Leo Famulari writes: > On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote: >> Python 2 and 3 are using a bundled Expat (residing under Modules/). >> >> This has been the cause of security vulnerabilities in the past and >> should be changed to use Expat from Guix. > > Looks like Debian uses an external Expat to fill the dependency, so it > should be possible: > > https://packages.debian.org/stretch/python3.5-minimal > > We should look into the difference between the bundled Expat and > upstream Expat. Looking at the Debian package did help me figure out how to make it use system Expat. We needed this patch: . That patch only works *after* the configure step and requires regenerating some files (see the rules file around PyExpat), so I took a simpler approach. Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.