Re: libxml2 author overwhelmed with security requests - Mailing list pgsql-hackers

From Sandeep Thakkar
Subject Re: libxml2 author overwhelmed with security requests
Date
Msg-id CANFyU97ka5aQH0ZWckaT6R=ctq7FOqzuY0TGuuNDh0--Nhb-AQ@mail.gmail.com
List pgsql-hackers


On Fri, Jun 20, 2025 at 2:42 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Pavel Stehule <pavel.stehule@gmail.com> writes:
> > Own implementation of SQL/XML generating functions like XMLFOREST or
> > XMLELEMENT should not be too
> > difficult. Significantly more difficult problem is parsing of XML (more
> > with namespaces), although some basic
> > support for XMLTABLE should not be too hard too.
>
> I don't think anybody really wants to roll our own XML parser.
>
> > Isn't possible to call Rust code from C? Then maybe there are some
> > possibility from Rust world
> > https://github.com/ballsteve/xrust
>
> Maybe.  I think the fundamental problem here, similar to what we've
> run into elsewhere, is that we chose a library to depend on without
> thinking hard enough about whether it would be well-supported in the
> long run.  I see little reason to think that that risk would be less
> for some random not-written-in-C implementation.  If we want to
> jump ship away from libxml2, we had better ask hard questions about
> the new choice.

Also, libxslt depends on libxml2, and there is no maintainer now after the
recent commits done to remove the existing ones:
https://gitlab.gnome.org/GNOME/libxslt/-/commit/c8b1ea4b89a9b81fa611f32c80f47df0c3b3b004
https://gitlab.gnome.org/GNOME/libxslt/-/commit/923903c59d668af42e3144bc623c9190a0f65988


>                         regards, tom lane




--
Sandeep Thakkar

