From unknown Fri Aug 15 03:56:23 2025
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
Content-Type: text/plain; charset=utf-8
From: bug#32957 <32957@debbugs.gnu.org>
To: bug#32957 <32957@debbugs.gnu.org>
Subject: Status: Python uses a bundled expat
Reply-To: bug#32957 <32957@debbugs.gnu.org>
Date: Fri, 15 Aug 2025 10:56:23 +0000

retitle 32957 Python uses a bundled expat
reassign 32957 guix
submitter 32957 Marius Bakke <mbakke@fastmail.com>
severity 32957 important
tag 32957 security

thanks


From debbugs-submit-bounces@debbugs.gnu.org Sat Oct 06 10:58:33 2018
Received: (at submit) by debbugs.gnu.org; 6 Oct 2018 14:58:33 +0000
Received: from localhost ([127.0.0.1]:38755 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1g8o2L-0005Jj-I6
	for submit@debbugs.gnu.org; Sat, 06 Oct 2018 10:58:33 -0400
Received: from eggs.gnu.org ([208.118.235.92]:39926)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mbakke@fastmail.com>) id 1g8o2J-0005JU-2o
 for submit@debbugs.gnu.org; Sat, 06 Oct 2018 10:58:31 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mbakke@fastmail.com>) id 1g8o2C-0002AP-UO
 for submit@debbugs.gnu.org; Sat, 06 Oct 2018 10:58:25 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM
 autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:49636)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <mbakke@fastmail.com>) id 1g8o2C-00029Y-5B
 for submit@debbugs.gnu.org; Sat, 06 Oct 2018 10:58:24 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49510)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <mbakke@fastmail.com>) id 1g8o2B-0007uJ-Fv
 for bug-guix@gnu.org; Sat, 06 Oct 2018 10:58:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mbakke@fastmail.com>) id 1g8o27-00026X-4s
 for bug-guix@gnu.org; Sat, 06 Oct 2018 10:58:22 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:56795)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <mbakke@fastmail.com>) id 1g8o26-00024z-0J
 for bug-guix@gnu.org; Sat, 06 Oct 2018 10:58:18 -0400
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id E01D821175
 for <bug-guix@gnu.org>; Sat,  6 Oct 2018 10:58:15 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute5.internal (MEProxy); Sat, 06 Oct 2018 10:58:15 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h=
 from:to:subject:date:message-id:mime-version:content-type; s=
 fm1; bh=ZqEcX46pMlbNfVJhtip8n7/q2hqLWq9pbQPHYTZMfpw=; b=BGeoMd6z
 EMF91dhURrb/xFxFRikDxJwqCNpuS8E0MT6dUS4h3DkEGzDx1HvTMsFTQK5FW3zh
 HFQBTcKpbE9mXbWQoJTwrMaOIHBgRbdJfbnjt6Pe8MakNIzx8oAo59TOw01hZFw6
 NUelrlOj/0I/vCB8ft4/LA9eXYg+Xrnt/PuI9rtqSY4tMtAaf3lGGEkF+7N0IgQT
 1nSaZuDduvWyVJ11FB6fGuX4vWW7nBlq2aMvEzwN3BEdukCZ1VUbPFcI37bhRkP9
 /ZID4/E2Txwb35xsYY4Ss7AEsRxug18U28tIpzplG1G9frkc5rnMei2GXqzFSprH
 6dt7GEx5gVZGmg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm3; bh=ZqEcX46pMlbNfVJhtip8n7/q2hqLW
 q9pbQPHYTZMfpw=; b=atjxAuC2KRAFgRcFV+dbV7wSacdJ9xvPPerxQ7xmTyygW
 6wW+u5xZVjaFFzAsH0TmP5mk8yXAElhlhQFyBfhd1nBk7gv7K8PojP6EmBbwL3VM
 c0nI2DvnPwj+Ga1gRAFnr6hhWx/RnbsYPip+qn3peYFIKfuWDg8X6xR2PQupbO/z
 0cKVL1mvOHEhrlEL0xHdw5TsZOs87oVG5TVP0vSWEJcudLTwuHc2uurZ8R4GD9Xk
 ga7gFpUEjJ3JfsAR/x41+mu2BdDwiehJ5zg+kPO2VbFxoG/fJTIH0c7rdPEUFT1l
 0R0Ky7QWhqCUJibgIo6RYZCacCjLHR1MfkmeT4NBw==
X-ME-Sender: <xms:h824W4w2g-r11IMHuaz0zI1UOR5k7vJXabceA1HWawnX5hovLZFaTA>
X-ME-Proxy: <xmx:h824W0B0oIDakyVrWkx1CFfqQiICictDZufswx3MLeB7AU_LHmstXQ>
 <xmx:h824Ww9OA8tzLs_wxFbXK22UjSeItyosrz42pZ_X9PmRU9-MFtCzeQ>
 <xmx:h824W4DkhoE4fh53Je2B670CKOD-HGtj9Lj3MnDTnHx45EnYCMm3Wg>
 <xmx:h824W88EAzJr8t1qQxkEVhXHt1XrAIMnhyZHc4bhJClNeeTeUoq-Rw>
 <xmx:h824W7zLExKDHd8fN6Fue4aBp8CokA_druD_du4jh9p7cz5Oa9zmAg>
 <xmx:h824W1YksQ6YAxGFHqPtOjgU-HcgetAwIkEwJb01PYtzTjux5QoXVg>
Received: from localhost (140.226.16.62.customer.cdi.no [62.16.226.140])
 by mail.messagingengine.com (Postfix) with ESMTPA id 449AA102E8
 for <bug-guix@gnu.org>; Sat,  6 Oct 2018 10:58:15 -0400 (EDT)
From: Marius Bakke <mbakke@fastmail.com>
To: bug-guix@gnu.org
Subject: Python uses a bundled expat
User-Agent: Notmuch/0.27 (https://notmuchmail.org) Emacs/26.1
 (x86_64-pc-linux-gnu)
Date: Sat, 06 Oct 2018 16:58:13 +0200
Message-ID: <87o9c7i0l6.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.3 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.3 (-----)

