Here is a video about the current status of libxml2's abandonment
status:
https://www.youtube.com/watch?v=GDr4fKXmUvc
The current libxml2 security text is below -- I think this is a positive
development. It was rewritten on December 10 to create "a more positive
Security section":
This patch changes the security section in the README.md file to
give more information.
This removes the "unmaintained" text, as this project is
maintained again. It also makes it clear that this is a
community project, so anyone will know what to expect, and it
also makes explicit that developers are volunteers and will work
on the issues that they want, as a try to avoid pressure from
bug reporters.
The message tries to be positive, promoting collaboration instead
of conflict. The idea is to make it clear that collaboration is
welcome and the way to go is to do it yourself instead of asking
the maintainers to do it for you.
Here is the current Security section text:
https://gitlab.gnome.org/GNOME/libxml2
Security
This is open-source software written by hobbyists and maintained
by volunteers.
It's NOT recommended to use this software to process untrusted
data. There is a lot of ways that a malicious crafted xml could
exploit a hidden vulnerability in the software.
The software is provided "as is", without warranty of any kind,
express or implied. Use this software at your own risk.
To report security bugs, you can create a confidential issue
with the "security" label. We will review and work on it as a
best effort. But remember that this is a community project,
maintained by volunteer developers, so if you are concern about
any important security bug that's critical for you, feel free to
collaborate and provide a patch.
The main rule is to be kind. Do not pressure developers to fix
a CVE or to work on a functionality that you need, because
that won't work. This is a community project, developers will
work in the issues that they consider interesting and when
they want. All contributions are welcome, so if something is
important for you, you can always get involved, implement it
yourself and be part of the open source community.
--
Bruce Momjian <[email protected]> https://momjian.us
EDB https://enterprisedb.com
Do not let urgent matters crowd out time for investment in the future.
