On Tue, 21 Oct 2025 17:41:51 -0400 David Malcolm <[email protected]> wrote:
> Ideally libgcobol would be dynamically linked against a "system copy"
> of libxml2, at which point the mitigation story for the user becomes:
> update the system copy of libxml2

That is the plan, yes, to the extent we control it. When building libgcobol, the command line includes "-lxml2". How the linker finds it, and whether or not it's the "system copy" is above my pay grade. ;-)

> Sorry if it seems either like (a) I'm picking on you

Not at all.

> hesitate to accept libxml2 as a mandatory dependency for all of
> gcc

I would, too. It's a mandatory component of the runtime library of an optional language, which technically makes it the lesser weevil.

Of course it could be made optional. But that doesn't make the user's life better. If libxml2 is excluded at install time -- perhaps by the packager -- then the user goes along merrily until he tries to use the syntax. It's a lousy experience.

To me, it's safe to assume that corporate security policy deals with this stuff all the time. Right now, we have users who *want* this feature. If in the future we have users who specifically want to ban it, well, not for nothing it's called free software.

--jkl
