277 points jwilk | 42 comments
1. kibwen ◴[] No.44382195[source]
> Ariadne Conill, a long-time open-source contributor, observed that corporations using open source had responded with "regulatory capture of the commons" instead of contributing to the software they depend on.

I'm only half-joking when I say that one of the premier selling points of GPL over MIT in this day and age is that it explicitly deters these freeloading multibillion-dollar companies from depending on your software and making demands of your time.

replies(4): >>44382211 #>>44383593 #>>44385565 #>>44385638 #
2. xxpor ◴[] No.44382211[source]
Why bother open sourcing if you're not interested in getting people to use it?
replies(10): >>44382234 #>>44382266 #>>44382290 #>>44382308 #>>44382317 #>>44382433 #>>44382714 #>>44382762 #>>44383194 #>>44384358 #
3. itsanaccount ◴[] No.44382234[source]
you seem to have mistaken corporations for people.
replies(1): >>44382250 #
4. kortilla ◴[] No.44382250{3}[source]
You seem to think corporations aren’t made of people
replies(3): >>44382321 #>>44383088 #>>44384543 #
5. bigfatkitten ◴[] No.44382266[source]
So that if they find it useful, they will contribute their own improvements to benefit the project.

I don’t think many projects see acquiring unpaying corporate customers as a goal.

6. meindnoch ◴[] No.44382290[source]
Trillion dollar corporations are not "people".
replies(1): >>44383067 #
7. gizmo686 ◴[] No.44382308[source]
A decent part of my job is open source. Our reason for doing it is simple: we would rather have people who are not us do the work instead of us.

On some of our projects this has been a great success. We have some strong outside contributors doing work on our project without us needing to pay them. In some cases, those contributors are from companies that are in direct competition with us.

On other projects we've open sourced, we've had people (including competitors) use, without anyone contributing back.

Guess which projects stay open source.

replies(1): >>44382456 #
8. lelandbatey ◴[] No.44382317[source]
You can want to be helpful without wanting to have power or responsibility.

I'm interested in people (not companies, or at least I don't care about companies) being able to read, reference, learn from, or improve the open source software that I write. It's there if folks want it. I basically never promote it, and as such, it has little uptake. It's still useful though, and I use it, and some friends use it. Hooray. But that's all.

9. dsr_ ◴[] No.44382321{4}[source]
Sheds are made of wood, but they aren't trees.
10. OkayPhysicist ◴[] No.44382433[source]
The GPL does not prohibit anyone from using a piece of software. It exclusively limits the actions of bad faith users. If all people engaged with FOSS in good faith, we wouldn't need licenses, because all most FOSS licenses require of the acceptors is to do a couple of small, free activities that any decent person would do anyway. Thank/give credit to the authors who so graciously allowed you to use their work, and if you make any fixes or improvements, share alike.

Security issues like this are a prime example of why all FOSS software should be at least LGPLed. If a security bug is found in a FOSS library, who's the more motivated to fix it? The dude who hacked the thing together and gave it away, or the actual users? Requesting that those users share their fixes is farrr from unreasonable, given that they have clearly found great utility in the software.

replies(2): >>44382798 #>>44382937 #
11. OkayPhysicist ◴[] No.44382456{3}[source]
We have a solution to this. It's called the (L)GPL. If people would stop acting like asking for basic (zero cost) decency in exchange for their gift is tantamount to armed robbery, we could avoid this whole mess.
replies(1): >>44388585 #
12. freeone3000 ◴[] No.44382714[source]
What’s the point in people using it if all that profit ends up in someone else’s pockets?
13. ben0x539 ◴[] No.44382762[source]
When I, as a little child (or at least that is how it feels now), got excited about contributing to open source, it was not the thought that one day my code might help run some giant web platform's infrastructure or ship as part of some AAA videogame codebase that motivated me. The motivation was the idea that my code might be useful to people even with no corporation or business having to be involved!
14. charcircuit ◴[] No.44382798{3}[source]
GPL doesn't force people to share their fixes and improvements. And there is nothing bad faith about not sharing all your hard work for free.
replies(1): >>44382912 #
15. OkayPhysicist ◴[] No.44382912{4}[source]
It does if you then share the resulting software. And I think if you make an improvement just for your own enjoyment, you'd be a better person if you shared it back than if you didn't.
replies(1): >>44384521 #
16. SpicyLemonZest ◴[] No.44382937{3}[source]
The GPL "does not prohibit anyone" in a narrow legalistic sense. In colloquial discussions (see e.g. https://www.gnu.org/licenses/why-not-lgpl.en.html), the Free Software Foundation is quite clear that the GPL exists to stop proprietary software developers from using your code by imposing conditions they can't satisfy.
17. eikenberry ◴[] No.44383067{3}[source]
No corporations are people, they are legal constructs. How much money they are worth makes no difference.
18. eikenberry ◴[] No.44383088{4}[source]
Groups of people are not the same as the people that make them up. They think differently and have different motivations.
19. timewizard ◴[] No.44383194[source]
People can use it. Corporations won't. I'm entirely unbothered by this outcome.

