
276 points | jwilk | 2 comments
bawolff No.44383868
So reading this, it sounds like the maintainer got burned out.

That's reasonable; being a maintainer is a thankless job.

However, I think there is a duty to step aside when that happens. If nobody can take the maintainer's place, then so be it; it's still better than the alternative. Being burned out but continuing anyways just hurts everyone.

It's absolutely not the security researcher's fault for reporting real, albeit low-severity, bugs (to be clear though, entirely reasonable for maintainers to treat low-severity security bugs as public. The security policy is the maintainer's decision; it's not right to blame researchers for following the policy maintainers set).

1. firesteelrain No.44385346
Curl has the same issue and the problem is that these reports are just noise. It wastes everyone’s time and even lacks a Proof of Concept.
2. bawolff No.44390441
AFAIK, curl was complaining about AI-generated reports that were bullshit. They were not complaining about reports that legit caused crashes. Totally different thing.