build: disable v8 snapshots #585
+1 from me on this!
@bnoordhuis This does the job only for unix. But with that remark, lgtm.
@piscisaureus vcbuild.bat ends up running configure, doesn't it? I can update it to rename the nosnapshot option but that would be a blind change.
@bnoordhuis I'll test it for ya
@bnoordhuis Looking good.
👍 from me as well. This should have been the default all along.
this is almost a breaking change because
@rvagg that specific comment has also been nagging me for a while. It's pretty common practice for flags in "autoconf"-like environments to always allow both variations {with,}out, enable/disable, etc - but showcasing a way to toggle defaults ( Is it possibly worth to redo most of these flags at some point?
I removed the --without-snapshot flag from the Makefiles, PTAL.
shrug Flags have come and gone before. I can add a no-op --without-snapshot if you feel strongly about it.
Google "./configure --without-snapshot", over 20k results. I'm a little ashamed to say that I do feel strongly about this, a noop to prevent surprises and break scripted builds would be my preference here.
017bd2f to b0899ec
@piscisaureus @rvagg Updated, PTAL.
lgtm
Snapshots speed up start-up by a few milliseconds but are potentially dangerous because of the fixed hash seed that is used for strings and dictionaries, making collision denial-of-service attacks possible. Release builds on iojs.org have snapshots disabled but source builds did not, until now.

The risk for individual source builds is low; the binary gets a random 32 bits hash seed that should be hard to guess by an external attacker. It's when binaries are distributed by, for example, a distro vendor that the fixed hash seed becomes a vulnerability, because then it's possible to target a large group of people at once.

People that really need the faster start-up time can use the new --with-snapshot configure flag.

PR-URL: nodejs#585
Reviewed-By: Bert Belder <bertbelder@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rod Vagg <rod@vagg.org>
lgtm too
b0899ec to 4f68369
Snapshots speed up start-up by a few milliseconds but are potentially dangerous because of the fixed hash seed that is used for strings and dictionaries, making collision denial-of-service attacks possible. Release builds on iojs.org have snapshots disabled but source builds did not, until now.

The risk for individual source builds is low; the binary gets a random 32 bits hash seed that should be hard to guess by an external attacker. It's when binaries are distributed by, for example, a distro vendor that the fixed hash seed becomes a vulnerability, because then it's possible to target a large group of people at once.

People that really need the faster start-up time can use the new --with-snapshot configure flag.

Cherry picked from bnoordhuis/io.js@4f68369
Original commit metadata below:
PR-URL: nodejs/node#585
Reviewed-By: Bert Belder <bertbelder@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rod Vagg <rod@vagg.org>
Snapshots speed up start-up by a few milliseconds but are potentially
dangerous because of the fixed hash seed that is used for strings and
dictionaries, making collision denial-of-service attacks possible.
Release builds on iojs.org have snapshots disabled but source builds
did not, until now.
The risk for individual source builds is low; the binary gets a random
32 bits hash seed that should be hard to guess by an external attacker.
It's when binaries are distributed by, for example, a distro vendor
that the fixed hash seed becomes a vulnerability, because then it's
possible to target a large group of people at once.
People that really need the faster start-up time can use the new
--with-snapshot configure flag.
R=@piscisaureus
https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/106/
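
Why the description above treats a seed shared by every copy of a binary differently from a seed drawn per build, as an added example that is not part of the pull request or the project's code. Keyed BLAKE2 stands in for V8's string hash, and the table size, the seed values and the key names are constructed for illustration.

```python
import hashlib
import secrets
from collections import Counter

BUCKETS = 64                 # size of the toy hash table (assumed)
SNAPSHOT_SEED = 0x1234ABCD   # constructed: one seed shared by every copy of a binary


def bucket(key: str, seed: int) -> int:
    """Bucket index under a 32-bit seed; keyed BLAKE2 stands in for V8's string hash."""
    digest = hashlib.blake2b(key.encode(), digest_size=4,
                             key=seed.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def keys_for_seed(seed: int, count: int) -> list:
    """Constructed worst-case input: keys that all share bucket 0 under `seed`."""
    keys, i = [], 0
    while len(keys) < count:
        candidate = f"k{i}"
        if bucket(candidate, seed) == 0:
            keys.append(candidate)
        i += 1
    return keys


def longest_chain(keys, seed: int) -> int:
    """Length of the fullest bucket, i.e. the worst-case lookup cost."""
    return max(Counter(bucket(k, seed) for k in keys).values())


if __name__ == "__main__":
    keys = keys_for_seed(SNAPSHOT_SEED, 200)
    # Same seed everywhere: the whole input lands in one chain.
    print("shared seed     :", longest_chain(keys, SNAPSHOT_SEED))
    # Seed drawn per build or per process: the same input spreads out.
    print("per-build seed  :", longest_chain(keys, secrets.randbits(32)))
```

The input only degrades the table whose seed it was built for, which is why a seed fixed into a widely distributed binary matters more than one unique to a single source build.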