httpd-dev mailing list archives

From: Greg Stein
Subject: Re: Prior to apr 2.0 / httpd 2.4...
Date: Mon, 21 Mar 2011 14:38:33 GMT

On Sun, Mar 20, 2011 at 21:13, William A. Rowe Jr. wrote:
> On 3/20/2011 7:43 PM, Dan Poirier wrote:
>> On Sun. 2011-03-20 at 07:47 PM EDT, "William A. Rowe Jr."
>>> [1] Note particularly that expat appears to be abandoned, no releases
>>> in almost 4 yrs, with a significant security issue hanging over it we
>>> patched in apr.  No effort appears to be expended in providing any
>>> alternate non-expat apr_xml interfaces.
>> For APR to continue bundling expat seems easiest, in the absence of
>> anyone motivated to do something more.
> I wish we had a better understanding of where expat is headed, or if it
> is truly abandoned.  It seems strange to rely on an orphaned dependency.
> Anyone have any inside knowledge or informed opinion?

I'm a committer on Expat, but (as you've noted) the project has had no
attention for quite a while. I wasn't aware of a security problem in
there, however.

Even if I dropped a new release of Expat, would we want to rely on the
external build (and latest release being propagated) or continue to
ship a patched Expat within APR?

Switching to libxml2 would be possible (it is MIT licensed), but would
require a lot more coding work in the xml support. Users of APR (1.x)
also depend on Expat being available, and a switch would require them
to rewrite their XML parsing code. Maybe that is acceptable for apps
to switch to 2.0?

In short: I can make a release happen, but would that matter to the APR project?

