnu.org; Sun, 17 Nov 2019 13:26:04 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:33757)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1iWPFK-00030I-VU
 for bug-guix@gnu.org; Sun, 17 Nov 2019 13:26:03 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1iWPFK-0004Ni-RW
 for bug-guix@gnu.org; Sun, 17 Nov 2019 13:26:02 -0500
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.34526.B34526.157401514816809@debbugs.gnu.org>
In-Reply-To: <871ru7h8gh.fsf@dustycloud.org>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: Christopher Lemmer Webber <cwebber@dustycloud.org>, 34526@debbugs.gnu.org
Cc: jlicht@fsfe.org

--=-=-=
Content-Type: text/plain

Christopher Lemmer Webber <cwebber@dustycloud.org> writes:

> Daniel Gerber writes:
>
>> Hi,
>>
>> 2019-02-20, Jelle Licht:
>>> Daniel Gerber <dg@atufi.org> writes:
>>>
>>>>   [snip]
>>>> What about statically linking llhttp's C "sources" included in
>>>> node?   Building v11.10.0 succeeds with this:
>>>
>>> You could do this, of course, but afaics this is not acceptable for
>>> inclusion in Guix proper.
>>>
>>> I don't really see any way forward between convincing the fine node
>>> folks to see the 'error of their ways', or to implement a
>>> ABI-compatible
>>> replacement for llhttp that we can actually bootstrap.
>>
>> Although I would prefer the convincing-the-fine-node-folks solution,
>> here are two more ways to avoid dropping node with the EOL of 8.x(LTS)
>> at the end of 2019.
>>
>> - Remove llhttp and keep only the "legacy" http-parser, or
>>
>> - Accept to bootstrap it -- I mean use intermediary self-compiling
>> steps, like ccl, golang, java, or haskell do.
>> The build-time dependencies are: node@11.x -> llhttp -> ts-node ->
>> typescript -> self (typescript), plus quite a few npm packages.
>> It seems that node@8.x or 9.x should be a native-input to later
>> versions, but I do not know enough of Guile / Guix packaging to do it
>> myself anytime soon.
>
> Hello,
>
> Went through the process of trying to update node myself, not having
> remembered this bug.  Ran into the same issue.
>
> The bug was closed; I doubt we are going to convince the Node folks.
>
> Quite a few high-importance projects rely on Node at this point, and we
> are running an out of date Node which I suspect probably has quite a few
> insecurities.
>
> Our version of Node:   v10.16.0
> LTS Node:              v12.13.0
> Latest Node:           v13.1.0
>
> One way or another, we will probably need to update.  Both Chromium and
> Icecat depend on Node at this point.  I'm not sure if either of them use
> Node in any active way that an insecruity could manifest or if it's
> "just for packaging" but I think there's good reason to be nervous about
> being so out of date.

Node 10.x is maintained until April 2021 though:

https://nodejs.org/en/about/releases/

...so we still have some time to figure out how to bootstrap Node 12.x
and later.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl3RkJ0ACgkQoqBt8qM6
VPo3rQf9GTSaYchNAL4TWAYKFL49RewhVDbUzp0KrgS344kyHOUo6CSB48fg0sjl
cfQMOmfKjZE1feH5N8wV4YTFtuyzEfR1FmtX3622d1h0KiXuvi6KpknduRdPapE/
NPb/H4hHNyoaDbXDJDALP72FScpxCcAXAA5aAzIgoN5eZ4E3a9VRbQFmWSPxICZv
xCyug32AM3opAsOzpM+bMaSkniiP/k3IOUDUyxUTqoyMHm3Tm5dpi9ufgQUVq+pR
72MdxXivT54h5uto0jCEHhVdc70mN256Wsmh71d0WIv4y6X+zdE3Qry/helql15R
7uIodY0QulihesGZPTtvcpzuj6wQZg==
=i9Ea
-----END PGP SIGNATURE-----
--=-=-=--