expat: Add latest release 2.4.6 with a regression fix

[hartwork]

No description provided.

[spackbot-app]

Hi @hartwork! I noticed that the following package(s) don't yet have maintainers:

• expat

Are you interested in adopting any of these package(s)? If so, simply add the following to the package class:

    maintainers = ['hartwork']

If not, could you contact the developers of this package and see if they are interested? You can quickly see who has worked on a package with spack blame:

$ spack blame expat

Thank you for your help! Please don't add maintainers without their consent.

You don't have to be a Spack expert or package developer in order to be a "maintainer," it just gives us a list of users willing to review PRs or debug issues relating to this package. A package can have multiple maintainers; just add a list of GitHub handles of anyone who wants to volunteer.

[haampie]

deprecate release 2.4.5 because of a regression

that's the point of patch releases, please don't deprecate.

[hartwork]

@haampie could you elaborate? The problem is that 2.4.5 fixed a security issue but also introduced a regression, so on one hand people need the security fix but on the other it will make some things worse. That conflict is only resolved by using >=2.4.6 and hence I would argue deprecation in the sense of "no one should be using this release today" makes sense to me.

[hartwork]

PS: @haampie in the same sense, in my book, we should add 2.4.7 and 2.4.8 and then (only) deprecated 2.4.6 after because 2.4.7 is "okay to use" today.

[haampie]

Hm, how likely is it to hit the bugs when using expat through python/cmake? It's a tradeoff between stability and many rebuilds. deprecated=True is rather annoying when you update spack and reconcretize an environment, and end up rebuilding a bunch of packages, even when maximizing reuse of installed packages.

[hartwork]

@haampie I'm not sure I understand. Why do reverse dependencies need a rebuild when Expat releases are ABI compatible with each opther? I would not expect rebuilds of anything (other than Expat) from updating Expat (say) 2.4.5 to 2.4.8 (expect in NixOS maybe). Am I missing something specific to Spack?

[haampie]

Spack fixes dependencies by hash, and the version number is used to compute the hash. And the hash is computed ahead of the build, so making sure two versions providing the same library&abi have the same hash is currently not possible.

[hartwork]

@haampie that explains what you meant by stability versus rebuilds. I don't know much about your environment, but getting off 2.4.5 is worth rebuilds to me, and so will getting off 2.4.6 be. Why not to you?