Thread

  1. libxml2 video about its abandonment

    Bruce Momjian <bruce@momjian.us> — 2025-12-17T14:21:28Z

    Here is a video about the current status of libxml2's abandonment
    status:
    
    	https://www.youtube.com/watch?v=GDr4fKXmUvc
    
    The current libxml2 security text is below -- I think this is a positive
    development.  It was rewritten on December 10 to create "a more positive
    Security section":
    
            This patch changes the security section in the README.md file to
            give more information.
    
            This removes the "unmaintained" text, as this project is
            maintained again. It also makes it clear that this is a
            community project, so anyone will know what to expect, and it
            also makes explicit that developers are volunteers and will work
            on the issues that they want, as a try to avoid pressure from
            bug reporters.
    
            The message tries to be positive, promoting collaboration instead
            of conflict. The idea is to make it clear that collaboration is
            welcome and the way to go is to do it yourself instead of asking
            the maintainers to do it for you.
    
    Here is the current Security section text:
    
    	https://gitlab.gnome.org/GNOME/libxml2
    	
    	Security
    	
            This is open-source software written by hobbyists and maintained
            by volunteers.
    
            It's NOT recommended to use this software to process untrusted
            data.  There is a lot of ways that a malicious crafted xml could
            exploit a hidden vulnerability in the software.
    
            The software is provided "as is", without warranty of any kind,
            express or implied. Use this software at your own risk.
    
            To report security bugs, you can create a confidential issue
            with the "security" label. We will review and work on it as a
            best effort. But remember that this is a community project,
            maintained by volunteer developers, so if you are concern about
            any important security bug that's critical for you, feel free to
            collaborate and provide a patch.
    
            The main rule is to be kind. Do not pressure developers to fix
            a CVE or to work on a functionality that you need, because
            that won't work. This is a community project, developers will
            work in the issues that they consider interesting and when
            they want. All contributions are welcome, so if something is
            important for you, you can always get involved, implement it
            yourself and be part of the open source community.
    
    -- 
      Bruce Momjian  <bruce@momjian.us>        https://momjian.us
      EDB                                      https://enterprisedb.com
    
      Do not let urgent matters crowd out time for investment in the future.
    
    
    
    
  2. Re: libxml2 video about its abandonment

    Iván Chavero <ichavero@chavero.com.mx> — 2025-12-17T16:12:48Z

    Hello,
    
    
    As of December 9th libxml2 has two maintainers:
    Daniel Garcia Moreno and Iván Chavero (me), we're trying to
    steer the project in a more positive direction.
    
    
    Contributions are welcome!
    
    
    Cheers,
    
    Iván
    
    
    On 17/12/25 8:21 a.m., Bruce Momjian wrote:
    > Here is a video about the current status of libxml2's abandonment
    > status:
    >
    > 	https://www.youtube.com/watch?v=GDr4fKXmUvc
    >
    > The current libxml2 security text is below -- I think this is a positive
    > development.  It was rewritten on December 10 to create "a more positive
    > Security section":
    >
    >          This patch changes the security section in the README.md file to
    >          give more information.
    >
    >          This removes the "unmaintained" text, as this project is
    >          maintained again. It also makes it clear that this is a
    >          community project, so anyone will know what to expect, and it
    >          also makes explicit that developers are volunteers and will work
    >          on the issues that they want, as a try to avoid pressure from
    >          bug reporters.
    >
    >          The message tries to be positive, promoting collaboration instead
    >          of conflict. The idea is to make it clear that collaboration is
    >          welcome and the way to go is to do it yourself instead of asking
    >          the maintainers to do it for you.
    >
    > Here is the current Security section text:
    >
    > 	https://gitlab.gnome.org/GNOME/libxml2
    > 	
    > 	Security
    > 	
    >          This is open-source software written by hobbyists and maintained
    >          by volunteers.
    >
    >          It's NOT recommended to use this software to process untrusted
    >          data.  There is a lot of ways that a malicious crafted xml could
    >          exploit a hidden vulnerability in the software.
    >
    >          The software is provided "as is", without warranty of any kind,
    >          express or implied. Use this software at your own risk.
    >
    >          To report security bugs, you can create a confidential issue
    >          with the "security" label. We will review and work on it as a
    >          best effort. But remember that this is a community project,
    >          maintained by volunteer developers, so if you are concern about
    >          any important security bug that's critical for you, feel free to
    >          collaborate and provide a patch.
    >
    >          The main rule is to be kind. Do not pressure developers to fix
    >          a CVE or to work on a functionality that you need, because
    >          that won't work. This is a community project, developers will
    >          work in the issues that they consider interesting and when
    >          they want. All contributions are welcome, so if something is
    >          important for you, you can always get involved, implement it
    >          yourself and be part of the open source community.
    >
    
    
    
    
  3. Re: libxml2 video about its abandonment

    Tom Lane <tgl@sss.pgh.pa.us> — 2025-12-17T18:45:57Z

    Iván Chavero <ichavero@chavero.com.mx> writes:
    > As of December 9th libxml2 has two maintainers:
    > Daniel Garcia Moreno and Iván Chavero (me), we're trying to
    > steer the project in a more positive direction.
    
    This is good news indeed.  Best of luck!
    
    			regards, tom lane
    
    
    
    
  4. Re: libxml2 video about its abandonment

    Andreas Karlsson <andreas@proxel.se> — 2025-12-22T19:28:21Z

    On 12/17/25 5:12 PM, Iván Chavero wrote:
    > As of December 9th libxml2 has two maintainers:
    > 
    > Daniel Garcia Moreno and Iván Chavero (me), we're trying to
    > 
    > steer the project in a more positive direction.
    > 
    > 
    > Contributions are welcome!
    
    Great news, good luck!
    
    Andreas