Monday, May 19, 2008

Re: [HACKERS] Link requirements creep

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Greg Smith <gsmith@gregsmith.com> writes:
> > When we noticed this recently, my digging suggested you'll be hard pressed
> > to have a RedHat system now without those two installed.
>
> Indeed, I've not heard any squawks from the field yet. It's still
> wrong though ...

Unsurprisingly, half the world in Debian also depends on libxml2, but I
agree 110% w/ Tom- it's wrong, and I feel it really ought to be fixed
regardless. It's entirely likely that there will come a time when it's
a less used library getting pulled in, too. I also personally hate
useless clutter in dependencies as it can cause package management
headaches.

After poking around a bit I did find a box that only pulled in libxml2
for subversion, and we've been talking about moving to a different SCM
(which don't appear to depend on libxml2), so it might eventually only
be pulled in by psql for us. Not a show-stopper, but it's also not
completely out of the question that it'll get pulled in unnecessarily.

Thanks,

Stephen

1 comment:

theunicycleguy said...

Has anyone read up about the vulnerabilities associated with libxml2?

I am trying to figure out which libxml2.dll version PostgreSQL uses so that potentially I can replace the vulnerable file that's in c/program files/postgresql/8.2.

Will replacing the current dll file with a newer libxml2 file screw up postgresql?