--=-=-=
Content-Type: text/plain

Python 2 and 3 are using a bundled Expat (residing under Modules/).

This has been the cause of security vulnerabilities in the past and
should be changed to use Expat from Guix.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlu4zYUACgkQoqBt8qM6
VPo2UAgAzKQ8+SbMxzNFx4YEEOM/Mm0XKo+20DMBZHlqI+Gg0Q+9VVCNfwttbAzw
zdEYr5Zw5FEWIe30/97Dw0BdmaK+17rREcSrc6b4UZESgIPF9R1NHzcxwZWjRWj7
PuOI6pHdADHzraMN1afgyGg2jVVc8zPmLCimNcHUpJIvJH+kFVPauEetl/ONcC7G
mOtNL1d3pHmpSAgCEHQ+iC7KoPJDDJBM0aKLtDNTYK69VaOY8L3K2b/5DgHW+jCE
RcA6tlE37Cjen+L64fPmvlMqPSD5GT5nAwn5/PwPaXWJG6FaVW5FVo6OGdn/EKI7
5kHqiuLZm2yr/fBY7xWlOhqPajHEyg==
=dmT8
-----END PGP SIGNATURE-----
--=-=-=--




From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 08 09:27:29 2018
Received: (at control) by debbugs.gnu.org; 8 Oct 2018 13:27:29 +0000
Received: from localhost ([127.0.0.1]:40010 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1g9VZH-0006s9-8k
	for submit@debbugs.gnu.org; Mon, 08 Oct 2018 09:27:29 -0400
Received: from eggs.gnu.org ([208.118.235.92]:52276)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1g9VZG-0006rv-6f
 for control@debbugs.gnu.org; Mon, 08 Oct 2018 09:27:26 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@gnu.org>) id 1g9VZ7-0003Re-7d
 for control@debbugs.gnu.org; Mon, 08 Oct 2018 09:27:20 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled
 version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:34707)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
 id 1g9VZ6-0003RU-Vb
 for control@debbugs.gnu.org; Mon, 08 Oct 2018 09:27:17 -0400
Received: from [193.50.110.78] (port=57028 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>) id 1g9VZ3-0001SF-Hs
 for control@debbugs.gnu.org; Mon, 08 Oct 2018 09:27:16 -0400
Date: Mon, 08 Oct 2018 15:27:12 +0200
Message-Id: <87efd0zhzj.fsf@gnu.org>
To: control@debbugs.gnu.org
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: control message for bug #32957
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -6.0 (------)

tags 32957 security




From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 08 09:27:31 2018
Received: (at control) by debbugs.gnu.org; 8 Oct 2018 13:27:31 +0000
Received: from localhost ([127.0.0.1]:40013 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1g9VZL-0006sS-9a
	for submit@debbugs.gnu.org; Mon, 08 Oct 2018 09:27:31 -0400
Received: from eggs.gnu.org ([208.118.235.92]:52298)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1g9VZK-0006s1-4g
 for control@debbugs.gnu.org; Mon, 08 Oct 2018 09:27:30 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@gnu.org>) id 1g9VZD-0003TT-6y
 for control@debbugs.gnu.org; Mon, 08 Oct 2018 09:27:25 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled
 version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:34710)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
 id 1g9VZD-0003T6-1W
 for control@debbugs.gnu.org; Mon, 08 Oct 2018 09:27:23 -0400
Received: from [193.50.110.78] (port=57030 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>) id 1g9VZC-0001aU-A3
 for control@debbugs.gnu.org; Mon, 08 Oct 2018 09:27:22 -0400
Date: Mon, 08 Oct 2018 15:27:18 +0200
Message-Id: <87d0skzhzd.fsf@gnu.org>
To: control@debbugs.gnu.org
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: control message for bug #32957
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -6.0 (------)

