Re: [xml] correct version of libxml2

[Jonah Petri <jpetri izotope com>]

On Apr 29, 2011, at 9:55 AM, Daniel Veillard wrote:

> On Tue, Apr 26, 2011 at 10:22:20AM -0400, Jonah Petri wrote:
> > Just out of curiousity - it _should_ be ok to call this within a
> > library on a statically linked copy of libxml2, right?
>
>  I have never heard of a static embedding of libxml2 in a shared
> library. This may still fail, depending on how the linker works,
> if another library uses libxml2 and the linker finds it withon yours
> the problem is the same.
>  In general embedding statically is a bad idea, any security errata
> touching libxml2 would need fixing in all the statically compiled
> places too, people try very hard to avoid it. I think open office
> used to do this and we tried to make sure distro fixed this (a long
> time ago, just to give an example).

Hi Daniel,

Thanks for the reply.  We're building audio DSP plugins, and we've learned (through experience) that the 
programs hosting our plugins are fairly hostile environments, so we've tried to be maximally defensive.  This 
includes statically linking copies of the small number of 3rd party libraries which we make use of (including 
libxml2).  We do take care to have our link step hide all of the libxml2 symbols, to prevent the runtime 
linker from seeing them at all.  I did this to avoid exactly the sort of problem you were mentioning, and it 
works.  As for the security errata issue, that's definitely true, but the risk in our use case is small, as 
only local FS files are processed.  There is still some risk, however.

Thanks for all your work on libxml2!
Jonah