Discussion:
expat vs libxml2
Nick Kew
2013-09-03 12:03:42 UTC
Igor recently pinged me on IRC to ask about switching
trafficserver's expat use to libxml2. There's a rationale
about libxml2 being a dependency for a range of plugins,
so why not use a single XML parser for everything?

A quick grep reveals that expat is only used in two places
and that its use is extremely brief and straightforward.
I attach a trivial proof-of-concept for switching that to
libxml2. The use of ugly developer #ifdefs can of course
be refined to a working configuration option to select either
expat or libxml2 if folks think it's a worthwhile exercise.

I don't think this is the best way to switch: it's just
what I could hack OTTOMH without having to resort to TFM.

Note that a switch to libxml2 could be the basis for further
development, including probably a switch to use libxml2's
DOM in place of TrafficServer's homebrew partial document
tree. But I'm not volunteering to do that anytime soon.
--
Nick Kew
Leif Hedstrom
2013-09-03 15:12:54 UTC
Post by Nick Kew
Igor recently pinged me on IRC to ask about switching
trafficserver's expat use to libxml2. There's a rationale
about libxml2 being a dependency for a range of plugins,
so why not use a single XML parser for everything?
Seems reasonable to me. One comment: Do we really need to keep the expat #ifdef in the code? I'd be draconian and say we only support libxml2 (there can't be any platforms we support that don't have libxml2?).

Cheers,

-- Leif
Yongming Zhao
2013-09-03 16:53:37 UTC
AFAIK, libXML2 is a very heavy lib that may include many more dependency issues; for example, it will bind to the ICU library. The upgrading of libxml2 always makes me unhappy on Gentoo.

Can we try to add xml2 as a configure option?
Post by Leif Hedstrom
Post by Nick Kew
Igor recently pinged me on IRC to ask about switching
trafficserver's expat use to libxml2. There's a rationale
about libxml2 being a dependency for a range of plugins,
so why not use a single XML parser for everything?
Seems reasonable to me. One comment: Do we really need to keep the expat #ifdef in the code? I'd be draconian and say we only support libxml2 (there can't be any platforms we support that don't have libxml2?).
Cheers,
-- Leif
Leif Hedstrom
2013-09-03 16:56:07 UTC
Post by Yongming Zhao
AFAIK, libXML2 is a very heavy lib that may include many more dependency issues; for example, it will bind to the ICU library. The upgrading of libxml2 always makes me unhappy on Gentoo.
Can we try to add xml2 as a configure option?
Is there a gain / purpose of allowing both? It seemed to me the point of this change was simplification; adding a double code path is the opposite of simplification, to me at least :).

-- Leif
Yongming Zhao
2013-09-03 17:08:09 UTC
Another concern is the security of libXML2. I just grepped the security focus list; it shows at least 3 security updates for 2013.

I don't know much on the XML indeed

just FYI

thanks
Post by Leif Hedstrom
Post by Yongming Zhao
AFAIK, libXML2 is a very heavy lib that may include many more dependency issues; for example, it will bind to the ICU library. The upgrading of libxml2 always makes me unhappy on Gentoo.
Can we try to add xml2 as a configure option?
Is there a gain / purpose of allowing both? It seemed to me the point of this change was simplification; adding a double code path is the opposite of simplification, to me at least :).
-- Leif
Leif Hedstrom
2013-09-03 17:19:08 UTC
Post by Yongming Zhao
Another concern is the security of libXML2. I just grepped the security focus list; it shows at least 3 security updates for 2013.
I don't know much on the XML indeed
Valid points. I guess I should clarify how I feel about this: If we're moving from expat to libxml2, let's do it universally. If we don't think libxml2 is the better choice, we should do the opposite and see what we can do to avoid the dependencies on libxml2 (e.g. is there a better alternative to hwloc?).

-- leif
Nick Kew
2013-09-03 17:51:16 UTC
Post by Yongming Zhao
Another concern is the security of libXML2. I just grepped the security focus list; it shows at least 3 security updates for 2013.
It's a lot bigger and more complex than expat!

Plan A: make it a configuration option.

You could take a look at what I did with APR, which was
a more complex job than TS!
--
Nick Kew
Fox, Kevin M
2013-09-03 17:39:27 UTC
Frequency of security updates alone isn't enough to tell if it's got good or bad security behind it. Time between discovery and fix is a major factor.

Kevin

-----Original Message-----
From: Leif Hedstrom [***@apache.org]
Sent: Tuesday, September 03, 2013 10:20 AM Pacific Standard Time
To: ***@trafficserver.apache.org
Subject: Re: expat vs libxml2
Post by Yongming Zhao
Another concern is the security of libXML2. I just grepped the security focus list; it shows at least 3 security updates for 2013.
I don't know much on the XML indeed
Valid points. I guess I should clarify how I feel about this: If we're moving from expat to libxml2, let's do it universally. If we don't think libxml2 is the better choice, we should do the opposite and see what we can do to avoid the dependencies on libxml2 (e.g. is there a better alternative to hwloc?).

-- leif