Skip to content

build: disable v8 snapshots

Rodrigo Muino Tomonari requested to merge github/fork/bnoordhuis/disable-v8-snapshots into v1.x

Snapshots speed up start-up by a few milliseconds but are potentially dangerous because of the fixed hash seed that is used for strings and dictionaries, making collision denial-of-service attacks possible.

Release builds on iojs.org have snapshots disabled but source builds did not, until now.

The risk for individual source builds is low; the binary gets a random 32 bits hash seed that should be hard to guess by an external attacker.

It's when binaries are distributed by, for example, a distro vendor that the fixed hash seed becomes a vulnerability, because then it's possible to target a large group of people at once.

People that really need the faster start-up time can use the new --with-snapshot configure flag.

R=@piscisaureus

https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/106/

Merge request reports