Hi all,
I noticed that dev-util/cmake depends on dev-libs/expat and that libexpat upstream (where I'm involved) is in the process of dropping GNU Autotools altogether in favor of CMake in the near future, potentially the next release (without any known target release date). CMake bundles a (previously outdated and vulnerable) copy of expat so I'm not sure if re-activating that bundle — say with a new use flag "system-expat" — would be a good thing to resort to for breaking the cycle, with regard to security in particular. Do you have any ideas how to avoid a bad circular dependency issue for our users in the future? Are you aware of similar problems and solutions from the past? Thanks and best Sebastian
