Libxml2's "no security embargoes" policy
10 months ago
- #sustainability
- #security
- #open-source
- Libxml2's maintainer rejects security embargoes due to unsustainable workload and lack of corporate support.
- Libxml2, initially developed for GNOME, became widely adopted by major tech companies like Apple, Google, and Microsoft.
- Maintainer Nick Wellnhofer highlights the lack of funding and support from corporations benefiting from libxml2.
- Security researchers often report bugs without providing fixes, adding to the burden on unpaid maintainers.
- Wellnhofer argues that treating security issues as regular bugs could encourage more contributions and reduce burnout.
- The discussion also covered adding 'MAINTENANCE-TERMS.md' files to projects to clarify maintenance expectations and protect maintainers.
- The situation reflects broader issues in open-source sustainability and corporate responsibility.