Re: [lmi] [PATCH] Use submodules for, and newer versions of, libxml2 and libxslt

[Vadim Zeitlin]

On Thu, 1 Oct 2020 15:33:31 +0000 Greg Chicares <gchicares@sbcglobal.net> wrote:

GC> Should we upgrade to the latest libxml2 now, just because it's the
GC> perfect time for that?

 We definitely could do it easily enough. I didn't want to change
everything at once and 2.9.4 (that we use currently) is not
catastrophically old (released 2016-05-23), so it didn't seem critical, but
OTOH the (incomplete) libxml2 change log does list a few fixed CVE
advisories and a number of improvements and bug fixes.

 So I wanted to write that I'll do it soon, but then I started wondering if
it could be useful for you to try to do it just to ensure that you can do
it if necessary? Please let me know if you'd be interested in such an
exercise (I hope asking you this right now doesn't constitute abuse of
weakness...).

GC> Are we already at the latest lib{xslt,exslt}?

 Yes.

GC> One oddity: after rerunning 'install_msw.sh', I notice this:
GC> 
GC> /opt/lmi/src/lmi[0]$git --no-pager diff
GC> diff --git a/third_party/libxml2 b/third_party/libxml2
GC> --- a/third_party/libxml2
GC> +++ b/third_party/libxml2
GC> @@ -1 +1 @@
GC> -Subproject commit bdec2183f34b37ee89ae1d330c6ad2bb4d76605f
GC> +Subproject commit bdec2183f34b37ee89ae1d330c6ad2bb4d76605f-dirty
GC> 
GC> This submodule is not flagged as "dirty":
GC> 
GC>   /opt/lmi/src/lmi/third_party/libxslt[0]$git status               
GC>   HEAD detached at 6a46106d
GC>   nothing to commit, working tree clean
GC> 
GC> but this submodule is:
GC> 
GC>   /opt/lmi/src/lmi/third_party/libxml2[0]$git status
GC>   HEAD detached at bdec2183
GC>   Untracked files:
GC>     (use "git add <file>..." to include in what will be committed)
GC>           compile
GC> 
GC>   nothing added to commit but untracked files present (use "git add" to 
track)
GC> 
GC> How should we handle it?
GC> 
GC>  - Add this 'compile' file to third_party/libxml2/.gitignore , as I
GC> suppose upstream should have done?

 Yes, they should have had, and they did in the latest version.

GC> But then we diverge from them, making any future update complicated.

 I don't think we should be especially afraid of diverging from them. Of
course, we shouldn't do this without any real need, but it's really not a
problem to have our own commits if we do need them and then just merge
master into our lmi branch (currently such merge would be a fast-forward,
but, as always, I don't consider non-fast-forward merges a problem at all).

GC> Or is some other way better?

 In this particular case, I think we should just upgrade libxml2, which
will fix this issue as a side effect.

 Just please let me know if we should do it or if you will,
VZ

pgp49QEPJaQ7F.pgp
Description: PGP signature