Snapshots speed up start-up by a few milliseconds but are potentially
dangerous because of the fixed hash seed that is used for strings and
dictionaries, making collision denial-of-service attacks possible.
Release builds on iojs.org have snapshots disabled but source builds
did not, until now.
The risk for individual source builds is low; the binary gets a random
32 bits hash seed that should be hard to guess by an external attacker.
It's when binaries are distributed by, for example, a distro vendor
that the fixed hash seed becomes a vulnerability, because then it's
possible to target a large group of people at once.
People that really need the faster start-up time can use the new
--with-snapshot configure flag.
PR-URL: https://github.com/iojs/io.js/pull/585
Reviewed-By: Bert Belder <bertbelder@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rod Vagg <rod@vagg.org>
Resolves minor discrepancies between android and standard POSIX systems.
In addition, some configure parameters were added, and a helper-script
for android configuration. Ideally, this script should be merged into
the standard configure script.
To build for android, source the android-configure script with an NDK
path:
source ./android-configure ~/android-ndk-r8d
This will create an android standalone toolchain and export the
necessary environment parameters.
After that, build as normal:
make -j8
After the build, you should now have android-compatible NodeJS binaries.
