Thread
-
libxml2 author overwhelmed with security requests
Bruce Momjian <bruce@momjian.us> — 2025-06-19T01:41:40Z
This blog post explains the serious problems the single libxml2 author is having in maintaining the library: https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports There are few learnings from this: * libxml2 is even less production-ready than we thought * many projects don't have the resources we do -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.
-
Re: libxml2 author overwhelmed with security requests
Álvaro Herrera <alvherre@kurilemu.de> — 2025-06-19T09:00:21Z
On 2025-Jun-18, Bruce Momjian wrote: > This blog post explains the serious problems the single libxml2 author > is having in maintaining the library: > > https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports > > There are few learnings from this: > > * libxml2 is even less production-ready than we thought > * many projects don't have the resources we do Maybe some of the companies doing business with Postgres can chime in to let Nick Wellnhofer (the aforementioned maintainer) spend more time on libxml2 maintenance: https://opencollective.com/libxml2 Currently, looking at the OpenCollective reports, it seems USD 50 come monthly from Airbnb to libxml2's Wellnhofer. That's unlikely to pay very many bills. -- Álvaro Herrera 48°01'N 7°57'E — https://www.EnterpriseDB.com/ "Once again, thank you and all of the developers for your hard work on PostgreSQL. This is by far the most pleasant management experience of any database I've worked on." (Dan Harris) http://archives.postgresql.org/pgsql-performance/2006-04/msg00247.php
-
Re: libxml2 author overwhelmed with security requests
Pavel Stehule <pavel.stehule@gmail.com> — 2025-06-19T15:21:20Z
čt 19. 6. 2025 v 11:00 odesílatel Álvaro Herrera <alvherre@kurilemu.de> napsal: > On 2025-Jun-18, Bruce Momjian wrote: > > > This blog post explains the serious problems the single libxml2 author > > is having in maintaining the library: > > > > > https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports > > > > There are few learnings from this: > > > > * libxml2 is even less production-ready than we thought > > * many projects don't have the resources we do > > Maybe some of the companies doing business with Postgres can chime in to > let Nick Wellnhofer (the aforementioned maintainer) spend more time on > libxml2 maintenance: > https://opencollective.com/libxml2 > > Currently, looking at the OpenCollective reports, it seems USD 50 come > monthly from Airbnb to libxml2's Wellnhofer. That's unlikely to pay > very many bills. > plus - there is not any free alternative for C Regards Pavel > > -- > Álvaro Herrera 48°01'N 7°57'E — > https://www.EnterpriseDB.com/ > "Once again, thank you and all of the developers for your hard work on > PostgreSQL. This is by far the most pleasant management experience of > any database I've worked on." (Dan Harris) > http://archives.postgresql.org/pgsql-performance/2006-04/msg00247.php > > >
-
Re: libxml2 author overwhelmed with security requests
Jim Jones <jim.jones@uni-muenster.de> — 2025-06-19T19:24:32Z
On 19.06.25 03:41, Bruce Momjian wrote: > This blog post explains the serious problems the single libxml2 author > is having in maintaining the library: > > https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports > > There are few learnings from this: > > * libxml2 is even less production-ready than we thought > * many projects don't have the resources we do > That's even worse than I thought. Especially this disclaimer consideration: “This is open-source software written by hobbyists, maintained by a single volunteer, badly tested, written in a memory-unsafe language and full of security bugs. It is foolish to use this software to process untrusted data.” No wonder other major databases opt for writing their own XML processing engines. Sadly, despite these issues, there doesn't seem to be a decent alternative to libxml2 :( -- Jim
-
Re: libxml2 author overwhelmed with security requests
Bruce Momjian <bruce@momjian.us> — 2025-06-19T20:09:04Z
On Thu, Jun 19, 2025 at 09:24:32PM +0200, Jim Jones wrote: > On 19.06.25 03:41, Bruce Momjian wrote: > > This blog post explains the serious problems the single libxml2 author > > is having in maintaining the library: > > > > https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports > > > > There are few learnings from this: > > > > * libxml2 is even less production-ready than we thought > > * many projects don't have the resources we do > > > > That's even worse than I thought. Especially this disclaimer consideration: > > “This is open-source software written by hobbyists, maintained by a > single volunteer, badly tested, written in a memory-unsafe language and > full of security bugs. It is foolish to use this software to process > untrusted data.” > > No wonder other major databases opt for writing their own XML processing > engines. Sadly, despite these issues, there doesn't seem to be a decent > alternative to libxml2 :( I think our solution to making Postgres more secure would be to just remove XML support --- we aleady have the inclusion of libxml options at configure time. I don't think there is community support to be developing an XML library --- some Postgres companies might feel differently, but that is not the community's concern. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.
