Date: Thu, 19 Dec 2019 14:32:53 +0100
From: Rolf Eike Beer
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Needs ideas: Upcoming circular dependency: expat <> CMake

On 2019-12-18 22:44, Francesco Riosa wrote:
> On Wed, 18 Dec 2019 at 22:03, Sebastian Pipping wrote:
>
>> CMake bundles a (previously outdated and vulnerable) copy of expat so
>> I'm not sure if re-activating that bundle — say with a new use flag
>> "system-expat" — would be a good thing to resort to for breaking the
>> cycle, with regard to security in particular.
>>
> Pushing gently upstream to upgrade bundled expat copy would (at least
> temporarily) fix the issue and also benefit other use cases. Maybe they
> are Gentoo friendly
> they also release quite often, which would fix the problem soon

This is in CMake 3.16.0:

commit 50bc359184472700e9776a0a9d6f7e06ea82b9ce
Author: Brad King
Date:   Mon Nov 11 10:44:17 2019 -0500

    expat: Update CMake build for 2.2.9

commit b63a5c88a2089494e53f22f83db1925435161934
Merge: 512fabaa9d 1712885b4f
Author: Brad King
Date:   Mon Nov 11 10:42:32 2019 -0500

    Merge branch 'upstream-expat' into update-expat

    * upstream-expat:
      expat 2019-09-25 (a7bc26b6)

These things _are_ updated regularly, but in case something is missed
just file a bug at gitlab.kitware.com. All these bumps of bundled things
are scripted as far as possible, so the actual overhead is quite small.

Eike