libxml2 no longer embargoing security issues

[vielmetti]

I'm reading https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 where the author (Nick Wellnhofer) reports that libxml2 is no longer going to accept requests for security related bugs to be embargoed. As a consequence, any CVE related to libxml2 will be immediately published. The post also points out the challenges that Nick as a sole maintainer is having.

Since libxml2 is a dependency of Nokogiri, this could potentially have follow-on impact to how security bugs are reported to or handled by Nokogiri.

I opened this as a discussion not with any specific current concern, but it is a more widespread issue about maintaining a dependency and one that might be worth discussing. (If not, then OK to close.)

[flavorjones]

@vielmetti Thanks for opening. I'm happy to discuss this at length if people have actionable suggestions.

I suspect that Nick has posted this, in part, to help build the case for future funding from large, profitable tech companies who rely on libxml2. Those companies (with names that rhyme with Schnapple and Froogle) should be extremely motivated to keep libxml2 well-supported.

I have also seen that GNOME is providing some non-technical support around security responses; and it also looks like some users are trying to step up and contribute more. So I'm currently in a wait-and-see mode.

[vielmetti]

Thanks @flavorjones . I can understand that a company fueling by shanapples, and a company that's notably froogle, might be hesitant to contribute anything that they don't absolutely have to. Has anything changed since June 30 from your perspective?

[flavorjones]

Here's the latest in which Nick announced he is stepping down as maintainer and will only address regressions until the end of 2025:

https://discourse.gnome.org/t/stepping-down-as-libxml2-maintainer/31398

I'm honestly not sure what that means for the billions of devices that are running libxml2, or what that means for Nokogiri yet.

For the record, it would not be easy (actually it's probably not even possible) to migrate Nokogiri to another XML/XSLT library without removing features or greatly changing the API. But libxml2 has SO MANY dependent libraries and applications that are in the same situation that my prediction is that some company will step up to maintain it (or a fork of it) or pay for maintenance.

But honestly, nobody knows at this point and I'm not sure there's any action I should be taking with respect to Nokogiri (yet). Obviously if and when security issues are raised and patches are available I will vet and apply them to the vendored library, so for a bit the libxml2 users may be forced to act like a community and rely on each other.