Posted by jwilk 7 days ago

Libxml2's "no security embargoes" policy(lwn.net)
298 points | 269 comments | page 4
VMtest 6 days ago|
I'm very sure that if he were well paid by those corporations he would have no problem maintaining it. Take note, guys.
tptacek 7 days ago||
I don't think this trend much matters. Serious vendors concerned about security will simply vendor things like libxml2 and handle security inbounds themselves; they'll become the real upstreams.
hyperman1 6 days ago||
Then they all have patches floating around, and get in trouble coordinating with each other. Long term, they would have to set up a foundation to manage these patches, call it the 'a patchie' foundation. Maybe they'll think about a cute name and release a webserver.
canyp 6 days ago||
Serious vendors:
akshatver12312 6 days ago||
Valid points, hope you get it...
KingMob 6 days ago||
"...the project has received the immense sum of $11,000..."

Is the author being sarcastic? Or is that genuinely an immense sum relative to how little funding most FOSS gets?

pabs3 6 days ago|
Both :/
mystified5016 6 days ago||
Honestly the only permanent solution to this is probably a big string of LeftPad events. Maintainers of projects like this that have been subsumed into corporate infrastructure should pull the plug and nuke the git repo.

Disastrous, apocalyptic consequences are the only way to get the attention of the real decision makers. If libxml2 just vanishes and someone explains to John Chrome or whoever that $150k a year will make the problem go away, it's a non-decision. $150k isn't even a rounding error on a rounding error for Google.

The only way to fight corporations just taking whatever they want is to absolutely wreck their shit when they misbehave.

Call it juvenile, sure, but corporations are not rational adults and usually behave like a child throwing a temper tantrum. There have to be real, painful and ongoing consequences in order to force a corporation to behave.

akshatver12312 6 days ago||
vbc
bjourne 7 days ago||
So software was released under the MIT license, and the maintainer now complains that corporate users are not helping improve it? I'd file this under "Stallman told you so."
kayodelycaon 7 days ago||
No. He’s complaining about companies demanding he do free work for them.
burnt-resistor 7 days ago||
The correct response is "FU, pay me."
tzs 6 days ago||
The license used is completely irrelevant here. Corporate users generally aren't making any changes to software like libxml2.
Aurornis 7 days ago||
I empathize with some of the frustrations, but I'm puzzled by the attempts to paint the library as low-quality and not suitable for production use:

> The viewpoint expressed by Wellnhofer's is understandable, though one might argue about the assertion that libxml2 was not of sufficient quality for mainstream use. It was certainly promoted on the project web site as a capable and portable toolkit for the purpose of parsing XML. Open-source proponents spent much of the late 1990s and early 2000s trying to entice companies to trust the quality of projects like libxml2, so it is hard to blame those companies now for believing it was suitable for mainstream use at the time.

I think it's very obvious that the maintainer is sick of this project on every level, but the efforts to trash talk its quality and the contributions of all previous developers don't sit right with me.

This is yet another case where I fully endorse a maintainer's right to reject requests and even step away from their project, but in my opinion it would have been better to just make an announcement about stepping away than to go down the path of trash talking the project on the way out.

rectang 7 days ago||
I think Wellnhofer is accurate in his assessment of the current state of the library and its support infrastructure institutions. Software without adequate ongoing maintenance should not be used in production.

(Disclosure: I'm a past collaborator with Nick on other projects. He's a fantastic engineer and a responsible and kind person.)

firesteelrain 6 days ago||
The crux is these seemingly bogus security “bugs”. If there were quality issues, the amount of software and people using libxml by virtue of testing in production/wild would have found most issues by now.

There is plenty of software today that's closed source, tested within cost and schedule, and running in production. I get the point, but libxml is not one of those cases.

zetafunction 6 days ago|||
A large part of the problem is the legacy burden of libxml2 and libxslt. A lot of the implementation details are exposed in headers, and that makes it hard to write improvements/fixes that don't break ABI compatibility.
flomo 7 days ago|||
Recall similar things were said about OpenSSL, and it was effective at getting corps to start funding the project.
wbl 7 days ago||
It was not however effective at getting the project to care about quality or performance.
poulpy123 6 days ago||
I think it's a way to say: "if you don't like what I'm doing, go fuck yourself"
bawolff 6 days ago|
So reading this, it sounds like the maintainer got burned out.

That's reasonable, being a maintainer is a thankless job.

However, I think there is a duty to step aside when that happens. If nobody can take the maintainer's place, then so be it; it's still better than the alternative. Being burned out but continuing anyway just hurts everyone.

It's absolutely not the security researcher's fault for reporting real, albeit low severity, bugs. (To be clear, though, it's entirely reasonable for maintainers to treat low severity security bugs as public. The security policy is the maintainer's decision; it's not right to blame researchers for following the policy maintainers set.)

firesteelrain 6 days ago||
Curl has the same issue and the problem is that these reports are just noise. It wastes everyone’s time and even lacks a Proof of Concept.
bawolff 6 days ago||
Afaik, curl was complaining about AI generated reports that were bullshit. They were not complaining about reports that legit caused crashes. Totally different thing.
firesteelrain 6 days ago||
I don't recall that. I was referring to this blog post, and there was a series of them:

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-eve...

teddyh 6 days ago||
Being a free software maintainer, especially for code that you did not yourself write, is in effect a volunteer position in a charity or a non-profit organization. You yourself volunteered to take the position, and when you did, you became responsible for acting in the interests of the project and all its users. The fact that you are not paid does not mean that you can do whatever you please. If you at any time feel that you cannot fulfill your responsibilities to your users and to the development of the project, you should immediately leave your position to more eager and/or capable hands. (You should already have been prepared and have such people ready to take over, which should be possible if the project is popular enough.)