@adamjstewart updated expat to 2.2.2 yesterday. One of the changes is

Protect against compilation without any source of high
quality entropy enabled, e.g. with CMake build system;
from https://github.com/libexpat/libexpat/blob/R_2_2_2/expat/Changes

High quality source of randomness appear to be the getrandom() call (linux 3.17+) the SYS_getrandom system call (linux 3.17+) or arc4random_buf (bsd or libbsd).

I apparently have none of the above (CentOS 7 kernel running 3.10.0-327.36.3.el7.x86_64).

I'm not entirely sure what people in my situation (older kernels) are supposed to do.

One solution might be to add a package for libbsd.

It seems like sjackman ran into the same problem with Ubuntu 14.04. His solution was to depend on libbsd.

Alternatively, we could add a variant that defines XML_POOR_ENTROPY.

I'll look into libbsd.