Red Hat Bugzilla – Full Text Bug Listing
|Summary:||xqilla blatantly includes its own copy of xerces|
|Product:||[Fedora] Fedora||Reporter:||Toshio Ernie Kuratomi <a.badger>|
|Component:||xqilla||Assignee:||Jonathan Robie <jonathan.robie>|
|Status:||CLOSED RAWHIDE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||carl.gaudreault, extras-orphan, gsim, john.snelson, lemenkov|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2010-03-08 18:11:53 EST||Type:||---|
Description Toshio Ernie Kuratomi 2010-01-15 12:19:15 EST
Description of problem:
xqilla includes its own version of the xerces source as a second Source: line in the spec file. The packaging Guidelines are very clear that this is not allowed:
https://fedoraproject.org/wiki/Packaging:Guidelines#Duplication_of_system_libraries
https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries

Additionally:
The latest XQilla, xqilla-2.2.3 has this in the configure.in:

    if test "$xerces_version_major" -lt "3" -a "$xerces_source_tree" = "no"; then
      AC_MSG_ERROR([For Xerces-C versions before 3.0 the source tree is required to build XQilla. You must specify the path to the Xerces-C source tree using --with-xerces.])
    fi

So it looks like the latest xqilla and xerces-3.x can fix this problem.

Note that the latest entry in our xerces-c package says: Our Xerces package has this as its most recent changelog:

    * Thu Aug 06 2009 Peter Lemenkov <email@example.com> 2.8.0-5
    - Fix CVE-2009-1885

Which mitre.org says is an application crash DOS. This is not addressed in the version of xerces that xqilla bundles.
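The kind of check that catches the situation reported above, a second Source: line carrying a library the distribution already packages, shown as an added example that is not part of the original report or of any Fedora tooling. The library map, the spec fragment, its versions and its URLs are all constructed placeholders.

```python
import re

# Assumption: illustrative map of system libraries to upstream tarball prefixes.
SYSTEM_LIBS = {"xerces-c": ("xerces-c",), "zlib": ("zlib-",)}

TAG_RE = re.compile(r"^(Name|Version)\s*:\s*(\S+)", re.I)
DEF_RE = re.compile(r"^%(?:global|define)\s+(\w+)\s+(\S+)")
SRC_RE = re.compile(r"^Source(\d*)\s*:\s*(\S+)", re.I)
MACRO_RE = re.compile(r"%\{\??(\w+)\}")

def find_bundled_sources(spec_text, system_libs=SYSTEM_LIBS):
    """Return (tag, tarball, library) for each Source line that ships a
    library already packaged separately on the system."""
    macros, sources = {}, []
    for line in map(str.strip, spec_text.splitlines()):
        if m := TAG_RE.match(line):
            macros[m.group(1).lower()] = m.group(2)
        elif m := DEF_RE.match(line):
            macros[m.group(1)] = m.group(2)
        elif m := SRC_RE.match(line):
            sources.append(("Source" + (m.group(1) or "0"), m.group(2)))
    findings = []
    for tag, url in sources:
        # Expand simple %{macro} references so the file name can be compared.
        expanded = MACRO_RE.sub(lambda m: macros.get(m.group(1), m.group(0)), url)
        tarball = expanded.rsplit("/", 1)[-1]
        for lib, prefixes in system_libs.items():
            # A package shipping its own upstream tarball is not a finding.
            if lib != macros.get("name") and tarball.lower().startswith(prefixes):
                findings.append((tag, tarball, lib))
    return findings

# Constructed spec fragment; versions and URLs are placeholders.
SAMPLE_SPEC = """\
Name:           xqilla
Version:        0.0.0
Source0:        http://downloads.example.org/XQilla-%{version}.tar.gz
Source1:        http://downloads.example.org/xerces-c-src_X_Y_Z.tar.gz
BuildRequires:  xerces-c-devel
"""

if __name__ == "__main__":
    for tag, tarball, lib in find_bundled_sources(SAMPLE_SPEC):
        print(f"{tag}: {tarball} bundles system library {lib}")
```

A hit only says the tarball is carried in the source package; whether the bundled copy has the same security fixes as the system package still has to be compared by hand.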
Comment 1 Carl G. 2010-01-15 16:32:45 EST
Thank you for taking the time to file this bug report. Since it's against the packaging guideline, devel-list has been notified.
http://lists.fedoraproject.org/pipermail/devel/2010-January/129283.html

---
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 2 Jonathan Robie 2010-01-19 08:52:35 EST
XQilla can use any version of Xerces >= 2.8, but versions earlier than Xerces 3.0 require additional header files not provided by Xerces (these are shipped with Xerces as of 3.0). I propose to fix this by adding the needed headers if the Xerces version is < 3.0, or using the installed Xerces otherwise. In either case, XQilla will not use a private copy of Xerces.
Comment 3 Toshio Ernie Kuratomi 2010-01-21 11:46:46 EST
From John Snelson in Bug#511425

In order to build XQilla 2.2.3 against Xerces-C 2.8 (or any version before 3.0), XQilla requires the following (formerly) private headers:

xercesc/dom/impl/DOMAttrImpl.hpp
xercesc/dom/impl/DOMCasts.hpp
xercesc/dom/impl/DOMDocumentImpl.hpp
xercesc/dom/impl/DOMDocumentTypeImpl.hpp
xercesc/dom/impl/DOMElementNSImpl.hpp
xercesc/dom/impl/DOMNodeImpl.hpp
xercesc/dom/impl/DOMRangeImpl.hpp
xercesc/dom/impl/DOMTypeInfoImpl.hpp
xercesc/dom/impl/DOMWriterImpl.hpp

Packaging XQilla along with these headers from Xerces-C should allow a stand alone build without the Xerces-C source code (ie: from a normal install of Xerces-C).
Comment 4 Toshio Ernie Kuratomi 2010-01-21 12:51:15 EST
I've been talking with jrobie. We have two options open to us:

1) update xerces-c to 3.x and then xqilla will build without a bundled version of the library. This is what we want to do for rawhide. It may mean that packages already in Fedora either need to port or we may need a compat package: http://xerces.apache.org/xerces-c/migrate-archive-3.html

2) pull just the private header files from John Snelson's list into xqilla and build with those. This might be better for EL-5 and F-11/F-12 since moving to xerces-c-3 would be discouraged for a released Fedora (and more strictly discouraged for EPEL).