Hi, First of all I'm 100% open with co-maintenance of xmlrpc-c.
I think that libxmltok should be removed if it is a less well maintained copy of libxml2-dev without any user. php8.4 build-depends on both but maybe it does not need libxmltok1t64 at all; -> there's no runtime dependency generated. $ reverse-depends libxmltok1t64 Reverse-Depends =============== * libxmltok1-dev $ reverse-depends -b libxmltok1-dev Reverse-Build-Depends ===================== * php8.4 I would consider these XML lib as private implementation details and do not plan to create stub libraries for non-existing usage. I'll handle the switch to external libxml2 soon. Greetings Le sam. 12 avr. 2025 à 11:39, Adrian Bunk <b...@debian.org> a écrit : > > On Thu, Apr 10, 2025 at 12:57:14PM +0200, Salvatore Bonaccorso wrote: > >... > > Triggered by the oss-security post from the expat upstream maintainer: > > https://www.openwall.com/lists/oss-security/2025/04/09/4 > > > > It might be worth to use similar patch to make xmlrpc-c switch to use > > the system expat instead of the internal copy. > > > > Ideally usptream would even just remove the upstream embedded source > > but from what I read in the above there is no interest in that for > > now. > > > > https://raw.githubusercontent.com/gentoo/gentoo/61b6130343a41b49da1ffe7376ab5d2077a37411/dev-libs/xmlrpc-c/files/xmlrpc-c-1.59.03-use-system-expat.patch > > is the patch by Sebastian Pipping to use the system libexpat. > >... > > The options offered by upstream are internal expat or external libxml2, > and external libxml2 is the new upstream default. > > Building the package with external libxml2 worked for me. > > No matter whether we use the supported external libxml2 or patch in > support for external expat, this means xmlrpc-c will drop the two > libraries containing the vendered expat from libxmlrpc-core-c3t64 > (libxmlrpc_xmlparse.so and libxmlrpc_xmltok.so). > > For trixie an option might be: > - switch to external libxml2 > - for a new library name compared to bookworm, > dropping the ${t64:Provides} would be an option > > There does not seem to be any other package actually linking to any of > the two libraries containing the vendored expat, but 3rd party software > might do so in *stable. > In bookworm: > $ xmlrpc-c-config --libs > -L/usr/lib/x86_64-linux-gnu -lxmlrpc -lxmlrpc_xmlparse -lxmlrpc_xmltok > -lxmlrpc_util > $ > as-needed obviously helps and headers don't seem to be installed, but > these libraries should perhaps be provided as stubs if they disappear > in *stable. > > Another issue for *stable is that changing the XML parser might result > in behaviour changes. > > Relevant for *stable would also be whether that would actually reduce > the number of expat1 copies that need fixing to zero. > > src:libxmltok is expat1 with a different name. > CVE-2021-46143 was fixed in trixie, other expat CVEs need triaging. > php8.4 has a (stale?) build dependency on libxmltok1-dev. > > > Regards, > > Salvatore > > cu > Adrian
