From: Peter Kelly
Subject: Re: libxml2 and iconv question, do we really need iconv ?
Date: Mon, 23 Mar 2015 21:14:09 +0700
To: dev@corinthia.incubator.apache.org

> On 23 Mar 2015, at 9:04 pm, Peter Kelly wrote:
>
> Furthermore, we want to use the system libxml where available, both to take advantage of shared libraries (libxml only needs to exist in memory once, the OS maps it into the address space of each process that uses it), and for security updates (system libxml updated due to vulnerability, programs using DocFormats are still vulnerable until we go and update our own version).

For reference, here’s a list of security vulnerabilities that have been discovered in libxml over the years: http://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3311/Xmlsoft-Libxml2.html

On a standard Linux setup where libxml is a 3rd-party package, all that’s required when one of these is discovered is an upgrade of that single package.

If we keep 3rd-party sources in the repository, then every vulnerability in every library we use suddenly becomes a vulnerability in Corinthia as well, and we have to track these and issue a new version whenever one of the libraries is patched.

If we were to ever include OpenSSL as a dependency - as *many* projects do (and we might, e.g. to cater for encryption in OOXML documents), this would be an even more serious problem. I’ve lost count of the number of vulnerabilities that have been patched in OpenSSL over just the past year.

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key (fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)
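The message above argues for linking against the distribution's libxml2 so that a single package upgrade patches every program that loads it, whereas a copy bundled with the application stays vulnerable until the application itself is rebuilt and reissued. The following POSIX shell script is an added example, not part of the original message or of Corinthia's code: it reads `ldd`-style output and flags each shared library as "system" (under a directory the package manager owns) or "bundled" (resolved from somewhere else, e.g. an application-private directory on the RPATH). The list of package-managed directories is an assumption to adjust per platform, and the sample `ldd` output, including the hypothetical /opt/corinthia/lib path, is constructed for the example.

```shell
#!/bin/sh
# Added example, not Corinthia project code. Classify the shared libraries a
# binary loads: "system" = lives under a package-manager-owned directory, so a
# distro upgrade fixes it for every process; "bundled" = shipped with the
# application, so it stays vulnerable until the application is rebuilt.

# ASSUMPTION: directories the distribution's package manager owns. /usr/local
# and /opt are deliberately absent; files there are not package-managed.
SYSTEM_LIB_DIRS='/lib /lib64 /usr/lib /usr/lib64'

# classify_path PATH -> prints "system" or "bundled" (prefix match on PATH).
classify_path() {
    for d in $SYSTEM_LIB_DIRS; do
        case "$1" in
            "$d"/*) printf 'system\n'; return 0 ;;
        esac
    done
    printf 'bundled\n'
}

# classify_ldd: reads ldd output on stdin, prints "<soname> <path> <class>"
# per library. Lines without "=>" (vDSO, the dynamic loader) are skipped;
# a library ldd reports as "not found" is printed with class "missing".
classify_ldd() {
    while read -r line; do
        case "$line" in
            *'=>'*) ;;
            *) continue ;;
        esac
        soname=$(printf '%s' "${line%%=>*}" | tr -d ' \t')
        path=$(printf '%s' "${line#*=>}" | awk '{print $1}')
        case "$path" in
            /*) printf '%s %s %s\n' "$soname" "$path" "$(classify_path "$path")" ;;
            *)  printf '%s - missing\n' "$soname" ;;
        esac
    done
}

# bundled_libs: sonames of libraries that are NOT package-managed, i.e. the
# ones whose CVEs the application maintainers must track themselves.
bundled_libs() {
    classify_ldd | awk '$3 == "bundled" { print $1 }'
}

# CONSTRUCTED sample: ldd output for a binary that vendors libxml2 in a private
# directory but takes zlib and libc from the system. Not real program output.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd8b7f9000)
    libxml2.so.2 => /opt/corinthia/lib/libxml2.so.2 (0x00007f1c5a400000)
    libz.so.1 => /usr/lib/x86_64-linux-gnu/libz.so.1 (0x00007f1c5a3e0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c5a1f0000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1c5a600000)'

# sample_bundled: run the check over the constructed sample.
sample_bundled() {
    printf '%s\n' "$SAMPLE_LDD" | bundled_libs
}

# Real usage:   ldd /path/to/binary | bundled_libs
# Sample usage: sample_bundled   (prints libxml2.so.2)
```

Path-based classification is only a heuristic: a vendored copy installed under /usr/lib/<app>/ would pass as "system". For a definitive answer ask the package manager which package owns the resolved file (dpkg -S on Debian-style systems, rpm -qf on RPM-based ones); a file under /usr/lib that no package owns is still bundled and still has to be tracked by hand.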