From: Leo Famulari
Subject: bug#32957: Python uses a bundled expat
Date: Wed, 10 Oct 2018 15:27:14 -0400
Message-ID: <20181010192714.GC22832@jasmine.lan>
References: <87o9c7i0l6.fsf@fastmail.com>
In-Reply-To: <87o9c7i0l6.fsf@fastmail.com>
List-Id: Bug reports for GNU Guix
To: Marius Bakke
Cc: 32957@debbugs.gnu.org

On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>
> This has been the cause of security vulnerabilities in the past and
> should be changed to use Expat from Guix.

Looks like Debian uses an external Expat to fill the dependency, so it
should be possible:

https://packages.debian.org/stretch/python3.5-minimal

We should look into the difference between the bundled Expat and
upstream Expat.
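
An added example, not part of the message above and not Guix or CPython code: one way to check on Linux whether a given interpreter's pyexpat uses a separately packaged libexpat or a copy compiled into Python. The function names, sample map lines and store paths are constructed for illustration; the check is a heuristic based on which shared objects are mapped into the process.

```python
import importlib.util
import re

import pyexpat  # importing it loads libexpat.so if the build links it dynamically

# Constructed /proc/<pid>/maps excerpts; hashes and versions are placeholders.
SAMPLE_EXTERNAL = (
    "7f10a0000000-7f10a0030000 r-xp 00000000 08:01 111 "
    "/gnu/store/PLACEHOLDERHASH-python-3.x/lib/python3.x/lib-dynload/pyexpat.so\n"
    "7f10a1000000-7f10a1020000 r-xp 00000000 08:01 222 "
    "/gnu/store/PLACEHOLDERHASH-expat-x.y.z/lib/libexpat.so.1\n"
    "7f10a1020000-7f10a1022000 rw-p 00020000 08:01 222 "
    "/gnu/store/PLACEHOLDERHASH-expat-x.y.z/lib/libexpat.so.1\n"
)
SAMPLE_BUNDLED = (
    "7f10a0000000-7f10a0030000 r-xp 00000000 08:01 111 "
    "/usr/lib/python3.x/lib-dynload/pyexpat.so\n"
)

# A mapped path whose file name starts with libexpat.so (pyexpat.so does not match).
_LIBEXPAT = re.compile(r"\S*/libexpat\.so\S*")


def classify(maps_text):
    """Return ("external", [paths]) if a libexpat shared object is mapped,
    otherwise ("bundled", []). A statically linked external libexpat.a would
    also report "bundled"; this heuristic cannot tell those apart."""
    libs = sorted({m.group(0) for m in _LIBEXPAT.finditer(maps_text)})
    return ("external", libs) if libs else ("bundled", [])


def audit():
    """Describe the Expat used by the running interpreter."""
    try:
        with open("/proc/self/maps") as fh:
            linkage, libs = classify(fh.read())
    except OSError:  # not Linux, or /proc not mounted
        linkage, libs = "unknown", []
    return {
        "expat_version": pyexpat.EXPAT_VERSION,  # version string of the Expat in use
        "pyexpat_origin": importlib.util.find_spec("pyexpat").origin,
        "linkage": linkage,
        "libraries": libs,
    }


if __name__ == "__main__":
    print(audit())
```

A "bundled" result means Expat fixes reach that interpreter only when Python itself is rebuilt, which is the maintenance concern the bug report raises.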