On Wed, 2019-12-18 at 22:02 +0100, Sebastian Pipping wrote:
> Hi all,
>
> I noticed that dev-util/cmake depends on dev-libs/expat and that
> libexpat upstream (where I'm involved) is in the process of
> dropping GNU Autotools altogether in favor of CMake in the near future,
> potentially the next release (without any known target release date).
>
> CMake bundles a (previously outdated and vulnerable) copy of expat so
> I'm not sure if re-activating that bundle — say with a new use flag
> "system-expat" — would be a good thing to resort to for breaking the
> cycle, with regard to security in particular.
>
> Do you have any ideas how to avoid a bad circular dependency issue for
> our users in the future? Are you aware of similar problems and
> solutions from the past?
>

I know that's an unhappy idea but maybe it's time to include CMake
in stage3. Then it would be just a matter of temporarily enabling
bundled libs for stage builds, I guess.

--
Best regards,
Michał Górny