Обсуждение: libxml2 video about its abandonment

Here is a video about the current status of libxml2's abandonment
status:

    https://www.youtube.com/watch?v=GDr4fKXmUvc

The current libxml2 security text is below -- I think this is a positive
development.  It was rewritten on December 10 to create "a more positive
Security section":

        This patch changes the security section in the README.md file to
        give more information.

        This removes the "unmaintained" text, as this project is
        maintained again. It also makes it clear that this is a
        community project, so anyone will know what to expect, and it
        also makes explicit that developers are volunteers and will work
        on the issues that they want, as a try to avoid pressure from
        bug reporters.

        The message tries to be positive, promoting collaboration instead
        of conflict. The idea is to make it clear that collaboration is
        welcome and the way to go is to do it yourself instead of asking
        the maintainers to do it for you.

Here is the current Security section text:

    https://gitlab.gnome.org/GNOME/libxml2
    
    Security
    
        This is open-source software written by hobbyists and maintained
        by volunteers.

        It's NOT recommended to use this software to process untrusted
        data.  There is a lot of ways that a malicious crafted xml could
        exploit a hidden vulnerability in the software.

        The software is provided "as is", without warranty of any kind,
        express or implied. Use this software at your own risk.

        To report security bugs, you can create a confidential issue
        with the "security" label. We will review and work on it as a
        best effort. But remember that this is a community project,
        maintained by volunteer developers, so if you are concern about
        any important security bug that's critical for you, feel free to
        collaborate and provide a patch.

        The main rule is to be kind. Do not pressure developers to fix
        a CVE or to work on a functionality that you need, because
        that won't work. This is a community project, developers will
        work in the issues that they consider interesting and when
        they want. All contributions are welcome, so if something is
        important for you, you can always get involved, implement it
        yourself and be part of the open source community.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Do not let urgent matters crowd out time for investment in the future.

Hello,


As of december 9th libxml2 has two maintainers:

Daniel Garcia Moreno and Iván Chavero (me), we're trying to

steer the project in a more positive direction.


Contributions are welcome!


Cheers,

Iván


En 17/12/25 8:21 a.m., Bruce Momjian escribió:
> Here is a video about the current status of libxml2's abandonment
> status:
>
>     https://www.youtube.com/watch?v=GDr4fKXmUvc
>
> The current libxml2 security text is below -- I think this is a positive
> development.  It was rewritten on December 10 to create "a more positive
> Security section":
>
>          This patch changes the security section in the README.md file to
>          give more information.
>
>          This removes the "unmaintained" text, as this project is
>          maintained again. It also makes it clear that this is a
>          community project, so anyone will know what to expect, and it
>          also makes explicit that developers are volunteers and will work
>          on the issues that they want, as a try to avoid pressure from
>          bug reporters.
>
>          The message tries to be positive, promoting collaboration instead
>          of conflict. The idea is to make it clear that collaboration is
>          welcome and the way to go is to do it yourself instead of asking
>          the maintainers to do it for you.
>
> Here is the current Security section text:
>
>     https://gitlab.gnome.org/GNOME/libxml2
>     
>     Security
>     
>          This is open-source software written by hobbyists and maintained
>          by volunteers.
>
>          It's NOT recommended to use this software to process untrusted
>          data.  There is a lot of ways that a malicious crafted xml could
>          exploit a hidden vulnerability in the software.
>
>          The software is provided "as is", without warranty of any kind,
>          express or implied. Use this software at your own risk.
>
>          To report security bugs, you can create a confidential issue
>          with the "security" label. We will review and work on it as a
>          best effort. But remember that this is a community project,
>          maintained by volunteer developers, so if you are concern about
>          any important security bug that's critical for you, feel free to
>          collaborate and provide a patch.
>
>          The main rule is to be kind. Do not pressure developers to fix
>          a CVE or to work on a functionality that you need, because
>          that won't work. This is a community project, developers will
>          work in the issues that they consider interesting and when
>          they want. All contributions are welcome, so if something is
>          important for you, you can always get involved, implement it
>          yourself and be part of the open source community.
>

=?UTF-8?Q?Iv=C3=A1n_Chavero?= <ichavero@chavero.com.mx> writes:
> As of december 9th libxml2 has two maintainers:
> Daniel Garcia Moreno and Iván Chavero (me), we're trying to
> steer the project in a more positive direction.

This is good news indeed.  Best of luck!

            regards, tom lane