severity 32957 important




From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 10 15:27:20 2018
Received: (at 32957) by debbugs.gnu.org; 10 Oct 2018 19:27:20 +0000
Received: from localhost ([127.0.0.1]:43871 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1gAK8e-0001Go-AB
	for submit@debbugs.gnu.org; Wed, 10 Oct 2018 15:27:20 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:37235)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1gAK8c-0001Gg-NG
 for 32957@debbugs.gnu.org; Wed, 10 Oct 2018 15:27:18 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 8A59121D26;
 Wed, 10 Oct 2018 15:27:18 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute4.internal (MEProxy); Wed, 10 Oct 2018 15:27:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-type:in-reply-to; s=mesmtp; bh=7yafLitxo+EldNuMVPG0UPU0
 TsYxDCdIyKxtjIZrKCw=; b=besMsMWEfaPvAvV2vhU24easofQa0S0rldX6KiDD
 NveyYeLMFJd4PPgI7mrIh7AO9MMGCwC4SAr/nsC29GmHsVx4FaE9GttoDqZiFuc4
 JAITjrJg412CMJF2y2nXXZtwug/FFxKAnd9h6pnzHRGoh7ayuYxljxdJRA10tbug
 5io=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=7yafLi
 txo+EldNuMVPG0UPU0TsYxDCdIyKxtjIZrKCw=; b=qK/zyLYTz/OwJxFZQ6pzs+
 svJTkXvbyf35Ae4GA25lOHZOhPkHmYOHVgAmu5m3PQbLuc0PbNbJ6y9oVqA7eKSG
 uTbyEa/goiIf57QKgrvPHzN0JQED+TxXS9h4f9zNkQFl4zUGtV0l+EW7P8ZhE+pJ
 KsSal40rpFRZFBd4nrVN5R1dWF9NGgtpS9HCQzQFYNXJuvVS/J2E73xDxe3dmtGs
 YCN94TBajbW4BtCzXGePdjb/i5HxijlUfkP1G3pcyGhIYm0h3jBQcwExnnaTi6V1
 yw9Z5I8UIG/zoC57iwVx75Xv04GwUdhwS07h5VYaJ2Z8owouvWL8JZfQuuQPWVZQ
 ==
X-ME-Sender: <xms:lFK-WyPpXNtwWE5hjHmp9ZVRxshDdAbILaCtIUfX5WCPLOYoba6_GA>
X-ME-Proxy: <xmx:lFK-WzguMC3VMMlBfrjwj2XQHMXJojktx5gOfTXxpL0oeCMtXrMjFA>
 <xmx:lFK-WwP08uYJ6ZBUYKHriOF4vvW6_OTNd2hKeq3lRjaf8e-oE8YXyQ>
 <xmx:lFK-W07gSlHJyQRiAP-cadqyjmOckwZIsov9ADBUR7asF42gcv_Bwg>
 <xmx:lFK-W-0SFjip-zd8r9DEvfpPAlA-_WYVgvdBThVJbuJjdYfsSD59iQ>
 <xmx:lFK-W1boekyH2dbOIRhMF1QjLtUi4RTbwFiHaAlsCNhCWcCd4V8xwQ>
 <xmx:llK-W_Fuk5Ts9WAEqfnpz9d8U5l8ia6Jj7JpXbDiOAaLGp6n_wjDYA>
