What to do about Xalan?

Ferenc Wágner wferi at niif.hu
Fri Jan 6 21:54:06 GMT 2023


"Cantor, Scott" <cantor.2 at osu.edu> writes:

> Unfortunately, it appears Debian's SP packaging builds xml-security-c
> against Xalan. That is a bad idea, though I understand why someone
> might have done it.

Hi Scott,

Thanks for providing such a detailed report on the issue.  As far as I
remember, Xalan support was added to xml-security-c just for the sake of
completeness, at least I found no report requesting it.  Moreover, the
only reverse dependency of libxml-security-c within Debian is
Shibboleth, so we could risk pulling support...  If only the freeze
wasn't so damn close.  Does this break ABI for consumers not using
XPath/XSLT support (like Shibboleth)?

> or perhaps add a split package and have the SP depend on the "without"
> one?

xml-security-c-lite would indeed be doable, if it turns out we can't rip
Xalan support entirely.

> But I will probably get working on a patch to lock out the attack
> vector in xmltooling so if you prefer to wait for that, that's not the
> end of the world.

That would certainly be smoother, but on the other hand it would bring
us one more Debian stable release with xml-security-c linked with Xalan,
which may cause problems down the road.  The upcoming patches will be
useful anyway for fortifying current stable and oldstable releases
(which still have security support).
-- 
Regards,
Feri.
