nodejs/node

io.js-v2.0.0 fails with libressl

Closed this issue · 9 comments

It seems that libressl removed a few functions used in iojs-v2.0.0. Version 1.6.2 works fine. I haven't tested other versions.

See this output for more info:

https://gist.github.com/4199d35343200e58a5d7

System: VoidLinux
Linux: 4.0.1
LibreSSL: 2.1.6_3
io.js: 2.0.0

I'm going to close this because we don't pretend to support libressl, or anything besides the bundled openssl. Thanks for filing a bug report though.

@Gottox that being said, the reason is probably because we switched to openssl 1.0.2a. If libressl has a compatible version for that, it may work. No guarantees.

Thanks for this clarification!

> or anything besides the bundled openssl.

Bundling security relevant libraries is inherently insecure and usually causes distro developers to diverge from upstream by unbundling them.
Figuring out the vulnerabilities of 300 local copies of e.g. zlib is simply impossible system-wide. It also means that updates to the bundled libraries are a lot slower, because they are tied to your releases. As such, there is nothing that can force the user to update to a non-vulnerable openssl version if he's running iojs vanilla outside of the package manager.

@hasufell That's one of the reasons iojs allows packagers/users to distribute their own openssl by passing --shared-openssl.

> That's one of the reasons iojs allows packagers/users to distribute their own openssl by passing --shared-openssl.

Then I cannot understand why you say "we don't support it". It's important to support it.

The burden of support falls on the packagers, them being the only ones linking to shared libraries. The shared library support was originally contributed by packagers.

rvagg commented

It is something we've discussed testing in our CI cluster, but until that happens we can't claim to support it officially because we simply don't know from release to release if it still works.

Well I hope you never plan to get packaged by Debian since your software is broken there too.
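
The bundled-versus-shared question argued in this thread can be checked on a running binary. The following is an added example, not part of the original thread or of io.js itself: it reads `process.versions.openssl` and `process.config.variables.node_shared_openssl` and compares the result against a caller-chosen minimum; the function names and the minimum version passed in are assumptions.

```javascript
// Added example: report which OpenSSL a runtime links against and who has
// to act when it is too old. minVersion is a caller-supplied policy value.

// Parse "1.0.2a" or "3.0.13+quic" into comparable numbers. OpenSSL 1.x
// letter suffixes (a, b, ... z, za) denote successive patch releases.
function parseOpenSSLVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(text));
  if (!m) return null;
  let letter = 0;
  for (const ch of m[4]) letter = letter * 27 + (ch.charCodeAt(0) - 96);
  return [Number(m[1]), Number(m[2]), Number(m[3]), letter];
}

function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// versions: process.versions; configVars: process.config.variables.
function auditOpenSSL(versions, configVars, minVersion) {
  // Older runtimes store the flag as a string, newer ones as a boolean.
  const shared = String(configVars.node_shared_openssl) === 'true';
  const found = parseOpenSSLVersion(versions.openssl);
  const wanted = parseOpenSSLVersion(minVersion);
  let status = 'unknown-version';
  if (found && wanted) {
    status = compareVersions(found, wanted) < 0 ? 'outdated' : 'ok';
  }
  return {
    linkage: shared ? 'shared' : 'bundled',
    version: versions.openssl,
    status,
    // A bundled copy only changes with a runtime release; a shared copy
    // follows the distribution's package updates.
    remedy: status !== 'outdated' ? 'none'
      : shared ? 'update system OpenSSL package' : 'upgrade the runtime',
  };
}

// Audit the runtime executing this script against an example minimum.
console.log(auditOpenSSL(process.versions, process.config.variables, '1.0.2a'));
```
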