| 1 |
On Wed, 2019-12-18 at 22:02 +0100, Sebastian Pipping wrote: |
| 2 |
> Hi all, |
| 3 |
> |
| 4 |
> |
| 5 |
> I noticed that dev-util/cmake depends on dev-libs/expat and that |
| 6 |
> libexpat upstream (where I'm involved) is in the process of |
| 7 |
> dropping GNU Autotools altogether in favor of CMake in the near future, |
| 8 |
> potentially the next release (without any known target release date). |
| 9 |
> |
| 10 |
> CMake bundles a (previously outdated and vulnerable) copy of expat so |
| 11 |
> I'm not sure if re-activating that bundle — say with a new use flag |
| 12 |
> "system-expat" — would be a good thing to resort to for breaking the |
| 13 |
> cycle, with regard to security in particular. |
| 14 |
> |
| 15 |
> Do you have any ideas how to avoid a bad circular dependency issue for |
| 16 |
> our users in the future? Are you aware of similar problems and |
| 17 |
> solutions from the past? |
| 18 |
> |
| 19 |
|
| 20 |
I know that's an unhappy idea but maybe it's time to include CMake |
| 21 |
in stage3. Then it would be just a matter of temporarily enabling |
| 22 |
bundled libs for stage builds, I guess. |
| 23 |
|
| 24 |
-- |
| 25 |
Best regards, |
| 26 |
Michał Górny |
Archives