Am 2019-12-18 22:44, schrieb Francesco Riosa:
Il giorno mer 18 dic 2019 alle ore 22:03 Sebastian Pipping <>
ha scritto:

CMake bundles a (previously outdated and vulnerable) copy of expat so
I'm not sure if re-activating that bundle — say with a new use flag
"system-expat" — would be a good thing to resort to for breaking the
cycle, with regard to security in particular.

Pushing gently upstream to upgrade bundled expat copy would (at least
temporarily) fix the issue and also benefit other use cases. Maybe they are
Gentoo friendly
they also release quite often, which would fix the problem soon

This is in CMake 3.16.0:

commit 50bc359184472700e9776a0a9d6f7e06ea82b9ce
Author: Brad King <>
Date:   Mon Nov 11 10:44:17 2019 -0500

    expat: Update CMake build for 2.2.9

commit b63a5c88a2089494e53f22f83db1925435161934
Merge: 512fabaa9d 1712885b4f
Author: Brad King <>
Date:   Mon Nov 11 10:42:32 2019 -0500

    Merge branch 'upstream-expat' into update-expat

    * upstream-expat:
      expat 2019-09-25 (a7bc26b6)

These things _are_ updated regularly, but in case something is missed just file a bug at All these bundled thing bumps are scripted as far as possible, so the actual overhead is quite small.


Reply via email to