(original) (raw)

On 11 Jun 2017, at 12:10, Victor Stinner <victor.stinner@gmail.com> wrote:

Le 11 juin 2017 09:38, "Ronald Oussoren" <ronaldoussoren@mac.com> a écrit :
I don’t think it would be a good idea to rely on the system provided libexpat on macOS, as Apple is not exactly fast w.r.t. upgrading their external dependencies and could easily stop updating libraries when the no longer need them (see for example the mess w.r.t. OpenSSL).

Ok, but can't we download expat instead of keeping an old copy in our repisitory?

Sure. The script that creates the installer already downloads a number of libraries, adding one more shouldn’t be a problem.

Having a copy is useful when we modify it. I don't that it is the case here.

I don’t know why expat was included in the CPython tree and if those reasons are still valid. I therefore have no opinion on keeping it, other than that expat shouldn’t be kept in the CPython tree unless there’s a good reason for doing so.

BTW. Removing 3th-party libraries from the source tree doesn’t fully isolate us from security issues in those libraries due to shipping the libraries in binary installers on Windows and macOS. The removal does make maintenance easier (no need to guess whether or not there are local patches).

Ronald

Victor
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/ronaldoussoren%40mac.com