[Python-Dev] Remove embedded expat library?

Victor Stinner victor.stinner at gmail.com
Fri Jun 9 08:43:06 EDT 2017


Hi,

Python embeds a copy of the expat library which already got two major
security vulnerabilities:

"CVE-2016-0718: expat bug #537"
http://python-security.readthedocs.io/vuln/cve-2016-0718_expat_bug_537.html

"Issue #26556: Expat 2.1.1"
http://python-security.readthedocs.io/vuln/issue_26556_expat_2.1.1.html

Would it be possible to maintain this dependency on an external
repository which would be easier to maintain? Like
http://svn.python.org/projects/external/ used to build Python on
Windows.

I expect that all Linux distributions build Python using
--with-system-expat. It may become the default? What about macOS and
other operating systems?

By the way, Zachary Ware is working on converting this repository to
Git. I don't know his progress:
- https://github.com/python/cpython-bin-deps
- https://github.com/python/cpython-source-deps

Victor


More information about the Python-Dev mailing list