somehow the original way (stdout/stderr) didn't work in dash
(which is /bin/sh in Debian, and rather limited, that is, a good
testing ground for POSIX shell compatibility)
which is the case with at least the Homebrew (OS X) and pkgsrc (many)
package managers.
FIXME: doesn't check if 'xml' is xmlstarlet
TODO: fail explicitly if no
mktemp(1) is not specified by POSIX and accordingly inconsistent
across systems - e.g. non-GNU-implementations requiring that there
be some sort of template specified. this appears to be the simplest
more-or-less portable invocation.
use the user name as part of the name for temporary files.
