
ius-community team mailing list archive

expat2 deprecation


# What is happening?

The IUS team will be deprecating the expat2 package in our repos.

# What is expat?

Expat is an XML parser library that is required to build python.  Python bundles version 2.1.0 with their source.  Traditionally, Fedora and Red Hat unbundle libraries whenever possible.  In the case of python, that means deleting the bundled expat and building against the system version.  However, expat in EL5 is only at version 1.95.8.  When the python27 package was created, it was decided that IUS should create and use expat2 as a separate package in order to stick with the practice of unbundling libraries.

# Why deprecate it?

To be frank, we haven't maintained expat2 as well as we should have.  Granted, there has only been one newer version released, but that version fixed two moderate CVEs.

* https://access.redhat.com/security/cve/CVE-2012-1148
* https://access.redhat.com/security/cve/CVE-2012-0876

EL5 is nearing the end of its life cycle.  Rather than devoting time to updating an EL5-only package, we decided that it would be more efficient to just allow python27 to use the bundled copy of expat on EL5.  This removes our dependency on the expat2 package and allows us to safely deprecate it.

# What does this mean to me?

The latest build of python27 (python27-2.7.9-3.ius) uses the bundled copy of expat on EL5.  EL6 servers with python27 installed will see no change.  EL5 servers with python27 installed will still have expat2 installed, but it will no longer be required, and can be safely removed.

If python27 was the only reason expat2 was installed on your system, we recommend that you remove expat2 after upgrading to python27-2.7.9-3.ius.  Unfortunately, yum does not automatically clean up old dependencies, so this will be a manual step.  Even if expat2 is left installed on your server, we believe you will not be vulnerable to those CVEs once there are no packages linking against its libraries.

# When?

The latest build of python27 (python27-2.7.9-3.ius) is available now in the IUS testing repos.  If you are using the ius-release package, you can apply the update with the following commands.

```
yum --enablerepo=ius-testing update python27
yum erase expat2
```
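Before running `yum erase expat2`, it is worth confirming that the installed python27 really uses its bundled expat rather than the expat2 shared library, by inspecting what the pyexpat extension module links against. This is an added shell example, not part of the IUS post; the module path and the sample `ldd` output below are assumptions.

```shell
#!/bin/sh
# Added example (not from the IUS post): decide whether python27's pyexpat
# module is dynamically linked against a separate libexpat shared object
# (the expat2 package) or carries the bundled copy compiled into itself.
# Assumed module path; adjust for your system.
PYEXPAT_SO="/usr/lib64/python2.7/lib-dynload/pyexpat.so"

# links_system_expat LDD_OUTPUT
# Returns 0 (true) when the ldd output lists a libexpat shared object,
# i.e. the module still depends on a system/expat2 library.
links_system_expat() {
    printf '%s\n' "$1" | grep -q 'libexpat\.so'
}

# expat2_removable LDD_OUTPUT
# Prints "yes" when no libexpat.so dependency is present (bundled copy in
# use, so expat2 is no longer needed here), "no" otherwise.
expat2_removable() {
    if links_system_expat "$1"; then
        echo no
    else
        echo yes
    fi
}

# Constructed sample ldd output resembling an older build linked to expat2.
OLD_LDD='linux-vdso.so.1 =>  (0x00007ffd1c3fe000)
	libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007f3a1c2b0000)
	libpython2.7.so.1.0 => /usr/lib64/libpython2.7.so.1.0 (0x00007f3a1be40000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3a1ba90000)'

# Constructed sample ldd output resembling a build with bundled expat.
NEW_LDD='linux-vdso.so.1 =>  (0x00007ffd1c3fe000)
	libpython2.7.so.1.0 => /usr/lib64/libpython2.7.so.1.0 (0x00007f3a1be40000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3a1ba90000)'

# Live check when the module exists on this host; otherwise show the samples.
if [ -r "$PYEXPAT_SO" ]; then
    echo "$PYEXPAT_SO: expat2 removable: $(expat2_removable "$(ldd "$PYEXPAT_SO")")"
else
    echo "sample old build: expat2 removable: $(expat2_removable "$OLD_LDD")"
    echo "sample new build: expat2 removable: $(expat2_removable "$NEW_LDD")"
fi
```

If the live check prints "no", some package is still linking against the separate libexpat and expat2 should stay until that package is updated.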

We will move this package to the stable repos on Monday 2015-03-02, and then anyone can get the updated package just by running `yum update`.  A few days later, we will move expat2 from the stable repos to the archive repos.

Carl George
Rackspace GNU/Linux Engineer