This isn't a popularity contest and I'm sick of gamification of literally everything.

20. spott ◴[] No.44383593[source]
This makes an assumption that a bunch of companies are maintaining their own forks of MIT software with bug fixes and features and not giving it back.

I find that hard to believe.

replies(5): >>44383803 #>>44384019 #>>44385553 #>>44386007 #>>44386138 #
21. canyp ◴[] No.44383803[source]
Not really. A company that does not bother contributing to a liberally-licensed project will 100% avoid GPL software like the plague. In either case, they won't contribute. In the latter case, they don't get to free-ride like a parasite.
replies(2): >>44384552 #>>44384660 #
22. adastra22 ◴[] No.44384019[source]
No, they're mostly not. They're throwing the maintenance demand back on the unpaid, understaffed open source developers. That's what TFA is about.
23. riedel ◴[] No.44384358[source]
There are tons of reasons. E.g. public money public code. We are in research and we are open sourcing because we know that we cannot maintain anything, giving people the chance to pick up stuff without having to buy stuff that is constantly losing value and becomes abandonware very soon these days (at this point we often don't even have the resources to open source). So what you mostly get from us is 'public money crappy unmaintained code'.
24. ahtihn ◴[] No.44384521{5}[source]
A lot of software out there runs on servers and is never shared with users in a manner that matters for GPL.
replies(1): >>44384691 #
25. codedokode ◴[] No.44384543{4}[source]
Corporations are made of rich stock owners.
26. ninjin ◴[] No.44384552{3}[source]
It is reasonable to assume that this is true. But an equally effective way other than making your license unpalatable to them, is just to say no and state clearly: "Patches or GTFO". Also, have a homepage to link with your (hefty?) consulting rates?

I have mentioned this in the past, but there was this weird shift in culture just after 2000 where increasingly open source projects were made to please their users, whether they were corporate or not, and "your project is your CV" became how their maintainers would view their projects. It does not have to be this way and we should (like it seems to be the case with libxml2) maybe try to fix this culture?

replies(1): >>44385597 #
27. jenadine ◴[] No.44384660{3}[source]
> will 100% avoid GPL software like the plague.

Not true. Many companies use Linux for example.

They will just avoid using GPL software in ways that would impact their own intellectual property (linking a GPL library to their proprietary software). Sometimes they will even use it with a dubious "workaround" such as saying "we use a daemon with IPC so that's ok"

replies(1): >>44386022 #
28. jenadine ◴[] No.44384691{6}[source]
That's why there is AGPL to fix that "bug"

Anyway, the GPL is there to protect final users and not the maintainer of the project. And if a piece of software is running on someone else's server, you are not the user of that software. (Although you use the service and give the data, but that's another problem)

29. roryirvine ◴[] No.44385553[source]
One of the comments on the LWN article is an analysis of exactly that happening with this very library - https://lwn.net/Articles/1026956/

In short, Apple maintain a 448 kB diff which they 'throw across the wall' in the form of an opaque tarball, shorn of all context. Many of the changes contained within look potentially security-related, but it's been released in a way which would require a huge amount of work to unpick.

That level of effort is unfeasible for a volunteer upstream developer, but is a nice juicy resource for a motivated attacker. Apple's behaviour, therefore, is going to be a net negative from a security point of view for all other users of this library.

replies(1): >>44388460 #
30. c2h5oh ◴[] No.44385565[source]
With SAAS swallowing a big chunk of the software business, GPL is much less effective.

There isn't much difference between MIT and GPL unless you are selling a product that runs locally or on premises, and with the latter some companies try to work around GPL by renting servers with software on it - either as physical boxes or something provided on a cloud provider marketplace.

Look at what you actually have installed on your computer - odds are that unless your job requires something like CAD, photo/video editing or other highly specialized software you have nothing made by a large enterprise with the exception of the OS and Slack/Teams/Zoom.

replies(1): >>44386530 #
31. tzs ◴[] No.44385597{4}[source]
> It is reasonable to assume that this is true. But an equally effective way other than making your license unpalatable to them, is just to say no and state clearly: "Patches or GTFO". Also, have a homepage to link with your (hefty?) consulting rates?

