It seems perfectly reasonable for any library to take the stance they are not a security barrier. It is up to people using libxml2 in applications and OSs that have the resources to issue CVEs and track embargos. I am sure any resulting PRs will be gratefully welcomed.

We get so many 'security advisors' trying to blackmail us for money or blackmailing us to post on some social media that we don't care about security because we ignored their emails. A small company, let alone an opensource maintainer doesn't have time for this. Most of this stuff is just not priority or not valid for our case. We had some relief years ago when we changed our internal stuff to give off productnames and version numbers that simply don't exist, but because so much is frontend now tools are so good at finger printing that, so now we do get tons of those again.

funny - when struts2/log4j caused a lot of million-dollar problems, how many companies were looking for commercial alternatives or invested into developing their own solutions? That's right - zero. Everyone just switched to the next freebie.

Do we need a more profound solution than what the maintainer is doing here? Any given bug is either:

a) nonsense in which case nobody should spend any time fixing this (I'm thinking things like the frontend DDOS CVEs that are common) b) an actual problem in which case a compliance person at one of these mega tech companies will tell the engineers it needs to be fixed. If the maintainer refuses to be the person fixing it (a reasonable choice), the mega tech company will eventually just do it.

I suppose the risk is the mega tech company only fixes it for their internal fork.

It would be better if there was a layer of maintainers between the free software authors and the end users that could act as a buffer in cases like this, in particular to take care of security vulnerabilities that genuinely need dealing with quickly.

Of course that's exactly what traditional Linux distributions signed up to do.

Clearly many people have decided that they're better off without the distributions' packaging work. But maybe they should be thinking about how to get the "buffering" part back, and ideally make it work better than the distributions managed to.

I think they are not going far enough.

"All null-pointer-referencing issues should come with an accompanying fix pull request".

its so weird to me to report a bug to open source but not atleast suggest a fix :/. especially around security bugs. to prove it u need to reliably trigger and exploit it so it should be plainly obvious in most cases what the fix is :/.

this is why i never report stuff to open source. if you wanna play bug bounty and cve hoarder its better to stick with bug bounty programs.

why? there the security researcher can be depressed about the process himself rather than some volunteer coder. gotta not make your issues other ppls issues.

I wonder if fil c would make most of these issues go away

https://github.com/pizlonator/llvm-project-deluge

When a project is up, open source developers are keen to promote it, put it on their CV, give conference talks. There is no obligation for companies to sponsor anything, this is not the reason behind open source.

Yes open source has changed, from when the early 90s. There are more users, companies use projects and make millions with other peoples work.

I feel with the maintainer, with how ungrateful people are. And demanding without giving.

Open Source licenses fall short.

Open Source projects should clearly state what they think about fixing security, taking on external contributions or if they consider the project feature complete. Just like standard licenses, we should have a standard, parseable maintenance "contract".

"I fix whatever you pay for, I fix nothing, I fix how I see fit. Including disclosure, etc."

So everyone is clear about what to expect.