defusedxml deprecation warning

[carlwgeorge]

Running the tests currently results in a deprecation warning that wasn't there with previous versions of the dependencies.

source/repomd.py:4
  /home/carl/development/repomd/source/repomd.py:4: DeprecationWarning: defusedxml.lxml is no longer supported and will be removed in a future release.
    import defusedxml.lxml

This looks to be caused by tiran/defusedxml#38.

[Kuba314]

Hi, are there any updates on this? We could just do this, right?:

- import defusedxml.lxml
+ from defusedxml import ElementTree

and replace defusedxml.lxml.fromstring() with ElementTree.fromstring()

[carlwgeorge]

Sorry, no update on this so far. I'm long overdue to do some maintenance work on this module, I just haven't gotten around to it yet. When I do I plan to just remove the defusedxml dependency entirely, as that upstream now believes that lxml is mostly safe. When I first wrote this module lxml was significantly faster than other methods, so I'd prefer to stick with it.

[Kuba314]

@carlwgeorge Thank you for the quick reply. Would you accept a PR to use lxml instead of defusedxml? Or even use the standard xml module itself since all this project is doing is running fromstring which the xml module is capable of? I don't know anything about speed though so lxml might be a better choice here but then again, it's 1 more dependency.

[carlwgeorge]

I appreciate the offer of a PR, but it's not necessary as I just need to revert this commit, which will be easy to do once I find time to work on this again. I do intend to keep using the lxml module because of the speed benefits, which are really needed for larger repositories.