That's fine for feature requests, but the issue in the present case is bug reports.

replies(1): >>44386793 #
32. tzs ◴[] No.44385638[source]
From a maintainer's point of view there is no difference between someone from a large company reporting a bug and some random hobby programmer reporting a bug.
33. ◴[] No.44386007[source]
34. quietbritishjim ◴[] No.44386022{4}[source]
> > will 100% avoid GPL software like the plague.

> Not true. Many companies use Linux for example.

I thought it was clear, given that this is a discussion about an open source library, that they were talking about GPL libraries. The way that standalone GPL software is used in companies is qualitatively quite different.

35. baobun ◴[] No.44386138[source]
Oh, I've seen it plenty. Cultural awareness is just very low in places for some reason.
36. toyg ◴[] No.44386530[source]
> With SAAS swallowing a big chunk of the software business, GPL is much less effective.

Which is why we have the AGPL.

37. ninjin ◴[] No.44386793{5}[source]
I fail to see how that is different. Ultimately, you have released a piece of software into the wild with a clause stating: "The software is provided 'as is' and the author disclaims all warranties with regard to this software including all implied warranties of merchantability and fitness". Thus, it is purely cultural that somehow others and yourself expect you to cancel your family time on a Saturday night solely because an issue has been found in a piece of software you have given away for free. This "value add" is wearing people out and if we want this expectation to remain, maybe it is time for those profiting or those with a monopoly on violence to explore ways to support those that kindly provide free labour like this?
replies(1): >>44390051 #
38. spott ◴[] No.44388460{3}[source]
My reading of this wasn’t that Apple has a bunch of security bug fixes they aren’t upstreaming, it is that they are maintaining their own forks of an old version and back porting security bug fixes from upstream into their fork.

Maybe they are doing their own security fixes, but at this point they are so far diverged from upstream that it isn’t clear that those security bugs exist in upstream.

But that is my guess, I don’t really have enough information to say much for sure.

replies(1): >>44388699 #
39. ilc ◴[] No.44388585{4}[source]
The GPL doesn't do anything when the project is just used internally by another company.

They never trigger the distribution clauses, and they own the copyrights of all the work being done. So if you NEVER distribute binaries outside your company's walls, the GPL is a giant nothing, for most practical cases.

That's why we're starting to see the AGPL more now. But even then, for INTERNAL applications, it's still a nothing.

The GPL doesn't cure people being greedy. It just changes how they are allowed to be greedy.

40. roryirvine ◴[] No.44388699{4}[source]
Digging into it further, it looks like there's a mix - backported bugfixes, Apple-specific fixes, and security issues which may or may not have been fixed by upstream long ago.

Some of it almost certainly would be useful upstream (eg. the clang warnings, and any unfixed security issues), and some might warrant being reimplemented in a different way (those Apple-specific ifdefs in the middle of platform-independent code blocks). But that's not ever going to happen, because of the way Apple jumbles it all together.

replies(1): >>44389315 #
41. om2 ◴[] No.44389315{5}[source]
We have contributed a number of upstream fixes:

  $ cd gnome-libxml2.git
  $ git log --oneline --author=@apple.com | wc -l
      43

The main reason we have a fork at all is that upstream libxml2 has broken source and binary compatibility in various ways, and we can't take those changes because libxml2 is public API on our platforms. We do make an effort to upstream all security fixes, though we sometimes get to it only after we ship.
42. tzs ◴[] No.44390051{6}[source]
> I fail to see how that is different.

A feature request is for something new. A bug report is reporting an error in the already released and distributed software. Here is why that is relevant.

> Ultimately, you have released a piece of software into the wild with a clause stating: "The software is provided 'as is' and the author disclaims all warranties with regard to this software including all implied warranties of merchantability and fitness".

When there is a bug in that released software the 'as is' is not the 'as is' that the developer intended. Probably 99% of free software developers would like to be informed about this, especially if it is software that they are continuing to develop and distribute.

> Thus, it is purely cultural that somehow others and yourself expect you to cancel your family time on a Saturday night solely because an issue has been found in a piece of software you have given away for free

Huh? If I report a bug on a Saturday night (to a free software project or a proprietary project) I expect that someone will look at the report during the normal hours when they look at bug reports and if they decide it is something that needs fixing the work will be scheduled the same way they schedule work to fix bugs that their own testing reveals.