Received: from localhost (unknown [172.58.201.64])
 by mail.messagingengine.com (Postfix) with ESMTPA id C2577102ED;
 Wed, 10 Oct 2018 15:27:15 -0400 (EDT)
Date: Wed, 10 Oct 2018 15:27:14 -0400
From: Leo Famulari <leo@famulari.name>
To: Marius Bakke <mbakke@fastmail.com>
Subject: Re: bug#32957: Python uses a bundled expat
Message-ID: <20181010192714.GC22832@jasmine.lan>
References: <87o9c7i0l6.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="uh9ZiVrAOUUm9fzH"
Content-Disposition: inline
In-Reply-To: <87o9c7i0l6.fsf@fastmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 32957
Cc: 32957@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)


--uh9ZiVrAOUUm9fzH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>=20
> This has been the cause of security vulnerabilities in the past and
> should be changed to use Expat from Guix.

Looks like Debian uses an external Expat to fill the dependency, so it
should be possible:

https://packages.debian.org/stretch/python3.5-minimal

We should look into the difference between the bundled Expat and
upstream Expat.

--uh9ZiVrAOUUm9fzH
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlu+UpIACgkQJkb6MLrK
fwgOaQ/7BWBph+EUCzDA64XayEu4voEnWKB/NWbD4bbVge3wo2bTAjemKg3hQRMt
VxntWISU56rnln9PEq5ZZ+apnC8U91CGuAoum5ydgADJMUPjzmzcw1g/CVivT2ss
5DfMWSC23AtYQQrJ9OuV8ofXERbwAtJzVCGumt0mK9uuVZ4A+I3Kv5SzPzL5eLkk
V384R7uOWFJXP6PFxHFG5ZMTUvOHJNTujQwfTx9lEBccaFHXyy28/nJjZ3t315yz
h4Sy/iCCzGlROnJGjqDWOOpQdYx5N2KuhX14NW5woGLRK8nAej9COgFFRjD+iECu
nQonNS1VaoIDrZpgijdAGAjqhkn9zJuS6fL1IbinJDIeMlVXkvNZyq2dLp5eUE8L
WpJVOnt+pk5w25l1CYu1ZSYL7UEO8jkCkPPcxrukXItKLQOecPDIGWd1ynx5FLqu
YLIa/VTWnmZlHUZep6tvz2rYH6QqZyMSMVUrQZxjTNuNRlEJ5ylgzHRWz80hzs9z
pV/ql+LHRNb3GlJcBpKNAdGxe/QJ6UIsZV7SlwDIuOicqaEtQN8q/fVSNNPr5/XC
TgfmR3n1SbUOwd8vrVf7TDzF58NwjH/BXUX+nv96RPmuyCma7i8VXvVUQgv/ORo2
NKqKHE+q3s7ykIF5GG2Te3WsH9KspqA5fY7E8cxuJly5XQ//of0=
=Jgba
-----END PGP SIGNATURE-----

