Comment 5 for bug 1187262

Hi Jamie

On 28/06/13 12:32, Jamie Strandboge wrote:
> libv8 is something we've considered in the past as part of our webkit
> work and Ubuntu SDK audits. We can't effectively support libv8 because
> it is constantly changing. Therefore, backporting patches becomes
> infeasible very quickly and we are faced with having to use a new
> upstream release-- which would likely break anything that depends on it.
> NAK on libv8 in the archive.

OK - sounds entirely reasonable and this was something I was concerned
about.

> What we did for the Ubuntu SDK is allow an embedded version of libv8--
> this is guaranteed to always match with its consumer, but for this to
> work it must be demonstrated that libv8 does not process untrusted
> javascript. If it doesn't, there is no attack surface for the embedded
> libv8 and therefore it doesn't have to be kept up to date. If it does
> processed untrusted javascript, NAK.

mongodb ships an embedded version of libv8 within the upstream tarball;
we can switch back to using this so that we avoid libv8 being a
standalone library.

Re: it must be demonstrated that libv8 does not process untrusted javascript

libv8 is used to provide the scriptable shell in mongodb; access to the
shell is via the mongo client application. By default, authentication
is turned off in the packaging - so its possible to access the db and
setup authentication - see
http://docs.mongodb.org/manual/tutorial/enable-authentication/. That
said the default bind ip is 127.0.0.1 so only users with access to the
system running mongod have unauthenticated access to the database -
allowing a configuration to be bootstrapped securely.

Hopefully that clarifies use of v8 sufficiently to support embedded
inclusion in mongodb.

--
James Page
Ubuntu Core Developer
Debian Maintainer
<email address hidden>