From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id ABAB7138334 for ; Wed, 18 Dec 2019 21:02:53 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D2096E08E2; Wed, 18 Dec 2019 21:02:49 +0000 (UTC) Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 934ECE08AD for ; Wed, 18 Dec 2019 21:02:49 +0000 (UTC) Received: from [77.11.4.254] (helo=[192.168.178.31]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.3) (envelope-from ) id 1ihgT1-0004U6-St for gentoo-dev@lists.gentoo.org; Wed, 18 Dec 2019 22:02:47 +0100 References: <1a722f8f-36b5-c313-b6e1-eac75e0839c5@gentoo.org> To: gentoo-dev From: Sebastian Pipping Autocrypt: addr=sping@gentoo.org; prefer-encrypt=mutual; keydata= mQGiBErBPZQRBAC/YmehEEVqCcQ+yOT/RXdImKUOYVDqAN8bLF2wHxCPahZJrI5NSZNtI4Ah H3RwEDCP0iQXX5lCK+aI9zOQ4/Q80gxjStMFpghcAQLSfUrb9aI8FcKnKJVEPi6QFJo+UChT pAJ/kS2DuFmpfOjggMENfh8F2sIHPUYNBq4/fYPlpwCg29dr0CNMPiYigt8jtI9ye2kA2QUD /23yloFXkaCxgCIif8g0HzW3Uc2QQP00tqKG2k0vwjVjI5ajzUpuxqwOFVXaoj+aLuR5rNS0 lCBfmkhJ6AFRb5Ts6p8B+8fnJYhAGGT54HSh51F+Lm4WjUOlUCk5F7iLXe5LLd0uiRI3kuDS 23JUhRjjppXtRvx6HI1S4LX9gng/A/9dFbMnrRUgXJeU/2xlafe7QqaoNFm6s47tgClsVnYQ aH+cnoZX9XiZj/2iSXB/NvmI6jsQASPvm44SrO/loELP8f5oJQe4hWG+THX+BdgE8TgVNSdI tfifW+gA2v6RuBANgF3jQdKuku36P+bGb93fYP7CQjUXOyMK5lKxYIq79LQsU2ViYXN0aWFu IFBpcHBpbmcgKHNwaW5nKSA8c3BpbmdAZ2VudG9vLm9yZz6IYAQTEQIAIAUCSsE9lAIbAwYL CQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJELALxmpAGhYAYaQAn31DMQSoyLzq+CBxsJzt1FKX 6TA7AJ4inBy6z7We3PCgXw+1aLa0AeXFQLkCDQRKwT2UEAgA260Wa/cg1DAViRT+PPLyroBl aFrrtOsVaOfodyKz9XkKRQmaNsSxPz/LrJwnn+Kjzjy2DUp7zkgkdOPfLeKhzHNSI2bo8Oqp as5Xwt9e0oKanFxyVWk60wAYzB113MWsiUS04ZfkrwNv0n86//htibCerYzCAKLhWX0sW6pH PIT2ytgC9PWHB1hRO1wI5rTA0rj9XKC94oTe/De/MQyaBvZndWLnFpKda2xdg70kfVzu/tfv ETAaG8hCLOTS3QLwPoN45G1hQQ0JVMLxQbB65hyeqoMoHjlFfoXkKztVWJ9QYOuFAi/Bxq+V RzzAQ468iqmXu1liDNRqEcOwW8Q7dwADBQf7BnrntgPwiikBrWHRTe1EvUNO7APxKPSlCId/ 50TqbqSv52bQSRDJV4Wv7ORwHxIQ2gh32mB5WBv56j+0KeA1hXmcy0HN227FpV+jaYw3OmYc NkzHoY81RAgohJpstDFm+X8m2Mr/BvHKW9MCFuP+czlbhnandl32PPjBN7pJIJFMPiLyT4Ye Zgyyvk4hWovm9+cQGtceXyzbU/r5MugxEig7d+xJRycuQQRPU4o1LMROwHE49gJrxnMvCmn3 F0ztasjw/SVEY3gMzX/E5qRVUgrvdW8cPl/hXlILVZeKqPgKxszcGA4W0w0As/zJnKMne9sN 77nUnPSaIo2T//PXKohJBBgRAgAJBQJKwT2UAhsMAAoJELALxmpAGhYAMzkAn08ZlrPFDYCj BsVl5kSMycDl6ueOAKCua2zQ12NSJb4UdWhqgq556FHs8w== Subject: [gentoo-dev] Needs ideas: Upcoming circular dependency: expat <> CMake X-Forwarded-Message-Id: <1a722f8f-36b5-c313-b6e1-eac75e0839c5@gentoo.org> Message-ID: <85c9df6f-fcf5-61d7-90af-a375f5c75088@gentoo.org> Date: Wed, 18 Dec 2019 22:02:47 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 In-Reply-To: <1a722f8f-36b5-c313-b6e1-eac75e0839c5@gentoo.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Df-Sender: c3BpbmctZ2VudG9vQGJpbmVyYS5kZQ== X-Archives-Salt: 0420c0f6-d865-4876-8d50-81a16a18287f X-Archives-Hash: 0de16d86f0fd9cbfcc7b44d1c1e6684a Hi all, I noticed that dev-util/cmake depends on dev-libs/expat and that libexpat upstream (where I'm involved) is in the process of dropping GNU Autotools altogether in favor of CMake in the near future, potentially the next release (without any known target release date). CMake bundles a (previously outdated and vulnerable) copy of expat so I'm not sure if re-activating that bundle — say with a new use flag "system-expat" — would be a good thing to resort to for breaking the cycle, with regard to security in particular. Do you have any ideas how to avoid a bad circular dependency issue for our users in the future? Are you aware of similar problems and solutions from the past? Thanks and best Sebastian