Davi Arnaut wrote: > Justin Erenkrantz wrote: >> On 7/29/07, Davi Arnaut <[EMAIL PROTECTED]> wrote: >>> We don't need to bundle it because it's a mandatory API, we just have to >>> explain to (win32) users how to extract a recent expat at xml/. It's not >>> a matter of API and we don't *need* to bundle expat, it's becoming a burden. >> No - the last time I checked, simply extracting a recent expat into >> xml/ isn't sufficient for Win32. Expat has changed its build systems >> for Win32 many times over the years, so how we interface with a >> bundled expat of varying versions requires manual customization of our >> project files. IOW, expat 2 isn't a drop-in replacement for 1.95.8 on >> Win32. (The library name has changed, etc, etc.) > > I said "explain to the user", that implies explaining which versions, > etc. But, how about leaving it for win32 and removing for other platforms? > >> I am very much against projects that do not bundle required >> dependencies - not everyone is on a platform that has a good package >> management system. I want a good out-of-the-box experience for folks >> on bare-bones platforms. For those who are fortunate to be on 'rich' >> platforms can simply choose to use the --with flags. > > IMHO, we are not in the business of solving packaging problems. If the > user has to build apr-util (on a bare-bones plataform) he/she surely can > build expat too, that's how things are supposed to work. "Hiding" only > make things worse later, ie: bringing another library which links with > another expat.. boom. > >> And, I'm not so sure it's that much of a burden. > > Sure it's a burden, the time we are spending here discussing whether or > not to bundle, tracking bugs or updating our bundled version -- could > all be better spent on other things :-) >
As an example: http://www.securityfocus.com/bid/6398/info Have we updated our bundled expat to fix this vulnerability? -- Davi Arnaut
