| 21 Sep 2025 |
Vladimír Čunát | * I don't expect we even need libxml2 2.15 in 25.11 when it comes to it. | 11:47:53 |
Vladimír Čunát | 2.13 is still getting security fixes apparently, so I expect 2.14 can hold for several more months. | 11:48:36 |
Grimmauld (any/all) | we are manually backporting them, and only because there are things that insist on the old ABI | 11:52:02 |
Grimmauld (any/all) | if it were me we'd have dropped that long ago | 11:52:13 |
Grimmauld (any/all) | I do NOT want to repeat this backport hell on 25.11 | 11:52:22 |
Vladimír Čunát | 2.13 is getting security fixes upstream | 11:52:48 |
Vladimír Čunát | Released about a week ago:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/04af2cabb9f859c198b8a553c028a87481199410 | 11:53:15 |
Grimmauld (any/all) | it got 2.13.9 apparently last week. After like 15 other CVEs went unfixed for several months and we needed to do a manual backport | 11:53:25 |
Grimmauld (any/all) | so yes, that exists, but I am not confident this is something we can bet on for our release | 11:54:03 |
Grimmauld (any/all) | don't get me wrong, 2.13.9 is nice and we should absolutely pick that to 25.05 and drop our current patches on 25.11 where we have our own patches on top of 2.13.8. However, upstream already announced they'd only be maintaining libxml2 until the end of 2025. The libxslt maintainer said they'd step up for libxml2, but expecting them to carry along old versions is a bet that is quite dangerous. | 11:56:11 |
Grimmauld (any/all) | I am only willing to do it if you are the idiot volunteering to backport all the patches yourself if 2.14.x doesn't get backports! | 11:56:40 |
K900 | Actually a decent chance that I'll finish the rebuild today | 11:57:49 |
K900 | Somehow | 11:57:52 |
Vladimír Čunát | OK. I wasn't really following this long-term, just happened to see this 2.13.9. One possibility is always to piggy-back on some distro that takes security seriously (and happens to follow a particular package branch). | 11:59:17 |
Grimmauld (any/all) | Debian is still on ANCIENT versions with tens of patches. Fedora could work... | 12:02:12 |
Grimmauld (any/all) | I expect Arch to just yolo, either upgrading or not patching. That is the Arch way anyways, I have looked at this before. | 12:02:46 |
Grimmauld (any/all) | yeah, Arch already did 2.15.0 | 12:03:20 |
Grimmauld (any/all) | https://repology.org/project/libxml2/versions | 12:03:23 |
Grimmauld (any/all) | wait, even Fedora is still on 2.12 | 12:03:47 |
Vladimír Čunát | Fedora is 2.12?!
https://packages.fedoraproject.org/pkgs/libxml2/libxml2/ | 12:03:47 |
Grimmauld (any/all) | ugh | 12:03:48 |
Grimmauld (any/all) | Gentoo is patching along 2.13 | 12:04:27 |
Grimmauld (any/all) | and apparently 2.14 too | 12:04:42 |
Vladimír Čunát | * Ubuntu also doesn't go beyond 2.12 thus far. (just following Debian in here, I expect) | 12:04:44 |
Grimmauld (any/all) | so I guess we could fetch Gentoo | 12:04:50 |
Vladimír Čunát | Ah, they have a separate package after the ABI bump?
https://packages.ubuntu.com/questing/libxml2-16 | 12:05:58 |
Vladimír Čunát | It all looks like a mess. | 12:06:18 |
Grimmauld (any/all) | that's what I am saying | 12:06:55 |