-
Re: libxml2 author overwhelmed with security requests
Pavel Stehule <pavel.stehule@gmail.com> — 2025-06-19T20:59:38Z
čt 19. 6. 2025 v 22:09 odesílatel Bruce Momjian <bruce@momjian.us> napsal: > On Thu, Jun 19, 2025 at 09:24:32PM +0200, Jim Jones wrote: > > On 19.06.25 03:41, Bruce Momjian wrote: > > > This blog post explains the serious problems the single libxml2 author > > > is having in maintaining the library: > > > > > > > https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports > > > > > > There are few learnings from this: > > > > > > * libxml2 is even less production-ready than we thought > > > * many projects don't have the resources we do > > > > > > > That's even worse than I thought. Especially this disclaimer > consideration: > > > > “This is open-source software written by hobbyists, maintained by a > > single volunteer, badly tested, written in a memory-unsafe language and > > full of security bugs. It is foolish to use this software to process > > untrusted data.” > > > > No wonder other major databases opt for writing their own XML processing > > engines. Sadly, despite these issues, there doesn't seem to be a decent > > alternative to libxml2 :( > > I think our solution to making Postgres more secure would be to just > remove XML support --- we aleady have the inclusion of libxml options at > configure time. I don't think there is community support to be > developing an XML library --- some Postgres companies might feel > differently, but that is not the community's concern. > Own implementation of SQL/XML generating functions like XMLFOREST or XMLELEMENT should not be too difficult. Significantly more difficult problem is parsing of XML (more with namespaces), although some basic support for XMLTABLE should not be too hard too. Libxml2 is very complex due it supports a lot of API, a lot of redundant API - SAX, DOM, DTD, ... But we use only a few percent of functionality from libxml2. Isn't possible to call Rust code from C? Then maybe there are some possibility from Rust world https://github.com/ballsteve/xrust Regards Pavel > -- > Bruce Momjian <bruce@momjian.us> https://momjian.us > EDB https://enterprisedb.com > > Do not let urgent matters crowd out time for investment in the future. > > >
-
Re: libxml2 author overwhelmed with security requests
Tom Lane <tgl@sss.pgh.pa.us> — 2025-06-19T21:12:06Z
Pavel Stehule <pavel.stehule@gmail.com> writes: > Own implementation of SQL/XML generating functions like XMLFOREST or > XMLELEMENT should not be too > difficult. Significantly more difficult problem is parsing of XML (more > with namespaces), although some basic > support for XMLTABLE should not be too hard too. I don't think anybody really wants to roll our own XML parser. > Isn't possible to call Rust code from C? Then maybe there are some > possibility from Rust world > https://github.com/ballsteve/xrust Maybe. I think the fundamental problem here, similar to what we've run into elsewhere, is that we chose a library to depend on without thinking hard enough about whether it would be well-supported in the long run. I see little reason to think that that risk would be less for some random not-written-in-C implementation. If we want to jump ship away from libxml2, we had better ask hard questions about the new choice. regards, tom lane
-
Re: libxml2 author overwhelmed with security requests
Sandeep Thakkar <sandeep.thakkar@enterprisedb.com> — 2025-07-21T07:16:03Z
On Fri, Jun 20, 2025 at 2:42 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > Pavel Stehule <pavel.stehule@gmail.com> writes: > > Own implementation of SQL/XML generating functions like XMLFOREST or > > XMLELEMENT should not be too > > difficult. Significantly more difficult problem is parsing of XML (more > > with namespaces), although some basic > > support for XMLTABLE should not be too hard too. > > I don't think anybody really wants to roll our own XML parser. > > > Isn't possible to call Rust code from C? Then maybe there are some > > possibility from Rust world > > https://github.com/ballsteve/xrust > > Maybe. I think the fundamental problem here, similar to what we've > run into elsewhere, is that we chose a library to depend on without > thinking hard enough about whether it would be well-supported in the > long run. I see little reason to think that that risk would be less > for some random not-written-in-C implementation. If we want to > jump ship away from libxml2, we had better ask hard questions about > the new choice. > Also, libxslt depends on libxml2, and there is no maintainer now after the recent commits done to remove the existing ones: https://gitlab.gnome.org/GNOME/libxslt/-/commit/c8b1ea4b89a9b81fa611f32c80f47df0c3b3b004 https://gitlab.gnome.org/GNOME/libxslt/-/commit/923903c59d668af42e3144bc623c9190a0f65988 > regards, tom lane > > > -- Sandeep Thakkar