--uh9ZiVrAOUUm9fzH--




From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 23 18:34:13 2019
Received: (at 32957-done) by debbugs.gnu.org; 23 Mar 2019 22:34:13 +0000
Received: from localhost ([127.0.0.1]:55854 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1h7pDR-00004z-2Z
	for submit@debbugs.gnu.org; Sat, 23 Mar 2019 18:34:13 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:42955)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mbakke@fastmail.com>) id 1h7pDP-0008WQ-01
 for 32957-done@debbugs.gnu.org; Sat, 23 Mar 2019 18:34:11 -0400
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id 75A2321BAD;
 Sat, 23 Mar 2019 18:34:05 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute5.internal (MEProxy); Sat, 23 Mar 2019 18:34:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h=
 from:to:cc:subject:in-reply-to:references:date:message-id
 :mime-version:content-type; s=fm2; bh=F7iLOC07PIjMQxre1jELCCAckt
 h9/v7WF6+vLogHoiM=; b=cR3szB7uYAqex2ilGPCU5zhPE414/HjgFsOowsYu6U
 ZTyOreRpqqMVhUkSKYByfaPqGKBhPTM8m+Z78CVyrR26caz3o8Gh1Qpg3o53uORT
 W/hE0Ga9EYcvXma47d6Bwii3uPtPFAdnkYVsZhznfZwh1IyavXmkb0VyNWuFhdzr
 dirDcd1bpmaedY0CfoI0LUQmogQtmTXJk9NPcmzZdr+jjWr44A9n0yPNv7sovQlt
 HVDmYIuAgq0Em4DoLrmpVYWDQTDpCuJMNWrr/VhSm7g8XQqjB3BOF3aLXhxcNUoN
 8lUrnVCwyT0Xt5Knd+27ST7BfkKtZqDZVQOXZMxeGKYA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=F7iLOC
 07PIjMQxre1jELCCAckth9/v7WF6+vLogHoiM=; b=4ZyMyr3LxP4h8Rxv2Ddmcs
 DJMNYAxLpsX+KqLGzO7zoTahd8wggg2ZgRdKSzvrW1iZvzFpX82ZIjjqZ4YuREw4
 hdMj+052RHWMbMNRoQ7HKrfRw1JBtpLM2vM6E46BRvBWQeonGEdwMRkLak95ki4p
 K5AtEioVMmjestTbPUbJJrMDbe4Fs5ZmqFPfLbdatiQTWsMa23BeKTl912yQFRlg
 WAqa3Ttv/NeSFW3/ozKRVxcpqQAdOYwV9dcfB8f8E/0ORW2FpA+DB1p1nNsk0EeK
 8BA+Jc+Ogy8cr7wRAi0aL1yXszn3+ra2/CfMfM6H8DykBdv44u4OwyR+CmNMrUBA
 ==
X-ME-Sender: <xms:XbSWXERq1Zlri-TG5Wma90aX2eKVlfJn2dOloIkBjm2WSVbrxjLJ3A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrjeegucetufdoteggodetrfdotffvucfrrh
 hofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgenuceurghi
 lhhouhhtmecufedttdenucenucfjughrpefhvffujghffgffkfggtgesghdtreertdertd
 enucfhrhhomhepofgrrhhiuhhsuceurghkkhgvuceomhgsrghkkhgvsehfrghsthhmrghi
 lhdrtghomheqnecuffhomhgrihhnpeguvggsihgrnhdrohhrghenucfkphepiedvrdduie
 drvddviedrudegtdenucfrrghrrghmpehmrghilhhfrhhomhepmhgsrghkkhgvsehfrghs
 thhmrghilhdrtghomhenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:XbSWXIGaxQCJNQlSiRLzAATMDkZ8-cArTmcaxH5mVWR7NmCdnQsIlQ>
 <xmx:XbSWXOgFF0B6u0snFd3LaV4zWVRUUT8eIe-5c_9JqEriR0j2USQuSw>
 <xmx:XbSWXGpss5JGFHt4o1-f3HWyp1x9lOzppZmJz6LOUoxnVNAJjz1Rxg>
 <xmx:XbSWXD_NQqt9Db9UdZmUjs68bM7ZdswL8jxUrayfhElZujty_d61wg>
Received: from localhost (140.226.16.62.customer.cdi.no [62.16.226.140])
 by mail.messagingengine.com (Postfix) with ESMTPA id B8A37E4549;
 Sat, 23 Mar 2019 18:34:04 -0400 (EDT)
From: Marius Bakke <mbakke@fastmail.com>
To: Leo Famulari <leo@famulari.name>
Subject: Re: bug#32957: Python uses a bundled expat
In-Reply-To: <20181010192714.GC22832@jasmine.lan>
References: <87o9c7i0l6.fsf@fastmail.com> <20181010192714.GC22832@jasmine.lan>
User-Agent: Notmuch/0.28.2 (https://notmuchmail.org) Emacs/26.1
 (x86_64-pc-linux-gnu)
Date: Sat, 23 Mar 2019 23:34:02 +0100
Message-ID: <874l7t1aqt.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 32957-done
Cc: 32957-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Leo Famulari <leo@famulari.name> writes:

