STINNER Victor <vstin...@redhat.com> added the comment:
> Any reason to not take the current patch for our vendored copy and give it > some exposure at least on platforms that rely on it (maybe just Windows)? I > don't see any reason to wait on another group to "release" it when we need to > manually apply the update to our own repo anyway. My policy is upstream fix: first, get a change merged upstream. If we start with a downstream patch: * only Windows and macOS will get the fix * upstream may require changes making the change incompatible, for example change the default limits * I would prefer to keep Modules/expat/ as close as possible to the upstream Python is vulnerable for years, it's not like there is an urgency to fix it. ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue17239> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com