Re: libxml2 author overwhelmed with security requests
| From | Bruce Momjian |
|---|---|
| Subject | Re: libxml2 author overwhelmed with security requests |
| Date | |
| Msg-id | aFRuYBmPyLTH32kc@momjian.us |
| In reply to | Re: libxml2 author overwhelmed with security requests (Jim Jones <jim.jones@uni-muenster.de>) |
| Responses | Re: libxml2 author overwhelmed with security requests |
| List | pgsql-hackers |
On Thu, Jun 19, 2025 at 09:24:32PM +0200, Jim Jones wrote:
> On 19.06.25 03:41, Bruce Momjian wrote:
> > This blog post explains the serious problems the single libxml2 author
> > is having in maintaining the library:
> >
> > https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports
> >
> > There are few learnings from this:
> >
> > * libxml2 is even less production-ready than we thought
> > * many projects don't have the resources we do
> >
>
> That's even worse than I thought. Especially this disclaimer consideration:
>
> “This is open-source software written by hobbyists, maintained by a
> single volunteer, badly tested, written in a memory-unsafe language and
> full of security bugs. It is foolish to use this software to process
> untrusted data.”
>
> No wonder other major databases opt for writing their own XML processing
> engines. Sadly, despite these issues, there doesn't seem to be a decent
> alternative to libxml2 :(

I think our solution to making Postgres more secure would be to just
remove XML support --- we already have the inclusion of libxml options at
configure time. I don't think there is community support to be developing
an XML library --- some Postgres companies might feel differently, but that
is not the community's concern.

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

Do not let urgent matters crowd out time for investment in the future.