On Tue, May 15, 2018 at 14:21:07 +0100, Daniel Berrange wrote: > On Tue, May 15, 2018 at 03:05:55PM +0200, Peter Krempa wrote: > > On Fri, May 11, 2018 at 14:59:04 +0200, Ján Tomko wrote: > > > Yajl has not seen much activity upstream recently. > > > > [0] > > [snip] > > [0] For anyone following current meme trends, this looks like it's > > relevant to our YAJL->janson switch: > > > > https://i.redditmedia.com/J46fZN24lFx3fMRlJNpkNEOFqU79zWTsRDBMla1u0HE.jpg?s=4757d31d1cbd758962407917e0d3aacb > > If you think we should stay with YAJL because it "just works" then > take a look at the bug reports against it upstream > > https://github.com/lloyd/yajl/issues > > double frees, memory leaks, parser gets stuck after parsing bad JSON, etc > all ignored for years. The robustness of the JSON parser we use is > critical to the security of the libvirt QEMU driver. I'm not saying > janson is perfect, but it is at least maintained, so when problem in > it as discovered, there's a real possibility to get them fixed, instead > of ignored with the YAJL abandonware. No. I agree with the change, but "having serious flaws" is slightly different than "not very active upstream".
Attachment:
signature.asc
Description: PGP signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
