On 2023-03-05 13:25, Marco Atzeri via Cygwin wrote:
> On 05.03.2023 20:24, Brian Inglis via Cygwin wrote:
>> [Xpost to cygwin in case apps not monitored]
>> On 2023-03-05 08:00, Marco Atzeri via Cygwin-apps wrote:
>>> On 13.02.2022 21:34, Brian Inglis wrote:
>>>> [posting to apps to be less public]
>>>> https://nvd.nist.gov/vuln/detail/CVE-2022-23990
>>>> expat < 2.4.4
>>
>>> ping ?
>>> In addition the cmake import library have some issues also
>>
>> Been a year since I hinted!
>>
>> Fixed releases build okay for me 2.4.1/5/9 up to current 2.5.0.
>> See:
>>
>>      https://cygwin.com/cgi-bin2/jobs.cgi?id=5541
>>      https://github.com/cygwin/scallywag/actions/runs/4337543797
>> https://github.com/cygwin/scallywag/actions/runs/4337543797/jobs/7573650090
>>
>> What are you seeing?

> building latest gdal I was forced to add a line on expact.c
> $ grep private  /usr/lib/pkgconfig/expat.pc
> Libs.private: -liconv

Do not see any need for libiconv/-devel in any expat? See attached.

> and move away
> /usr/lib/make/expat-2.4.1
> as the settings are wrong and cmake complains about missing files
> $ grep -H "so.1" *.cmake
> expat-noconfig.cmake:  IMPORTED_LOCATION_NOCONFIG 
> "${_IMPORT_PREFIX}/lib/libexpat.so.1.8.1"
> expat-noconfig.cmake:  IMPORTED_SONAME_NOCONFIG "libexpat.so.1"
> expat-noconfig.cmake:list(APPEND _IMPORT_CHECK_FILES_FOR_expat::expat 
> "${_IMPORT_PREFIX}/lib/libexpat.so.1.8.1" )

Fixed in 2.5.0 - see attached.

> If Doug does not reply, are you considering to adopt expat ?

No - I do not use it and do not maintain anything which uses it:

$ cygcheck-dep -qn libexpat{1,-devel} expat
  libexpat1: is needed for ( avahi cmake dbus dbus-bash-completion dri-drivers 
expat gdb git graphviz lftp libaprutil1 libexpat-devel libfontconfig1 libgdal20 
libgdal26 libgdal28 libgdal29 libgdal30 libgdal31 libgvc6 libwx_baseu2.8_0 
perl-XML-Parser python27 python36 python37 python38 python39 rats subversion 
tcl-tcldot )
  libexpat-devel: is needed for ( libfontconfig-devel )
  expat: is needed for ( )

If Doug does not have time, you seem the most appropriate candidate, as cmake, 
gdal, python maintainer, if you could manage? Or put out a CFA on apps?

For testing your latest builds, just pull source, and change VERSION=2.5.0, add 
LICENSE=MIT, and BUILD_REQUIRES="gettext-devel docbook2X" in case the former is 
needed, as there are .Po files used: not sure if po4a should also be added for 
other files?

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry