[Python-Dev] Remove embedded expat library? (original) (raw)

Victor Stinner victor.stinner at gmail.com
Fri Jun 9 08:43:06 EDT 2017

• Previous message (by thread): [Python-Dev] UPDATE: Python 3.6.2rc1 cutoff now scheduled for 2017-06-16 12:00 UTC
• Next message (by thread): [Python-Dev] Remove embedded expat library?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Python embeds a copy of the expat library which already got two major security vulnerabilities:

"CVE-2016-0718: expat bug #537" http://python-security.readthedocs.io/vuln/cve-2016-0718_expat_bug_537.html

"Issue #26556: Expat 2.1.1" http://python-security.readthedocs.io/vuln/issue_26556_expat_2.1.1.html

Would it be possible to maintain this dependency on an external repository which would be easier to maintain? Like http://svn.python.org/projects/external/ used to build Python on Windows.

I expect that all Linux distributions build Python using --with-system-expat. It may become the default? What about macOS and other operating systems?

By the way, Zachary Ware is working on converting this repository to Git. I don't know his progress:

• https://github.com/python/cpython-bin-deps
• https://github.com/python/cpython-source-deps

Victor

• Previous message (by thread): [Python-Dev] UPDATE: Python 3.6.2rc1 cutoff now scheduled for 2017-06-16 12:00 UTC
• Next message (by thread): [Python-Dev] Remove embedded expat library?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list