Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#57863 - [nodejs] Should not be compiled against openssl 1.1

Attached to Project: Community Packages
Opened by chocobozzz (chocobozzz) - Friday, 16 March 2018, 17:26 GMT
Last edited by Bruno Pagani (ArchangeGabriel) - Friday, 10 August 2018, 13:09 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Felix Yan (felixonmars)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description: nodejs 9.8.0 should not be compiled against openssl 1.1 because this is a breaking change: some native dependencies are not compatible with openssl 1.1.

Moreover when we compile native nodejs modules, node-gyp will fetch node headers on https://nodejs.org/download/release/v9.8.0/node-v9.8.0-headers.tar.gz that only provides headers for openssl OpenSSL 1.0.2n.

Thanks,
Chocobozzz
This task depends upon

Closed by  Bruno Pagani (ArchangeGabriel)
Friday, 10 August 2018, 13:09 GMT
Reason for closing:  Fixed
Additional comments about closing:  Had been reverted and ultimately fixed upstream a long time ago.
Comment by codetorex (codetorex) - Wednesday, 21 March 2018, 09:59 GMT
This bug breaks uWebSockets (uws) library.

module.js:678
return process.dlopen(module, path.toNamespacedPath(filename));
^

Error: /node_modules/uws/uws_linux_59.node: undefined symbol: SSL_library_init
Comment by Tyler Johnson (tejohnso) - Friday, 23 March 2018, 13:04 GMT
This is still broken in 9.9.0 - and I think it should at least be a medium severity since it breaks any module that depends on openssl in a non-intuitive way.
Comment by Bruno Pagani (ArchangeGabriel) - Friday, 30 March 2018, 09:43 GMT
Did you report this upstream? I mean they are officially supporting OpenSSL 1.1.x, so those issues should be reported and fixed.
Comment by chocobozzz (chocobozzz) - Monday, 02 April 2018, 09:22 GMT Comment by Bruno Pagani (ArchangeGabriel) - Monday, 02 April 2018, 11:11 GMT
That’s not really a fix, it’s a temporary workaround. Please see my message above.
Comment by Akihiko Odaki (nekomanma) - Wednesday, 18 April 2018, 11:37 GMT
I'm writing this to suggest a patch submitted with #57913 as it is commented that it should be mentioned here.

Here is a fix to enable OpenSSL 1.1.0, by preventing node-gyp fetch external headers:
https://bugs.archlinux.org/task/57913?getfile=16243

Node.js/npm/node-gyp DOES provide a way to use external headers in case that they are not compatible. By adding a file /usr/lib/node_modules/npm/npmrc with content "npm_config_nodedir=/usr", you can force to use system headers.
/usr/lib/node_modules/npm/npmrc is designed to be provided by a distributor, according to https://docs.npmjs.com/files/npmrc#built-in-config-file. node-gyp respects the configuration (see https://github.com/nodejs/node-gyp#configuration)

However, the configuration will not be applied when node-gyp is invoked directly. It is problematic for Arch Linux because its package symlinks node-gyp executable, allowing such an invocation. The patch mentioned above deals with the problem, too.

The patch solves node-gyp issue, but it just deals with the API, and does not deal with the ABI, and breaks prebuilt Node.js C++ addons. Node.js documentation does not say the version of each modules should be checked, and even C++ addons conforming to the documentation (https://nodejs.org/api/process.html#process_process_versions) may break. The author of uws said the bug is not the fault of uws, but of Arch Linux (or of Node.js if Node.js allows such a configuration) considering that.

IIRC, Arch Linux respects the upstream while keeping everything up-to-date, and linking with OpenSSL 1.1.0 should be the correct option in the principle, but note that the configuration is controversial.
Comment by Felix Yan (felixonmars) - Wednesday, 25 April 2018, 05:56 GMT
With the update to 10.0.0 nodejs upstream switched to openssl 1.1. The package in [community-testing] has reflected the change.

Loading...