From: Marius Bakke
Subject: bug#32957: Python uses a bundled expat
Date: Sat, 23 Mar 2019 23:34:02 +0100
Message-ID: <874l7t1aqt.fsf@fastmail.com>
References: <87o9c7i0l6.fsf@fastmail.com> <20181010192714.GC22832@jasmine.lan>
In-Reply-To: <20181010192714.GC22832@jasmine.lan>
To: Leo Famulari
Cc: 32957-done@debbugs.gnu.org

Leo Famulari writes:

> On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
>> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>>
>> This has been the cause of security vulnerabilities in the past and
>> should be changed to use Expat from Guix.
>
> Looks like Debian uses an external Expat to fill the dependency, so it
> should be possible:
>
> https://packages.debian.org/stretch/python3.5-minimal
>
> We should look into the difference between the bundled Expat and
> upstream Expat.

Looking at the Debian package did help me figure out how to make it use
system Expat. We needed this patch: .

That patch only works *after* the configure step and requires
regenerating some files (see the rules file around PyExpat), so I took a
simpler approach.

Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.