Add node.js 0.10.x as feature to fix OpenSSL issues



5 years ago


(Reporter: Harald, Assigned: bburton)





5 years ago
Requests to fail with an OpenSSL error [1]. The issue is fixed in 0.10.x [2].

This currently blocks the Summit app and would require additional refactoring that impacts our already limited schedule. Offering 0.10.x would also benefit most node developers that will likely use 0.10.x locally.


Comment 1

5 years ago
Unfortunately we're not able to support node 0.10.x as a builtin runtime until the security review of the production cluster for is complete because it requires a major version upgrade of the Stackato cluster.

As discussed in #paas, contains a shell script and some stackato.yml tweaks that will use a PPA from a Node community member to replace the system node with 0.10 and so Stackato ends up using 0.10 in your app instances.

Let me know if this workaround works completely for you and we'll resolve this bug for now.

Assignee: server-ops-webops → bburton
Severity: major → normal
Component: Server Operations: Web Operations → WebOps: IT-Managed Tools
Priority: -- → P3
Product: → Infrastructure & Operations

Comment 2

5 years ago
I strongly urge you to consider a hosting solution other than our Stackato system for an app that has to be in production for the Summit. The current system is DEVELOPMENT quality, not production.

We are *intending* to have a production instance of Stackato available before the summit, but it's not approved right now and there's only 2 weeks left. Even if it was usable, we can't necessarily guarantee the sort of availability or performance you might require right out of the gate.

Without knowing more about the app, I can't make much of a recommendation on what might be a good alternative hosting solution. Node.js is not our forte... we're mostly a Django and PHP shop.

One last thing worth mentioning, and hopefully you know this already: the Security Assurance team requires that all new web applications go through an Application Security review before they can be put into production. They do grant exceptions for applications that will be restricted (by VPN or LDAP) to employees only, but given the Summit's audience I doubt you can take advantage of that in this case.

If you haven't already scheduled or completed a sec-review, I *highly* recommend you get in touch with Yvan Boily as soon as possible.


5 years ago
Last Resolved: 5 years ago
Resolution: --- → FIXED