| 21 Sep 2025 |
 Grimmauld (any/all) | it got 2.13.9 apparently last week. After like 15 other CVEs went unfixed for several months and we needed to do manual backport | 11:53:25 |
| Grimmauld (any/all) | so yes, that exists, but i am not confident this is something we can bet on for our release | 11:54:03 |
| Grimmauld (any/all) | don't get me wrong, 2.13.9 is nice and we should absolutely pick that to 25.05 and drop our current patches on 25.11 where we have our own patches on top of 2.13.8. However, upstream already announced they'd only be maintaining libxml2 until the end of 2025. The libxslt maintainer said they'd step up for libxml2, but expecting them to carry along old versions is a bet that is quite dangerous. | 11:56:11 |
| Grimmauld (any/all) | I am only willing to do it if you are the idiot volunteering to backport all the patches yourself if 2.14.x doesn't get backports! | 11:56:40 |
 K900 | Actually a decent chance that I'll finish the rebuild today | 11:57:49 |
 vcunat | OK. I wasn't really following this long-term, just happened to see this 2.13.9. One possibility is always to piggy-back on some distro that takes security seriously (and happens to follow a particular package branch). | 11:59:17 |
| K900 | Somehow | 11:57:52 |
| Grimmauld (any/all) | debian is still on ANCIENT versions with tens of patches. Fedora could work... | 12:02:12 |
| Grimmauld (any/all) | i expect arch to just yolo, either upgrading or not patching. That is the arch way anyways, i have looked at this before. | 12:02:46 |
| Grimmauld (any/all) | yeah arch already did 2.15.0 | 12:03:20 |
| Grimmauld (any/all) | https://repology.org/project/libxml2/versions | 12:03:23 |
| Grimmauld (any/all) | wait even fedora is still on 2.12 | 12:03:47 |
| vcunat | Fedora is 2.12 ?!
https://packages.fedoraproject.org/pkgs/libxml2/libxml2/ | 12:03:47 |
| Grimmauld (any/all) | ugh | 12:03:48 |
| vcunat | Ubuntu also doesn't go beyond 2.12. | 12:04:20 |
| vcunat | * Ubuntu also doesn't go beyond 2.12 thus far. | 12:04:25 |
| Grimmauld (any/all) | gentoo is patching along 2.13 | 12:04:27 |
| Grimmauld (any/all) | and apparently 2.14 too | 12:04:42 |
| vcunat | * Ubuntu also doesn't go beyond 2.12 thus far. (just following Debian in here, I expect) | 12:04:44 |
| Grimmauld (any/all) | so i guess we could fetch gentoo | 12:04:50 |
| vcunat | Ah, they have a separate package after the ABI bump?
https://packages.ubuntu.com/questing/libxml2-16 | 12:05:58 |
| vcunat | It all looks like a mess. | 12:06:18 |
| Grimmauld (any/all) | thats what i am saying | 12:06:55 |
| Grimmauld (any/all) | i don't want to carry more than necessary | 12:07:04 |
| vcunat | Too new version can also create work, as you see, but the security maintenance work is hard to predict. Though recently they did have lots of CVEs. | 12:10:06 |
| vcunat | Anyway, if you think 2.15 will be better, I certainly don't oppose that. | 12:10:49 |
| K900 | So who's getting sniped into writing multilib stdenv for 26.05 | 12:22:22 |
| K900 | (please don't be me) | 12:22:29 |
| K900 | (this message is brought to you by pandoc-i686-linux) | 12:24:03 |
 emily | I trust containers org | 13:11:42 |
