[Python-Dev] Remove embedded expat library?

Ronald Oussoren ronaldoussoren at mac.com
Sun Jun 11 10:23:33 EDT 2017


> On 11 Jun 2017, at 12:10, Victor Stinner <victor.stinner at gmail.com> wrote:
> 
> On 11 June 2017 at 09:38, "Ronald Oussoren" <ronaldoussoren at mac.com> wrote:
> I don’t think it would be a good idea to rely on the system provided libexpat on macOS, as Apple is not exactly fast w.r.t. upgrading their external dependencies and could easily stop updating libraries when they no longer need them (see for example the mess w.r.t. OpenSSL).
> 
> 
> Ok, but can't we download expat instead of keeping an old copy in our repository?

Sure. The script that creates the installer already downloads a number of libraries, adding one more shouldn’t be a problem. 

> 
> Having a copy is useful when we modify it. I don't think that it is the case here.

I don’t know why expat was included in the CPython tree and if those reasons are still valid. I therefore have no opinion on keeping it, other than that expat shouldn’t be kept in the CPython tree unless there’s a good reason for doing so. 

BTW, removing third-party libraries from the source tree doesn’t fully isolate us from security issues in those libraries due to shipping the libraries in binary installers on Windows and macOS. The removal does make maintenance easier (no need to guess whether or not there are local patches).

Ronald

> 
> Victor
