276 points jwilk | 6 comments
1. otikik ◴[] No.44385287[source]
I think they are not going far enough.

"All null-pointer-referencing issues should come with an accompanying fix pull request".

replies(2): >>44385352 #>>44385551 #
2. tzs ◴[] No.44385352[source]
So if I find a null pointer dereference issue in something written in a language I don’t know, I shouldn’t report it because I can’t include a fix?
replies(1): >>44385374 #
3. otikik ◴[] No.44385374[source]
If you don't know the language, why are you reporting null pointers?
replies(1): >>44385503 #
4. tzs ◴[] No.44385503{3}[source]
Because the program crashed and the crash dump showed a null pointer dereference, and I found some inputs that reproduce it 100%, so I thought this might be useful to the developer?
replies(1): >>44385760 #
5. jeroenhd ◴[] No.44385551[source]
I don't think putting the burden to fix the code should be on users. However, it also shouldn't be on developers.

I think something like "Null-pointer-referencing issues will not be looked at by core maintainers unless someone already provides a patch". That way, someone else who knows how to fix the problem can step in, and users aren't left with the false impression that merely reporting their bug will not guarantee a solution.

6. otikik ◴[] No.44385760{4}[source]
In the context of libxml it does sound like for every hypothetical person like you there are going to be 20 "security researchers" like the ones the article is mentioning; just running automated tools and trying to use security issues as a way to promote themselves.

If getting rid of your input gets rid of the other 20 issues, I would take it.