On 3/21/2011 9:38 AM, Greg Stein wrote:
> On Sun, Mar 20, 2011 at 21:13, William A. Rowe Jr. <[email protected]>
> wrote:
>> On 3/20/2011 7:43 PM, Dan Poirier wrote:
>>> On Sun. 2011-03-20 at 07:47 PM EDT, "William A. Rowe Jr."
>>> <[email protected]> wrote:
>>>>
>>>> [1] Note particularly that expat appears to be abandoned, no releases
>>>> in almost 4 yrs, with a significant security issue hanging over it we
>>>> patched in apr. No effort appears to be expended in providing any
>>>> alternate non-expat apr_xml interfaces.
>>>
>>> For APR to continue bundling expat seems easiest, in the absence of
>>> anyone motivated to do something more.
>>
>> I wish we had a better understanding of where expat is headed, or if it
>> is truly abandoned. It seems strange to rely on an orphaned dependency.
>>
>> Anyone have any inside knowledge or informed opinion?
>
> I'm a committer on Expat, but (as you've noted) the project has had no
> attention for quite a while. I wasn't aware of a security problem in
> there, however.
>
> Even if I dropped a new release of Expat, would we want to rely on the
> external build (and latest release being propagated) or continue to
> ship a patched Expat within APR?
>
> Switching to libxml2 would be possible (it is MIT licensed), but would
> require a lot more coding work in the xml support. Users of APR (1.x)
> also depend on Expat being available, and a switch would require them
> to rewrite their XML parsing code. Maybe that is acceptable for apps
> to switch to 2.0?
>
> In short: I can make a release happen, but would that matter to the APR
> project?
Greg,

I'm eagerly anticipating releases of openssl-1.0.1 and zlib-1.2.7 to include them in the Windows package. We won't be moving that target very much over the course of the 2.4.x lifecycle, so I didn't care to ship something with openssl 1.0.0 or other stale packages.

I see there is some commit activity. Is there any hope of an expat 2.0.2 in the near future, since these vulnerabilities have been known for about half a year or more, now?

I would really love to ship an httpd binary which includes something more fresh than expat 1.9.7-tweaked.

Bill
