On Wed, 2019-12-18 at 22:02 +0100, Sebastian Pipping wrote:
> Hi all,
>
>
> I noticed that dev-util/cmake depends on dev-libs/expat and that
> libexpat upstream (where I'm involved) is in the process of
> dropping GNU Autotools altogether in favor of CMake in the near future,
> potentially the next release (without any known target release date).
>
> CMake bundles a (previously outdated and vulnerable) copy of expat so
> I'm not sure if re-activating that bundle — say with a new use flag
> "system-expat" — would be a good thing to resort to for breaking the
> cycle, with regard to security in particular.
>
> Do you have any ideas how to avoid a bad circular dependency issue for
> our users in the future? Are you aware of similar problems and
> solutions from the past?
>

I know that's an unhappy idea but maybe it's time to include CMake in
stage3. Then it would be just a matter of temporarily enabling bundled
libs for stage builds, I guess.

--
Best regards,
Michał Górny