Thread: Re: libxml2 author overwhelmed with security requests

Re: libxml2 author overwhelmed with security requests

From
Álvaro Herrera
Date:
On 2025-Jun-18, Bruce Momjian wrote:

> This blog post explains the serious problems the single libxml2 author
> is having in maintaining the library:
> 
>     https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports
> 
> There are a few learnings from this:
> 
> *  libxml2 is even less production-ready than we thought
> *  many projects don't have the resources we do

Maybe some of the companies doing business with Postgres can chime in to
let Nick Wellnhofer (the aforementioned maintainer) spend more time on
libxml2 maintenance:
  https://opencollective.com/libxml2

Currently, looking at the OpenCollective reports, it seems USD 50 comes
monthly from Airbnb to libxml2's Wellnhofer.  That's unlikely to pay
very many bills.

-- 
Álvaro Herrera               48°01'N 7°57'E  —  https://www.EnterpriseDB.com/
"Once again, thank you and all of the developers for your hard work on
PostgreSQL.  This is by far the most pleasant management experience of
any database I've worked on."                             (Dan Harris)
http://archives.postgresql.org/pgsql-performance/2006-04/msg00247.php



Re: libxml2 author overwhelmed with security requests

From
Pavel Stehule
Date:


On Thu, 19 Jun 2025 at 11:00, Álvaro Herrera <alvherre@kurilemu.de> wrote:
> On 2025-Jun-18, Bruce Momjian wrote:
> 
> > This blog post explains the serious problems the single libxml2 author
> > is having in maintaining the library:
> >
> >       https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports
> >
> > There are a few learnings from this:
> >
> > *  libxml2 is even less production-ready than we thought
> > *  many projects don't have the resources we do
> 
> Maybe some of the companies doing business with Postgres can chime in to
> let Nick Wellnhofer (the aforementioned maintainer) spend more time on
> libxml2 maintenance:
>   https://opencollective.com/libxml2
> 
> Currently, looking at the OpenCollective reports, it seems USD 50 comes
> monthly from Airbnb to libxml2's Wellnhofer.  That's unlikely to pay
> very many bills.

Plus, there isn't any free alternative for C.

Regards

Pavel