277 points jwilk | 12 comments
DeepYogurt No.44382139
It'd be great if some of these open source security initiatives could dial up the quality of reports. I've seen so so many reports for some totally unreachable code and get a cve for causing a crash. Maintainers will argue that user input is filtered elsewhere and the "vuln" isn't real, but mitre don't care.
replies(3): >>44382170 #>>44382407 #>>44382413 #
mschuster91 No.44382170
> I've seen so so many reports for some totally unreachable code and get a cve for causing a crash.

There have been a lot of cases where something once deemed "unreachable" eventually was reachable, sometimes years later, after a refactoring and now there was an issue.

replies(2): >>44382232 #>>44383832 #
1. DeepYogurt No.44382232
At what rate though? Is it worth burning out devs we as a community rely upon because maybe someday 0.000001% of these bugs might have real impact? I think we need to ask more of these "security researchers". Either provide a real world attack vector or start patching these bugs along with the reports.
replies(2): >>44382273 #>>44382336 #
2. bigfatkitten No.44382273
“PoC or GTFO” is an entirely reasonable response.
replies(3): >>44382466 #>>44382698 #>>44384612 #
3. mschuster91 No.44382336
IMHO, at least the foundations of what makes the Internet tick - the Linux kernel, but also stuff like SSL libraries, format parsers, virtualization tooling and the standard libraries and tools that come installed by default on Linux systems - should be funded by taxpayers. The EU budget for farm subsidies is about 40 billion euros a year - cut 1% off of it, so 400 million euros, and invest it into the core of open source software, and we'd get an untold amount of progress in return.
replies(2): >>44382828 #>>44384416 #
4. marcusb No.44382466
Also a wonderful zine!
5. duped No.44382698
"PR or payment to fix or GTFO" is also a reasonable response
6. charcircuit No.44382828
It's not the government's job to subsidize people's bad business models.
replies(2): >>44385380 #>>44387657 #
7. chronid No.44384416
They should be funded by the companies using them. Do you believe any of the fortune top100 would be greatly impacted by funding libxml2? They probably all rely on it, one way or the other.

The foundation of the internet is something that gets bigger and bigger every year. I understand the sentiment and the reasoning of declaring software a "public good", but it won't scale.

replies(1): >>44385850 #
8. codedokode No.44384612
I wouldn't bother to write PoC because it is a waste of time and it is faster to fix the potential bug rather than figure out what conditions are necessary to turn it into a vulnerability. I think that we all should stop writing PoCs for bugs and spend the lifetime for something more useful.
replies(1): >>44385332 #
9. mschuster91 No.44385332
That's not easy though, especially not for large and old code bases. As an outsider doing occasional bugfixes when I spot issues in an open-source project, I don't have the time to dig into how exactly I need to set up my computer to even have a minimum viable build setup, adhere to each project's different code standards, deal with the bullshit called "Contributor License Agreement" and associated paperwork, or wrap my head around how this specific project does testing and pipelines.

What I can and will do however is write a bug ticket that says what I think the issue is, where my closest suspicion is that causes the issue, and provide either a reproduction or a bugfix patch. Dealing with the remainder of the bureaucracy however is what I do not see as my responsibility.

10. mschuster91 No.44385380
Governments used to fund basic research all the time for decades to provide a common good. Governments fund education, universities, road infrastructure and other foundational stuff so that companies can work.
11. mschuster91 No.44385850
> They should be funded by the companies using them. Do you believe any of the fortune top100 would be greatly impacted by funding libxml2? They probably all rely on it, one way or the other.

I agree in theory but it's impractical to achieve due to the coordination effort involved, hence using taxes as a proxy.

> The foundation of the internet is something that gets bigger and bigger every year. I understand the sentiment and the reasoning of declaring software a "public good", but it won't scale.

For a long time, a lot of foundational development was funded by the government. Of course it can scale - the problem is most people don't believe in capable government any more after 30-40 years of neoliberal tax cuts and utter incompetence (California HSR comes to my mind). We used to be able to do great things funded purely by the government, usually via military funding: laser, radar, microwaves and generally a lot of RF technology, even the Internet itself originated out of the military ARPANET. Or the federal highways. And that was just what the Americans did.

12. viraptor No.44387657
It shouldn't be, but it is to a huge degree. Oil companies, corn production, milk subsidies, road network growth, etc. are all bad business subsidies in the US for example.