-
Re: libxml2 author overwhelmed with security requests
Bruce Momjian <bruce@momjian.us> — 2025-07-28T14:13:12Z
On Mon, Jul 21, 2025 at 12:46:03PM +0530, Sandeep Thakkar wrote: > > On Fri, Jun 20, 2025 at 2:42 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Pavel Stehule <pavel.stehule@gmail.com> writes: > > Own implementation of SQL/XML generating functions like XMLFOREST or > > XMLELEMENT should not be too > > difficult. Significantly more difficult problem is parsing of XML (more > > with namespaces), although some basic > > support for XMLTABLE should not be too hard too. > > I don't think anybody really wants to roll our own XML parser. > > > Isn't possible to call Rust code from C? Then maybe there are some > > possibility from Rust world > > https://github.com/ballsteve/xrust > > Maybe. I think the fundamental problem here, similar to what we've > run into elsewhere, is that we chose a library to depend on without > thinking hard enough about whether it would be well-supported in the > long run. I see little reason to think that that risk would be less > for some random not-written-in-C implementation. If we want to > jump ship away from libxml2, we had better ask hard questions about > the new choice. > > Also, libxslt depends on libxml2, and there is no maintainer now after the > recent commits done to remove the existing ones: > https://gitlab.gnome.org/GNOME/libxslt/-/commit/ > c8b1ea4b89a9b81fa611f32c80f47df0c3b3b004 > https://gitlab.gnome.org/GNOME/libxslt/-/commit/ > 923903c59d668af42e3144bc623c9190a0f65988 Where do we think our use of libxml2 is heading? Do you suspect security scanners will start negative reporting the use of libxml2? -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.
-
Re: libxml2 author overwhelmed with security requests
Tom Lane <tgl@sss.pgh.pa.us> — 2025-07-28T14:15:17Z
Bruce Momjian <bruce@momjian.us> writes: > Where do we think our use of libxml2 is heading? Do you suspect > security scanners will start negative reporting the use of libxml2? There's at least one distro that's already stopped building with --with-libxml out of security concerns. (I forget who exactly, but it's been mentioned on the PG lists.) regards, tom lane
-
Re: libxml2 author overwhelmed with security requests
Iván Chavero <ichavero@chavero.com.mx> — 2025-07-29T23:11:29Z
En 21/07/25 1:16 a. m., Sandeep Thakkar escribió: > > > On Fri, Jun 20, 2025 at 2:42 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Pavel Stehule <pavel.stehule@gmail.com> writes: > > Own implementation of SQL/XML generating functions like XMLFOREST or > > XMLELEMENT should not be too > > difficult. Significantly more difficult problem is parsing of > XML (more > > with namespaces), although some basic > > support for XMLTABLE should not be too hard too. > > I don't think anybody really wants to roll our own XML parser. > > > Isn't possible to call Rust code from C? Then maybe there are some > > possibility from Rust world > > https://github.com/ballsteve/xrust > > Maybe. I think the fundamental problem here, similar to what we've > run into elsewhere, is that we chose a library to depend on without > thinking hard enough about whether it would be well-supported in the > long run. I see little reason to think that that risk would be less > for some random not-written-in-C implementation. If we want to > jump ship away from libxml2, we had better ask hard questions about > the new choice. > > > Also, libxslt depends on libxml2, and there is no maintainer now after the > recent commits done to remove the existing ones: > https://gitlab.gnome.org/GNOME/libxslt/-/commit/c8b1ea4b89a9b81fa611f32c80f47df0c3b3b004 > https://gitlab.gnome.org/GNOME/libxslt/-/commit/923903c59d668af42e3144bc623c9190a0f65988 > After reading this thread I've stepped in to maintain libxslt and me and other Mexican developers are going to be on top of libxml2. We use this libraries and their Rust bindings because we're writing libraries for handling Mexican taxes and they are wrapped in XML. So at least me and another developer will be helping with this libraries and will make our best effort to keep them up to date both in securities and functionalities (eg. XSLT 2.0 support). Cheers, Iván