[xmlsec] building without DTD validation support in libxml

Bernd Becker bb at bernd-becker.de
Thu May 12 06:20:39 PDT 2005

OK, I understand your concern. It seems that the xmlsec library doesn't use 
of the DTD validation stuff directly. But a conformant application would 
need to.
In my case I am generating very "simple" xml signatures and I don't need it.
But I can live either with compiling libxml with dtd-validation (only about 
size difference of the library) or with building just the xmlsec library 
the apps).
By the way, this is how I am building libxml for my xmlsec application 
(dsig only):
    --with-catalog=no \
    --with-debug=no \
    --with-docbook=no \
    --with-ftp=no \
    --with-html=no \
    --with-http=no \
    --with-iconv=no \
    --with-legacy=no \
    --with-pattern=no \
    --with-python=no \
    --with-schemas=no \
    --with-xinclude=no \
    --with-zlib=no \
    --with-modules=no \
    --with-regexps=no \
Do you see other "conformancy" problems with that?


--On Thursday, May 12, 2005 08:17:06 -0400 Daniel Veillard 
<veillard at redhat.com> wrote:

> On Thu, May 12, 2005 at 12:48:01PM +0200, Bernd Becker wrote:
>> Hi again,
>> I am trying to build a "minimal" version of libxml and xmlsec, as I just
>> need
>> some of the xmldsig stuff.
>> So I compiled libxml2 with configure --with-valid=no (i.e. without DTD
>> validation support). Building the xmlsec application fails (the lib
>> builds  fine):
>> xmlsec.o(.text+0x1cc5): In function `xmlSecAppXmlDataCreate':
>> xmlsec1-1.2.8/apps/xmlsec.c:2453: undefined reference to `xmlParseDTD'
>> xmlsec.o(.text+0x1d3f):xmlsec1-1.2.8/apps/xmlsec.c:2463: undefined
>> reference to `xmlValidateDtd'
>> So I conditionally exclude the code around "dtdFileParam" with
>> ifdef LIBXML_VALID_ENABLED, which is picked up from libxml/xmlversion.h.
>> Of course this causes all tests (with make check) that use --dtd-file
>> to fail.
>> Is that OK?
>   Seems you're then building a non-conformant library, and if that's the
> case it should be forbidden. xmlsec needs DTD to have a conformant XPath
> implementation, which in turn is needed to have a conformant xmlsec
> implementation -this is a guess I didn't look precisely- and in that
> case I would prefer to see a compilation error than non-compliant build
> spreading around (guess who whould take the heat if people start to
> complain about the divergence from the standard.)
> Daniel

More information about the xmlsec mailing list