On Mon, 19 Sep 2011 16:42:22 -0500, Pedro Giffuni
<giffunip@tutopia.com> wrote:
> On Mon, 19 Sep 2011 23:34:22 +0200, Mathias Bauer
> <Mathias_Bauer@gmx.net> wrote:
> ...
>>> Just a thought ... Perhaps we should try to make Apache OO *really*
>>> Apache. I am now seeing so many nice things that other Apache projects
>>> offer: Santuario, APR, pdfbox, Xerces/Xalan, Maven, etc. Just something
>>> to consider (after 3.4).
>>
>> Whatever external components are added: it should be avoided to use Java
>> components for code that is loaded on startup or for loading "normal"
>> documents. If possible, Java should be used only for optional
>> components/features.
>>
> Except for pdfbox, all the Apache components I mentioned are available
> in C/C++ versions.
>
(I was on my way out so I left this sort of half answered)
The issue here is xmlsec as we have it now depends on nss and openssl.
Apache Santuario has xml-security-c which only depends on openssl (and
Xerces-c3).
The Apache way would be to use Santuario, but that is probably more work
than finding out why we are not using xmlsec + openssl. In both cases
we should also update OpenSSL for security reasons.
Pedro.