from Hacker News

Libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable

by feross on 6/18/25, 3:01 AM with 8 comments

  • by usr1106 on 6/18/25, 4:07 AM

    Apple, Google, AWS, Microsoft, ... I would call it criminal neglect using hobby software like libxml2 written in a memory-unsafe language (to cite the maintainer) to process untrusted input in systems that need to protect personal data or are even safety-relevant.

    So what's the alternative? Microsoft has a longer history than many open source components. Nobody could see the source, but it was proven continuously that it was highly insecure. Less than hobbyist quality, but closed source so nobody could see the (lack of) quality explicitly. Some might claim 20 years later they would produce better software. Maybe marginally, but not fundamentally I'd dare to claim.

  • by anotherhue on 6/18/25, 4:05 AM

    Good for him, I just wish he made it more obvious how a cash rich but time poor BigTech product owner could help him.

  • by msla on 6/18/25, 3:42 AM

    Unsustainable what? The title got cut off.