On 10/10/22, 12:17 PM, "Boris Kolpackov" <bo...@codesynthesis.com> wrote:

> Not every application that uses Xerces-C++ is security sensitive.

If that were our perspective as a project, then among other things there should be no networking code in there.

> Also note that if you think
> Xerces-C++ is somehow exceptionally bad, you are mistaken. We are
> also packaging Expat and it's a constant stream of CVEs. And if you
> think since it's actively maintained (which it is), those CVEs are
> promptly patched, you are mistaken again: it's pretty common for the
> release to appear weeks after the CVE is fixed in the repository.

Then they may have some problems with their project too, but that's not comparable to being unable or too resource-constrained to fix them at all.

-- Scott
> Not every application that uses Xerces-C++ is security sensitive. If that were our perspective as a project, then among other things there should be no networking code in there. > Also note that if you think > Xerces-C++ is somehow exceptionally bad, you are mistaken. We are > also packaging Expat and it's a constant stream of CVEs. And if you > think since it's actively maintained (which it is), those CVEs are > promptly patched, you are mistaken again: it's pretty common for the > release to appear weeks after the CVEs is fixed in the repository. Then they may have some problems with their project too, but that's not comparable to being unable or too resource-constrained to fix them at all. -- Scott