Apparently these symbols were never supposed to be exported:
<https://github.com/libexpat/libexpat/pull/197>. However, there could
be packages "in the wild" that uses these symbols and would silently
break with the grafted Expat.
IIUC the fix for CVE-2018-20843 is this commit:
<https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6>.
I think it's better to graft a variant with only this patch to be on the
safe side. Can you try that?
Good idea. I didn't think to check. Yes, I can try to do that.
Could you also submit a second patch that adds GitHub as an additional
download location for the regular Expat package? :-)
I'll try that as well.