On Tue, May 15, 2018 at 03:23:17PM +0200, Peter Krempa wrote:
On Tue, May 15, 2018 at 14:21:07 +0100, Daniel Berrange wrote:
On Tue, May 15, 2018 at 03:05:55PM +0200, Peter Krempa wrote:
On Fri, May 11, 2018 at 14:59:04 +0200, Ján Tomko wrote:
Yajl has not seen much activity upstream recently.
[0]
[snip]
[0] For anyone following current meme trends, this looks like it's relevant to our YAJL->janson switch:
https://i.redditmedia.com/J46fZN24lFx3fMRlJNpkNEOFqU79zWTsRDBMla1u0HE.jpg?s=...
If you think we should stay with YAJL because it "just works" then take a look at the bug reports against it upstream
https://github.com/lloyd/yajl/issues
double frees, memory leaks, parser gets stuck after parsing bad JSON, etc all ignored for years. The robustness of the JSON parser we use is critical to the security of the libvirt QEMU driver. I'm not saying janson is perfect, but it is at least maintained, so when problem in it as discovered, there's a real possibility to get them fixed, instead of ignored with the YAJL abandonware.
No. I agree with the change, but "having serious flaws" is slightly different than "not very active upstream".
I don't think that makes much difference. All non-trivial software has serious flaws, especially if written in memory-unsafe languages like C. The only question is whether the flaws have been found yet. Given that, whether there is an active upstream maintaining it, is a key factor to decide whether to continue using something. The fact that we already see significant unfixed flaws just reinforces how important it is to have an active upstream. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|