build: disable v8 snapshots #585
Conversation
|
+1 from me on this! |
|
@bnoordhuis This does the job only for unix. But with that remark, lgtm. |
|
@piscisaureus vcbuild.bat ends up running configure, doesn't it? I can update it to rename the nosnapshot option but that would be a blind change. |
|
@bnoordhuis I'll test it for ya |
|
@bnoordhuis Looking good. |
|
👍 from me as well. This should have been the default all along. |
|
this is almost a breaking change because |
|
@rvagg that specific comment has also been nagging me for a while. It's pretty common practise for flags in "autoconf"-like environments to always allow both variations {with,}out, enable/disable, etc - but showcasing a way to toggle defaults ( Is it possibly worth to redo most of these flags at some point? |
|
I removed the --without-snapshot flag from the Makefiles, PTAL.
shrug Flags have come and gone before. I can add a no-op --without-snapshot if you feel strongly about it. |
|
Google "./configure --without-snapshot", over 20k results. I'm a little ashamed to say that I do feel strongly about this, a noop to prevent surprises and break scripted builds would be my preference here. |
bnoordhuis
force-pushed
the
disable-v8-snapshots
branch
from
017bd2f
to
b0899ec
Compare
|
@piscisaureus @rvagg Updated, PTAL. |
|
lgtm |
Snapshots speed up start-up by a few milliseconds but are potentially dangerous because of the fixed hash seed that is used for strings and dictionaries, making collision denial-of-service attacks possible. Release builds on iojs.org have snapshots disabled but source builds did not, until now. The risk for individual source builds is low; the binary gets a random 32 bits hash seed that should be hard to guess by an external attacker. It's when binaries are distributed by, for example, a distro vendor that the fixed hash seed becomes a vulnerability, because then it's possible to target a large group of people at once. People that really need the faster start-up time can use the new --with-snapshot configure flag. PR-URL: nodejs#585 Reviewed-By: Bert Belder <bertbelder@gmail.com> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> Reviewed-By: Rod Vagg <rod@vagg.org>
|
lgtm too |
bnoordhuis
force-pushed
the
disable-v8-snapshots
branch
from
b0899ec
to
4f68369
Compare
Snapshots speed up start-up by a few milliseconds but are potentially dangerous because of the fixed hash seed that is used for strings and dictionaries, making collision denial-of-service attacks possible. Release builds on iojs.org have snapshots disabled but source builds did not, until now. The risk for individual source builds is low; the binary gets a random 32 bits hash seed that should be hard to guess by an external attacker. It's when binaries are distributed by, for example, a distro vendor that the fixed hash seed becomes a vulnerability, because then it's possible to target a large group of people at once. People that really need the faster start-up time can use the new --with-snapshot configure flag. Cherry picked from bnoordhuis/io.js@4f68369 Original commit metadata below: PR-URL: nodejs/node#585 Reviewed-By: Bert Belder <bertbelder@gmail.com> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> Reviewed-By: Rod Vagg <rod@vagg.org>
Snapshots speed up start-up by a few milliseconds but are potentially dangerous because of the fixed hash seed that is used for strings and dictionaries, making collision denial-of-service attacks possible. Release builds on iojs.org have snapshots disabled but source builds did not, until now. The risk for individual source builds is low; the binary gets a random 32 bits hash seed that should be hard to guess by an external attacker. It's when binaries are distributed by, for example, a distro vendor that the fixed hash seed becomes a vulnerability, because then it's possible to target a large group of people at once. People that really need the faster start-up time can use the new --with-snapshot configure flag. Cherry picked from bnoordhuis/io.js@4f68369 Original commit metadata below: PR-URL: nodejs/node#585 Reviewed-By: Bert Belder <bertbelder@gmail.com> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> Reviewed-By: Rod Vagg <rod@vagg.org>
Snapshots speed up start-up by a few milliseconds but are potentially
dangerous because of the fixed hash seed that is used for strings and
dictionaries, making collision denial-of-service attacks possible.
Release builds on iojs.org have snapshots disabled but source builds
did not, until now.
The risk for individual source builds is low; the binary gets a random
32 bits hash seed that should be hard to guess by an external attacker.
It's when binaries are distributed by, for example, a distro vendor
that the fixed hash seed becomes a vulnerability, because then it's
possible to target a large group of people at once.
People that really need the faster start-up time can use the new
--with-snapshot configure flag.
R=@piscisaureus
https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/106/