OpenSAML user discussion

["Scott Cantor" <>]

> Has this issue been resolved?  Thanks, Tom

I'm not sure what you mean, since Chad was talking about the new code. I'm
still not aware of any dependency on java.xml.transform in the released
version. I have no simple way to find out, however, and it's complicated by
the fact that Sun's code could run without my knowledge even if Xalan is
removed.

What I do know is that *Apache* Xalan is not required, because I had xmlsec
patched extensively to allow that back when we planned on using Sun's code
and not endorsing anything for 1.5. That failed of course since Sun's code
leaks memory.

Xalan is there now because if you're going to hijack java.xml.*, it's just
best to hijack all of it with a consistent set of Apache code, just in case.
I don't even know how to evaluate the implications of using Xerces + Sun's
Xalan, and I don't think I trust these abstractions enough to believe that's
a good idea.

The situation Chad was talking about is even more complex, but it's best not
to go into it, it's not relevant to anything that's released.

-- Scott