From: Marius Bakke
To: Leo Famulari
Cc: 32957-done@debbugs.gnu.org
Subject: Re: bug#32957: Python uses a bundled expat
Date: Sat, 23 Mar 2019 23:34:02 +0100

Leo Famulari writes:

> On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
>> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>>
>> This has been the cause of security vulnerabilities in the past and
>> should be changed to use Expat from Guix.
>
> Looks like Debian uses an external Expat to fill the dependency, so it
> should be possible:
>
> https://packages.debian.org/stretch/python3.5-minimal
>
> We should look into the difference between the bundled Expat and
> upstream Expat.

Looking at the Debian package did help me figure out how to make it use
system Expat.  We needed this patch: .

That patch only works *after* the configure step and requires
regenerating some files (see the rules file around PyExpat), so I took a
simpler approach.

Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.
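One way to check which Expat an interpreter actually ends up with, added here as an example (it is not from this bug thread or from the Guix commit): after importing pyexpat, look for a mapped libexpat.so in /proc/self/maps. The sample maps excerpts, their store paths and the function names are constructed for illustration, and the live check assumes Linux.

```python
import re

# Constructed /proc/<pid>/maps excerpts (illustrative, not from the bug report).
SAMPLE_SHARED = """\
7f1c2a000000-7f1c2a00b000 r-xp 00000000 08:01 131 /gnu/store/aaaa-python-3.7.0/lib/python3.7/lib-dynload/pyexpat.cpython-37m-x86_64-linux-gnu.so
7f1c29c00000-7f1c29c2a000 r-xp 00000000 08:01 207 /gnu/store/bbbb-expat-2.2.6/lib/libexpat.so.1.6.8
"""
SAMPLE_BUNDLED = """\
7f1c2a000000-7f1c2a03f000 r-xp 00000000 08:01 131 /usr/lib/python3.7/lib-dynload/pyexpat.cpython-37m-x86_64-linux-gnu.so
7f1c29800000-7f1c299b0000 r-xp 00000000 08:01 99 /lib/x86_64-linux-gnu/libc-2.28.so
"""

# Matches libexpat.so, libexpat.so.1, libexpat.so.1.6.8, ...
LIBEXPAT = re.compile(r"(?:^|/)libexpat\.so(?:\.\d+)*$")


def mapped_paths(maps_text):
    """Return the set of file paths mapped into a process."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode path
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5].replace(" (deleted)", ""))
    return paths


def classify(maps_text):
    """'shared' if a libexpat.so is mapped, 'bundled' if only pyexpat is."""
    paths = mapped_paths(maps_text)
    libs = sorted(p for p in paths if LIBEXPAT.search(p))
    if libs:
        return "shared", libs
    if any("pyexpat" in p for p in paths):
        return "bundled", []
    # pyexpat compiled into the interpreter binary, or not loaded at all
    return "unknown", []


def check_running_interpreter():
    """Import pyexpat, then classify this process (Linux only)."""
    import pyexpat
    try:
        with open("/proc/self/maps") as fh:
            verdict, libs = classify(fh.read())
    except OSError:
        verdict, libs = "unknown", []
    return pyexpat.EXPAT_VERSION, verdict, libs


if __name__ == "__main__":
    print(check_running_interpreter())
```

A "shared" verdict also gives the path of the library that security updates need to replace; with "bundled", the Expat version reported by pyexpat.EXPAT_VERSION only changes when Python itself is rebuilt.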