Frequency of security updates alone isn't enough to tell if it's got good or bad security behind it. Time between discovery and fix is a major factor.
Kevin

-----Original Message-----
From: Leif Hedstrom [zw...@apache.org<mailto:zw...@apache.org>]
Sent: Tuesday, September 03, 2013 10:20 AM Pacific Standard Time
To: dev@trafficserver.apache.org
Subject: Re: expat vs libxml2

On Sep 3, 2013, at 11:08 AM, Yongming Zhao <ming....@gmail.com> wrote:

> another concern is the security of libXML2, I just grepped the security focus
> list, it shows that at least 3 security updates for 2013
>
> I don't know much on the XML indeed

Valid points. I guess I should clarify how I feel about this: If we're moving from expat to libxml2, let's do it universally. If we don't think libxml2 is the better choice, we should do the opposite and see what we can do to avoid the dependencies on libxml2 (e.g. is there a better alternative to hwloc?).

-- leif