tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [Patch] Switch nvi from bundled regex to tre

On 15.11.2017 23:40, Rin Okuyama wrote:
> On 2017/11/15 16:08, Rin Okuyama wrote:
>> On 2017/11/15 15:46, Kamil Rytarowski wrote:
>>> While there we might sync up with upstream tre from:
>>> Including feeding up local changes as noted in doc/3RDPARTY.
>> Thank you for your comments.
>> I will sync it with upstream before installing headers.
>> Also, I will send pull-request.
> Hmm, the upstream has not been actively updated for this past
> few years. Critical bugs including CVE-2016-8859 left untouched.
> DragonFly and Apple, who use tre as their regex routines in libc,
> also leave the CVE. On the other hand, musl libc aggressively
> fixes bugs.
> How about taking fixes from musl, after syncing with the latest
> official upstream? Whereas musl itself is in the MIT license,
> but, of course, files from tre are kept in the BSD license.
> I'd like to merge their fixes except for nonstandard extensions
> to regular expressions. How do you think about it?
> rin

Sounds good,

I noted that upstream (in GitHub repo) is open to patches. Best to keep
a local diff that has a minimal delta with upstream.

Attachment: signature.asc
Description: OpenPGP digital signature

Home | Main Index | Thread Index | Old Index