On 2015-09-08 12:50, Stefan Hett wrote:
Hi,
a while ago I've been pointed by Bert to the fact that APRUtil 1.5.4
includes Expat 1.95.7 which is rather old (from October 2003). According
to http://www.libexpat.org/ there has been another 1.95 release with
mostly bugfixes (1.95.8 in July 2004) and the latest one is 2.1.0 (from
March 2012).
I would like to respond positively on this suggestion that "something"
be done.
It could be updated, and fortunately expat is not a package with
frequent (security) updates, but it is external. What may have been
good before is perhaps not as correct anymore.
a) expat needs to be closer to mainstream: there are many features
in expat that have been introduced since then.
The embedded expat is not packaged as an internal (aka static) library -
but appears as a separate library.
I ran into this problem when packaging something else that needed the
latest and greatest (i.e., 2.0.1 as base).
My solution is to repackage apr, apr-util and httpd after removing
the internal expat - so that I have latest and greatest for both - and
can update it, in principle - separate from apr.
I would vote to make external expat the default and/or just remove expat
from apr.
Especially in light of 2.1.0 incorporating several security fixes, Bert
suggested that I upgrade Expat to the latest version.
I'm wondering whether it wouldn't be useful if APRUtil would update its
Expat integration directly. Originally I planned to provide a patch for
that, but after checking things out I realize that it'd take me a
significant amount of time (especially since I'd have to check/test the
Linux integration) to bring the patch up to a quality which could be
accepted.
I also read that there are plans for APR 2 to incorporate APRUtil
directly and drop the direct integration of Expat. Nevertheless, I think
that APR-Util 1.5.x will still be around for several years, it might
still serve a purpose to upgrade Expat in 1.5.x.
In case that helps, I've put together the patch I'm using to upgrade
Expat in APRUtil for building Apache HTTP & SVN on Windows to this
issue: http://www.luke1410.de:8090/browse/MAXSVN-1
In principle it's just copying over the files from Expat 2.1.0 following
the description from glsmith here:
https://www.apachelounge.com/viewtopic.php?t=5416 .
Only some tweaks were made to keep some of the APRUtil specific changes
I spotted.
Please note that this was only tested in my own build environment and
only on Windows. It certainly won't work on Linux as is.
Regards,
Stefan