
278 points by jwilk | 6 comments
1. JonChesterfield No.44382335
This is an alarming read. Not so much the "security bugs are bugs, go away" sentiment which seems completely legitimate, but that libxml2 and libxslt have been ~ solo dev passion projects. These aren't toys. They're part of the infrastructure computing is built on.
replies(5): >>44384388 >>44384598 >>44384778 >>44385323 >>44385522
2. chronid No.44384388
Exactly how OpenSSL was (is?) when Heartbleed happened. It's nothing new, sadly; there are memes about the "unknown OSS passion project" holding up the entire stack all over the internet.
3. No.44384598
4. pabs3 No.44384778
The Nebraska project in this diagram isn't just one project, it's pretty much the entirety of our underlying software infrastructure.

https://xkcd.com/2347/

5. stavros No.44385323
You got the timeline wrong: libxml2 has always been a solo dev passion project, then a bunch of megacorps used it for the infrastructure computing is built on. This is on them.
6. jeroenhd No.44385522
These projects are toys. The real problem is that multi-billion-dollar companies are using toys to keep you safe. Maybe we shouldn't build our core infrastructure with LEGO blocks and silly putty.