On 5/9/14, 12:15 PM, "Sam Hartman" <[log in to unmask]> wrote:
>The policy I was given was to use system libraries where possible.
>epel has xmlsec 1.6.0.
I consider only what ships with the OS and what yum references out of the
box as the system, but YMMV. (My build of Xerces was just an error, I
would have used 3.0 as shipped.)
BTW, unless it contains the fixes backported from 1.7.x, that's a big
security issue (I don't know who's maintaining that or what they know
about), so you probably would want to verify that.
>so, they may be sitting on a time bomb in that the next rebuild may
>break their ABI?
Could be, yes. I could also be mis-remembering when GCM appeared, but
that's my recollection. I know 1.0.1 doesn't break the 1.0.0 ABI in
OpenSSL, supposedly, but I guess they did that by some pretty careful
management, since they added a *lot* of big features in 1.0.1 (TLS
1.1/1.2, GCM).
>If that's not true, we could just get them to rebuild.
>Although I don't know what policies they use for what they build against.
>If that is true, they are about to have a kind of annoying mess on their
>hands next time they update xmlsec.
Yes, this has been a very unusual situation for a Red Hat build, and as I
said so far I've been immunized from it by the OBS being slow to adopt.
But I don't currently depend on any C++ packages that I don't supply
myself (boost aside), so I haven't had to address it.
-- Scott