> On Sat, Oct 06, 2018 at 04:58:13PM +0200, Marius Bakke wrote:
>> Python 2 and 3 are using a bundled Expat (residing under Modules/).
>>=20
>> This has been the cause of security vulnerabilities in the past and
>> should be changed to use Expat from Guix.
>
> Looks like Debian uses an external Expat to fill the dependency, so it
> should be possible:
>
> https://packages.debian.org/stretch/python3.5-minimal
>
> We should look into the difference between the bundled Expat and
> upstream Expat.

Looking at the Debian package did help me figure out how to make it use
system Expat.  We needed this patch:
<https://salsa.debian.org/cpython-team/python3/blob/master/debian/patches/s=
etup-modules.diff>.

That patch only works *after* the configure step and requires
regenerating some files (see the rules file around PyExpat), so I took a
simpler approach.

Fixed in d1659c0fb27c4f71c8ddc6a85d3cd9f3a10cca97.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlyWtFoACgkQoqBt8qM6
VPofDgf/WzwcJMChtSroskjXIDJRIqVfOdqv4epmBDIYCCohH0h/BHzmpUoq9A5m
52YfqxTjPKmzsRUbyazd88andVej6AmnosDarkCWH3sDr/MJgHOawk7l6bsjEV8a
dfQSrC57X2I6qQSwvlEHskPhS4vAy4LeVIccGOiSyBrPVZbzNpe70FoILPOiMNIC
opf8xB56KacuNh7ZRsNBmKZHdSassVn5QvdKhGhuJmVhsFqlm7bP9j4npq0/OhGv
Y302hIwh8JoAUkAcWlWj9iaY5uYi7pzwU8TyMj1T+LjuvyjilBc80/k3HBgsXWB8
x8fRP5kFJc69JAYed6rDbHZD/EcxoA==
=zaky
-----END PGP SIGNATURE-----
--=-=-=--




From unknown Fri Aug 15 03:56:23 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request <help-debbugs@gnu.org>
Subject: Internal Control
Message-Id: bug archived.
Date: Sun, 21 Apr 2019 11:24:04 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator