- cross-posted to:
- hackaday@ibbit.at
In an excellent example of one of the most overused XKCD images, the libxml2 library has for a little while been without its only maintainer, with [Nick Wellnhofer] making good on his plan to step down by the end of the year.
While this might not sound like a big deal, the real scope of this problem is rather profound. Not only is libxml2 part of GNOME, it’s also used as a dependency by a huge number of projects, including web browsers and just about anything that processes XML or XSLT. Not having a maintainer in the event that a fresh, high-risk CVE pops up would obviously be less than desirable.



Another maintainer already jumped in and he is now maintaining it. The original author actually forked it as his own project, and is planning to release it under the GPL license (instead of MIT), basically making it open source in a sense that it can’t be used by big tech. Since that was his point: large software projects and companies relied on his work, yet nobody is paying him.
Won’t someone think of the shareholders being deprived of their cost-free CVE fixes???
But really. Switching the license to GPL (ideally GPLv3 or compatible, although IMO we are due for a GPLv4) is a pretty good outcome, hopefully it works.
Actually that means that no company will use it anymore. Since if you have a low-level library like that under GPL, then all the source code needs to be GPL compatible as well. And 99% of the source code that is built on top of libxml2 is most likely not GPL / not GPL compatible.
Extractivists would be welcome to continue being stuck with the GPLv2’d version of the library. The sane world meanwhile can move on with a v3 version that sees community improvements, respects consumer rights, etc.
Current version is actually still MIT: https://gitlab.gnome.org/GNOME/libxml2#license (which is the most preferred license for a low-level library like this)
Ah yeah, same difference.
Also he was getting CVE issues every week, which are often not urgent issues. Yet it costs him a lot of time. He also now considers security issues just the same as a normal issue, not giving them priority anymore, since that doesn’t make sense anymore for him.