> On 23 Mar 2015, at 9:04 pm, Peter Kelly <[email protected]> wrote:
>
> Furthermore, we want to use the system libxml where available, both to take
> advantage of shared libraries (libxml only needs to exist in memory once, the
> OS maps it into the address space of each process that uses it), and for
> security updates (system libxml updated due to vulnerability, programs using
> DocFormats are still vulnerable until we go and update our own version).
For reference, here’s a list of security vulnerabilities that have been discovered in libxml over the years: http://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3311/Xmlsoft-Libxml2.html

On a standard Linux setup where libxml is a 3rd-party package, all that’s required when one of these is discovered is an upgrade of that single package. If we keep 3rd-party sources in the repository, then every vulnerability in every library we use suddenly becomes a vulnerability in Corinthia as well, and we have to track these and issue a new version whenever one of the libraries is patched.

If we were to ever include OpenSSL as a dependency - as *many* projects do (and we might, e.g. to cater for encryption in OOXML documents), this would be an even more serious problem. I’ve lost count of the number of vulnerabilities that have been patched in OpenSSL over just the past year.

—
Dr Peter M. Kelly
[email protected]

PGP key: http://www.kellypmk.net/pgp-key
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)
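As an added example (not code from the Corinthia/DocFormats project or from the email above), the following Python script turns the point of the message into a check a maintainer can run on a built binary: given the output of `ldd`, it reports which of a watched set of libraries are resolved from the distribution's library directories (fixed by a single package upgrade) and which are bundled under the application's own prefix or not dynamically loaded at all (fixed only when the project itself ships a new release). The `ldd` lines, the `/opt/docformats` path and the watched-library list are constructed for the example.

```python
"""Classify a binary's shared-library dependencies by who patches them.

Added example, not code from the Corinthia/DocFormats project. It consumes
the text of `ldd <binary>`, assumed to have been captured beforehand; the
sample output below is constructed for the demonstration.
"""
import re
from typing import Dict, List

# Directories the distribution's package manager populates; a library
# resolved from here is updated by upgrading that one package.
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Libraries with a record of security advisories (the email names libxml
# and OpenSSL); constructed list for the example.
WATCHED = ("libxml2", "libssl", "libcrypto", "libz")

# Constructed `ldd` output for a hypothetical DocFormats build that loads
# libxml2 from a bundled copy in its own prefix and libz from the system.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2c3f0000)
\tlibxml2.so.2 => /opt/docformats/lib/libxml2.so.2 (0x00007f3b2c000000)
\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f3b2bde0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b2bbe0000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f3b2c200000)
"""

# "<soname> => <path> (<addr>)"; "=> not found" yields the token "not".
LDD_LINE = re.compile(r"^\s*(?P<name>\S+)\s*=>\s*(?P<path>\S+)")


def parse_ldd(output: str) -> Dict[str, str]:
    """Map each resolved soname to the path the dynamic loader chose."""
    resolved: Dict[str, str] = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m and m.group("path") != "not":  # skip "=> not found"
            resolved[m.group("name")] = m.group("path")
    return resolved


def base_name(soname: str) -> str:
    """'libxml2.so.2' -> 'libxml2'."""
    return soname.split(".so")[0]


def classify(ldd_output: str, watched=WATCHED) -> Dict[str, str]:
    """Report 'system', 'bundled' or 'absent' for each watched library.

    'absent' means the loader never resolves it: the binary either does not
    use the library or was linked against it statically (for example from
    vendored sources). Either way, no package upgrade will fix it.
    """
    by_base = {base_name(n): p for n, p in parse_ldd(ldd_output).items()}
    report: Dict[str, str] = {}
    for lib in watched:
        path = by_base.get(lib)
        if path is None:
            report[lib] = "absent"
        elif path.startswith(SYSTEM_LIB_DIRS):
            report[lib] = "system"
        else:
            report[lib] = "bundled"
    return report


def needs_tracking(report: Dict[str, str]) -> List[str]:
    """Libraries whose upstream security fixes the project must ship itself.

    Anything not provided by the system falls here; an 'absent' entry should
    be confirmed as unused before it is dropped from the list.
    """
    return sorted(lib for lib, where in report.items() if where != "system")


if __name__ == "__main__":
    rep = classify(SAMPLE_LDD)
    for lib, where in rep.items():
        print(f"{lib:<10} {where}")
    print("patched by the project, not the distro:", ", ".join(needs_tracking(rep)))
```

In practice the script is fed with `ldd ./dfconvert` (or whatever the built binary is called) and the watched list is the set of libraries whose advisories the project would otherwise have to follow by hand; a "bundled" or "absent" result for one of them is exactly the situation the message warns about.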
