the-real-blackh / hexpat

A general purpose Haskell XML library using Expat to do its parsing
BSD 3-Clause "New" or "Revised" License

Please add compile switch to bypass bundled Expat #8

Closed hartwork closed 7 years ago

hartwork commented 7 years ago

Sorry, it's me again :)

Would it be possible to add a compile switch to use the systemwide installation of Expat during compilation rather than the bundle? Or to resolve the bundle altogether? Linux distros try to unbundle dependencies for security and other reasons and there is an actual demand for that with hexpat. Is this technically possible with hexpat?

Thanks and best, Sebastian

the-real-blackh commented 7 years ago

It should be possible, and I'm happy for that change. We could even make it the default. I can get to it some time. If you want it soon, feel free to send me a patch.

hartwork commented 7 years ago

I know very little about Haskell and Cabal so a fix would take me a considerable amount of time, by myself. I'd be happy to team up about it though.

the-real-blackh commented 7 years ago

Don't worry - I don't think it's too difficult (for me). I'll sort it out soon.

hartwork commented 7 years ago

That would rock the house 😄

the-real-blackh commented 7 years ago

Fixed in http://hackage.haskell.org/package/hexpat-0.20.12

blackh@amentet:~/src/hexpat$ cat test.sh
#!/bin/sh -e
cabal install $@
cd test
cabal configure
cabal build
ldd dist/build/testsuite/testsuite
blackh@amentet:~/src/hexpat$ ./test.sh 2>&1 | tail -10
Linking dist/build/testsuite/testsuite ...
    linux-vdso.so.1 =>  (0x00007ffc3113f000)
    libexpat.so.1 => /lib/x86_64-linux-gnu/libexpat.so.1 (0x00007ff8ca7af000)
    libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007ff8ca52f000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007ff8ca225000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007ff8ca01d000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff8c9e19000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff8c9bfb000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff8c9832000)
    /lib64/ld-linux-x86-64.so.2 (0x000055f9cecc5000)
blackh@amentet:~/src/hexpat$ ./test.sh -f bundle 2>&1 | tail -10
[7 of 7] Compiling Main             ( suite/TestSuite.hs, dist/build/testsuite/testsuite-tmp/Main.o ) [Text.XML.Expat.Cursor.Tests changed]
Linking dist/build/testsuite/testsuite ...
    linux-vdso.so.1 =>  (0x00007ffe8e5af000)
    libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fa0bd94d000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fa0bd644000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa0bd43b000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa0bd237000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa0bd01a000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa0bcc50000)
    /lib64/ld-linux-x86-64.so.2 (0x000055803ef7d000)
blackh@amentet:~/src/hexpat$

Test suite passes without bundling.
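The `ldd` check from the comment above can be turned into a build gate. This is an added example, not part of the original thread or of hexpat; the function names are hypothetical and the sample input is constructed from the two `ldd` listings shown above.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a binary obtains libexpat,
# based on `ldd` output. Function names are hypothetical.

# Read `ldd` output on stdin and print one of:
#   system:<path>  libexpat is a dynamic dependency and the loader resolved it
#   missing        libexpat is a dynamic dependency but was not found
#   not-dynamic    no libexpat entry: a bundled (compiled-in) copy, or unused
expat_linkage() {
    awk '
        $1 ~ /^libexpat\.so(\.[0-9]+)*$/ && $2 == "=>" {
            if ($3 == "not" && $4 == "found") { print "missing"; seen = 1; exit }
            if ($3 ~ /^\//) { print "system:" $3; seen = 1; exit }
        }
        END { if (!seen) print "not-dynamic" }
    '
}

# Gate for a build script: succeed only if BINARY loads the system libexpat.
# Run ldd only on binaries you built yourself; for untrusted files inspect
# the dynamic section with `objdump -p` instead.
require_system_expat() {
    linkage=$(ldd "$1" 2>/dev/null | expat_linkage)
    case $linkage in
        system:*) echo "$1: $linkage"; return 0 ;;
        *) echo "$1: libexpat is $linkage, expected the system library" >&2
           return 1 ;;
    esac
}

# Sample input constructed from the two ldd listings in the comment above.
sample_default_build() {
    cat <<'EOF'
    linux-vdso.so.1 =>  (0x00007ffc3113f000)
    libexpat.so.1 => /lib/x86_64-linux-gnu/libexpat.so.1 (0x00007ff8ca7af000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff8c9832000)
EOF
}
sample_bundle_build() {
    cat <<'EOF'
    linux-vdso.so.1 =>  (0x00007ffe8e5af000)
    libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fa0bd94d000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa0bcc50000)
EOF
}

echo "default build:   $(sample_default_build | expat_linkage)"
echo "-f bundle build: $(sample_bundle_build | expat_linkage)"
```

In a packaging script, `require_system_expat dist/build/testsuite/testsuite` would fail the build whenever the bundled copy was compiled in.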

hartwork commented 7 years ago

Very nice! Cool that it's off by default.

How does cabal know that -f translates to activation of flag bundle? Could you maybe add a scary warning to "Use bundled libexpat", e.g. "Use bundled libexpat (not a good idea for production, think security updates)" or something along those lines?

I also noticed that -DHAVE_MEMMOVE -DXML_NS -DXML_DTD is missing out on the high quality sources of entropy like getrandom and arc4random_buf that Expat 2.2.1 added support for. Normally a run of ./configure detects availability of these but I guess it's going to be hard to make anything close work here? What platforms does hexpat support to be compiled for?

the-real-blackh commented 7 years ago

To activate the bundled version, you have to type:

cabal install -f bundle hexpat

That turns the bundle flag on. We can run configure in Haskell. I'll find some time and do some work on improving that. The reason why I bundled it was because otherwise installing hexpat is a total headache on Windows. When bundled, it works perfectly on every platform except Javascript.

hartwork commented 7 years ago

> cabal install -f bundle hexpat

I overlooked bundle here previously, sorry.

> We can run configure in Haskell. I'll find some time and do some work on improving that. The reason why I bundled it was because otherwise installing hexpat is a total headache on Windows.

Okay cool! Since you mention Windows, if configure integration turns out painful, maybe adding something like this (to a new compiled file?) would work as well:

#ifndef _WIN32
# error Use of Expat bundle is limited to Windows for security reasons (see issue #8); please use system-wide Expat instead.
#endif

Just an idea :)

> When bundled, it works perfectly on every platform except Javascript.

Except JavaScript? Can you elaborate?

the-real-blackh commented 7 years ago

libexpat isn't written in Javascript, so it doesn't compile on Javascript (GHCJS). Every other platform supported by GHC is C-based.