corinthia-dev mailing list archives

From Peter Kelly <>
Subject Re: libxml2 and iconv question, do we really need iconv ?
Date Mon, 23 Mar 2015 14:14:09 GMT
> On 23 Mar 2015, at 9:04 pm, Peter Kelly <> wrote:
> Furthermore, we want to use the system libxml where available, both to take advantage
> of shared libraries (libxml only needs to exist in memory once, the OS maps it into the address
> space of each process that uses it), and for security updates (system libxml updated due to
> vulnerability, programs using DocFormats are still vulnerable until we go and update our own

For reference, here’s a list of security vulnerabilities that have been discovered in libxml
over the years:

On a standard Linux setup where libxml is a 3rd-party package, all that’s required when
one of these is discovered is an upgrade of that single package.

If we keep 3rd-party sources in the repository, then every vulnerability in every library
we use suddenly becomes a vulnerability in Corinthia as well, and we have to track these and
issue a new version whenever one of the libraries is patched.

If we were to ever include OpenSSL as a dependency - as *many* projects do (and we might,
e.g. to cater for encryption in OOXML documents), this would be an even more serious problem.
I’ve lost count of the number of vulnerabilities that have been patched in OpenSSL over
just the past year.

Dr Peter M. Kelly

PGP key: <>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)
