[openstack-dev] [Horizon] the future of angularjs development in Horizon

Matthias Runge mrunge at redhat.com
Thu Nov 13 07:23:17 UTC 2014

On Wed, Nov 12, 2014 at 08:35:18AM -0500, Monty Taylor wrote:
> Just for the record, I believe that we should chose the tools that make
> sense for making our software, as long as it's not physically impossible
> for them to be packaged. This means we should absolutely not use things
> that require multiple versions of node to be needed. The nodejs that's
> in trusty is new enough to work with all of the modern javascript tool
> chain things needed for this, so other than the various javascript tools
> and libraries not being packaged in the distros yet, it should be fine.

Agreed. We're in the position to describe or define, what we'd like to
use or to see in the future. That may require us to create required

You're not concerned about node.js? Most probably, since you're not
distributing it. Looking at the changelog, I'm a bit worried[1]:

- 2014.10.20: openssl (addressing multiple CVEs)
- 2014.09.16: v8: fix a crash introduced by previous release
- 2014.08.19: v8: backport CVE-2013-6668 (they shouldn't bundle v8 at
- 2014.06.05: openssl: to 1.0.1h (CVE-2014-0224)
- 2013.12.18: v8: backport fix for CVE-2013-{6639|6640}

etc., etc. This leads immediately to two questions: Why is openssl
bundled there? Why is v8 bundled there? It's not about flaws in
implementation of software, it's more about bad design.

Since we don't require node.js on the server (yet), but only for
the development process: did anyone look at node's competitors? Like
CommonJS, Rhino, or SpiderMonkey?

[1] http://nodejs.org/changelog.html
Matthias Runge <mrunge at redhat.com>

More information about the OpenStack-dev mailing list