knowitnone2 2 hours ago

> he would love to mentor new maintainers for libxml2, "but there simply aren't any candidates"

I know some folks from China, Russia, and North Korea who would love to become maintainers. No pay needed. I recommend Jia Tan - he has vast experience maintaining open-source software.

  • ivolimmen an hour ago

    Maybe my human interaction interfacing software has a glitch but I am having a hard time parsing this content. Do I detect a hint of sarcasm? Please add a '/s' at the end of your future posts to aid my very archaic and vintage brain matter.

    • yupyupyups an hour ago

      Jia Tan was the alias of the hacker(s) who infiltrated xz to plant a backdoor. He/They were in the project for 2 years I believe, and so had "significant experience" "maintaining" open source software.

    • tsimionescu an hour ago

      "Jia Tan" was the name of the person (or group) who became a maintainer of libxz and sneaked in a vulnerability targeting OpenSSH.

AndyKelley 18 minutes ago

If you think you need libxml2, think again. XML is a complex beast. Do you really need all those features? Maybe a much smaller, more easily maintained library would suit your needs while performing better at the same time!

For instance, consuming XML and creating it are two very different use cases. Zooming into consuming it, perhaps your input data has more guarantees than libxml2 assumes, such as the nonexistence of meta definition tags.

  • jeroenhd 3 minutes ago

    XML is used in countless standards. You can't just not use it if you interact with the outside world. Every XML feature is still in the many XML libraries because someone has a need for it, even things like external entities.

    Maybe you don't need libxml2 specifically (good luck finding an alternative to parse XML in C and other such languages though), but "I don't like the complex side of XML so let's pretend it doesn't exist" doesn't solve the problem most people pick libxml2 for. It's the de facto standard because it supports everything you could possibly need.

  • EvanAnderson 12 minutes ago

    Gratuitous use of XML does sometimes smell like a "now you have two problems" kind of affair.
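An added example, not code from the thread or from libxml2, in the spirit of AndyKelley's suggestion and jeroenhd's note on external entities: if your inputs are guaranteed to carry no DOCTYPE or entity declarations, enforce that at the boundary so only plain element markup is ever parsed. It uses Python's standard-library expat binding rather than libxml2; the function names and sample documents are my own constructions.

```python
import xml.parsers.expat as expat


class DisallowedFeature(ValueError):
    """The document uses an XML feature this application chose not to support."""

def parse_restricted(data: bytes) -> dict:
    """Parse with expat, refusing any DOCTYPE, entity declaration or external
    entity reference, so only plain element markup is ever processed."""
    parser = expat.ParserCreate()
    summary = {"root": None, "elements": 0}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is where entity and external-subset machinery begins.
        raise DisallowedFeature(f"DOCTYPE {name!r} not allowed")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DisallowedFeature(f"entity declaration {name!r} not allowed")

    def external_ref(context, base, sysid, pubid):
        raise DisallowedFeature(f"external entity {sysid!r} not allowed")

    def start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    try:
        parser.Parse(data, True)  # exceptions raised in handlers propagate here
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    return summary

def accepts(data: bytes) -> bool:
    """True if the restricted parse succeeds, False on a disallowed feature."""
    try:
        parse_restricted(data)
        return True
    except DisallowedFeature:
        return False


# Constructed sample inputs (not from the thread).
PLAIN = b"<config><host>example.invalid</host><port>8080</port></config>"
INTERNAL_DTD = b'<!DOCTYPE x [<!ENTITY e "v">]><x>&e;</x>'
EXTERNAL_DTD = b'<!DOCTYPE x SYSTEM "x.dtd"><x/>'
```

Malformed input still surfaces as ValueError, so callers can distinguish "not XML" from "XML using a feature we refused".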

gnabgib 3 hours ago

Related: Libxml2's "no security embargoes" policy (298 points, 84 days ago, 270 comments) https://news.ycombinator.com/item?id=44381093

  • 0xbadcafebee 2 hours ago

    Thanks, this is really interesting.

    I feel like it adds more weight to my feeling that we should have a software building code. When you have software that's critical infrastructure, with a nutso security policy like "no embargoes / 0day me bruh", we should have some regulations in place to require the software be maintained properly (that is to say, in a sane manner) or you can't use it commercially or for safety-critical things. Which would inevitably force commercial entities to pay for the maintenance so it could be done right.... which they should be doing already, the same way any company that builds safety-critical infrastructure has to pay to do it right.

    If we want society to be safe, we have to make a law that enforces it. That's how that shit works.

    (as an aside: holy shit, you're a prolific HN submitter, and all from different sources. where do you get it all?)

    • Snild an hour ago

      > we should have a software building code

      This made my brain go "Oh no, not this again. Open source projects don't owe you..." etc etc.

      > or you can't use it commercially or for safety-critical things

      Oh. Yeah, okay, absolutely! For safety-critical, I would like to think the responsibility already lies with the integrator/seller, but making it explicitly so can't hurt.

      • elcritch 35 minutes ago

        Safety-critical fields like aviation already have strict requirements. Usually there are very few software dependencies used in those projects.

        Expanding that to more fields would be interesting, but difficult and expensive across the board. Particularly any sort of requirements like that generally incur significant regulatory and certification overhead.

        However, if it was done similarly to PCISS as an industry forum it might work better. Especially if certain fields, like anything connecting with the electric grid, were required to use certified software.

darkamaul 37 minutes ago

Nick Wellnhofer is stepping away from libxml2 after a decade of unpaid maintenance. He’s forking it under the AGPL, but that will probably scare off most corporate users.

Meanwhile libxml2 is still everywhere. Without someone with real backing, a core piece of infrastructure is about to go unmaintained.

Once again, the open-source funding problem is laid bare: the internet runs on the unpaid evenings of a few people until they burn out (add relevant reference from XKCD, obviously).

  • jeroenhd 9 minutes ago

    With not enough time to develop an alternative and too many application ecosystems relying on this library, I think it's a matter of time before a large company forks the library to fix security issues with it now that they have no choice but to do the work themselves. At least until IBM and Google figure out a way to move away from this library.

throw839393949 an hour ago

Too bad the GNOME Foundation does not get any money. They are completely broke, like Mozilla!