Wow, this is a whole thing. Like: absolutely, unpaid volunteers shouldn't feel like they're on deadlines to fix security bugs in open source code. They're not. But you're reading this and assuming, "ok, they're getting a lot of dumb reports from random bounty seekers or whatever", and, nope, he's complaining about GPZ.
Which, again, fair enough! But the bugs he's apparently talking about are presumably very serious.
(If maintainers of projects like libxslt stop fixing bugs, Google will ultimately just fix them.)
mdaniel•7mo ago
It took me a second: "Google Project Zero" which I accept responsibility for because I come to the comments before TFA but I hadn't seen that initialism before
ndiddy•7mo ago
This library was originally written to parse GNOME configuration XML files. It was never intended for parsing untrusted data. From GNOME's perspective, if you can crash the XML parser with a malformed config file, that's just a regular bug. If an attacker is able to write to arbitrary files in your home directory, he's already won.
I agree with the maintainer's perspective that it's irresponsible for Apple, Microsoft, and Google to rely on this library for parsing untrusted data in products that they make billions of dollars off of, not provide him any monetary or other support, and expect him to prioritize fixing "security bugs" that don't impact security for his use case. If I was the maintainer, I'd make the same decision he made.
tptacek•7mo ago
All of us agree!
Aurornis•7mo ago
I definitely have empathy for OSS maintainers but getting to the bottom of what was going on here was a rollercoaster.
They mentioned Google Project Zero “breathing down our necks” but then later said Google Project Zero hadn’t even reported anything this year:
> That said, Project Zero has notably reported zero security vulnerabilities in libxml2 since the start of this year.
windward•7mo ago
Michael and Nick are different people
runningmike•7mo ago
“ These organizations are very exclusive clubs and anything but open.” This is so true! Many tests of the OpenSSF Scorecards do not make sense when you e.g do not use github actions and have a one persons project…..
tptacek•7mo ago
Which, again, fair enough! But the bugs he's apparently talking about are presumably very serious.
(If maintainers of projects like libxslt stop fixing bugs, Google will ultimately just fix them.)
mdaniel•7mo ago
ndiddy•7mo ago
I agree with the maintainer's perspective that it's irresponsible for Apple, Microsoft, and Google to rely on this library for parsing untrusted data in products that they make billions of dollars off of, not provide him any monetary or other support, and expect him to prioritize fixing "security bugs" that don't impact security for his use case. If I was the maintainer, I'd make the same decision he made.
tptacek•7mo ago
Aurornis•7mo ago
They mentioned Google Project Zero “breathing down our necks” but then later said Google Project Zero hadn’t even reported anything this year:
> That said, Project Zero has notably reported zero security vulnerabilities in libxml2 since the start of this year.
windward•7mo ago