- cross-posted to:
- hackaday@ibbit.at
In an excellent example of one of the most overused XKCD images, the libxml2 library has for a little while lost its only maintainer, with [Nick Wellnhofer] making good on his plan to step down by the end of the year.
While this might not sound like a big deal, the real scope of this problem is rather profound. Not only is libxml2 part of GNOME, it’s also used as a dependency by a huge number of projects, including web browsers and just about anything that processes XML or XSLT. Not having a maintainer in the event that a fresh, high-risk CVE pops up would obviously be less than desirable.



Won’t someone think of the shareholders being deprived of their cost-free CVE fixes???
But really. Switching the license to GPL (ideally GPLv3 or compatible, although IMO we are due for a GPLv4) is a pretty good outcome, hopefully it works.
Actually that means that no company will use it anymore. Since if you have a low-level library like that under GPL, then all the source code needs to be GPL compatible as well. And 99% of the source code that is built on top of libxml2 is most likely not GPL / not GPL compatible.
Extractivists would be welcome to continue being stuck with the GPLv2’d version of the library. The sane world meanwhile can move on with a v3 version that sees community improvements, respects consumer rights, etc.
Current version is actually still MIT: https://gitlab.gnome.org/GNOME/libxml2#license (which is the most preferred license for a low-level library like this)
Ah yeah, same difference.