Thread
-
libxml2 video about its abandonment
Bruce Momjian <bruce@momjian.us> — 2025-12-17T14:21:28Z
Here is a video about the current status of libxml2's abandonment status: https://www.youtube.com/watch?v=GDr4fKXmUvc The current libxml2 security text is below -- I think this is a positive development. It was rewritten on December 10 to create "a more positive Security section": This patch changes the security section in the README.md file to give more information. This removes the "unmaintained" text, as this project is maintained again. It also makes it clear that this is a community project, so anyone will know what to expect, and it also makes explicit that developers are volunteers and will work on the issues that they want, as a try to avoid pressure from bug reporters. The message tries to be positive, promoting collaboration instead of conflict. The idea is to make it clear that collaboration is welcome and the way to go is to do it yourself instead of asking the maintainers to do it for you. Here is the current Security section text: https://gitlab.gnome.org/GNOME/libxml2 Security This is open-source software written by hobbyists and maintained by volunteers. It's NOT recommended to use this software to process untrusted data. There is a lot of ways that a malicious crafted xml could exploit a hidden vulnerability in the software. The software is provided "as is", without warranty of any kind, express or implied. Use this software at your own risk. To report security bugs, you can create a confidential issue with the "security" label. We will review and work on it as a best effort. But remember that this is a community project, maintained by volunteer developers, so if you are concern about any important security bug that's critical for you, feel free to collaborate and provide a patch. The main rule is to be kind. Do not pressure developers to fix a CVE or to work on a functionality that you need, because that won't work. This is a community project, developers will work in the issues that they consider interesting and when they want. All contributions are welcome, so if something is important for you, you can always get involved, implement it yourself and be part of the open source community. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future. -
Re: libxml2 video about its abandonment
Iván Chavero <ichavero@chavero.com.mx> — 2025-12-17T16:12:48Z
Hello, As of december 9th libxml2 has two maintainers: Daniel Garcia Moreno and Iván Chavero (me), we're trying to steer the project in a more positive direction. Contributions are welcome! Cheers, Iván En 17/12/25 8:21 a.m., Bruce Momjian escribió: > Here is a video about the current status of libxml2's abandonment > status: > > https://www.youtube.com/watch?v=GDr4fKXmUvc > > The current libxml2 security text is below -- I think this is a positive > development. It was rewritten on December 10 to create "a more positive > Security section": > > This patch changes the security section in the README.md file to > give more information. > > This removes the "unmaintained" text, as this project is > maintained again. It also makes it clear that this is a > community project, so anyone will know what to expect, and it > also makes explicit that developers are volunteers and will work > on the issues that they want, as a try to avoid pressure from > bug reporters. > > The message tries to be positive, promoting collaboration instead > of conflict. The idea is to make it clear that collaboration is > welcome and the way to go is to do it yourself instead of asking > the maintainers to do it for you. > > Here is the current Security section text: > > https://gitlab.gnome.org/GNOME/libxml2 > > Security > > This is open-source software written by hobbyists and maintained > by volunteers. > > It's NOT recommended to use this software to process untrusted > data. There is a lot of ways that a malicious crafted xml could > exploit a hidden vulnerability in the software. > > The software is provided "as is", without warranty of any kind, > express or implied. Use this software at your own risk. > > To report security bugs, you can create a confidential issue > with the "security" label. We will review and work on it as a > best effort. But remember that this is a community project, > maintained by volunteer developers, so if you are concern about > any important security bug that's critical for you, feel free to > collaborate and provide a patch. > > The main rule is to be kind. Do not pressure developers to fix > a CVE or to work on a functionality that you need, because > that won't work. This is a community project, developers will > work in the issues that they consider interesting and when > they want. All contributions are welcome, so if something is > important for you, you can always get involved, implement it > yourself and be part of the open source community. >
-
Re: libxml2 video about its abandonment
Tom Lane <tgl@sss.pgh.pa.us> — 2025-12-17T18:45:57Z
=?UTF-8?Q?Iv=C3=A1n_Chavero?= <ichavero@chavero.com.mx> writes: > As of december 9th libxml2 has two maintainers: > Daniel Garcia Moreno and Iván Chavero (me), we're trying to > steer the project in a more positive direction. This is good news indeed. Best of luck! regards, tom lane
-
Re: libxml2 video about its abandonment
Andreas Karlsson <andreas@proxel.se> — 2025-12-22T19:28:21Z
On 12/17/25 5:12 PM, Iván Chavero wrote: > As of december 9th libxml2 has two maintainers: > > Daniel Garcia Moreno and Iván Chavero (me), we're trying to > > steer the project in a more positive direction. > > > Contributions are welcome! Great news, good luck! Andreas