Nick Wellnhofer, the maintainer of the libxml2 library, has announced a new approach to handling vulnerabilities. Moving forward, vulnerabilities will be treated as regular bugs rather than being prioritized. They will be addressed as time permits, and information about the nature of each vulnerability will be made public immediately. This change means that fixes will no longer have to wait for patches to be created and distributed to operating systems.
In a related move, Nick also withdrew support for the accompanying library libxslt, expressing doubts about finding someone to take over its maintenance.
A recent update to the libxml2 project notes that the library, written by enthusiasts and maintained by a single volunteer, is unsafe due to poor testing and use of a memory-unsafe language. All security issues will now be treated like any other errors, with information being made public immediately to expedite fixes.
This change is expected to allow Nick to focus more on primary development tasks for libxml2, rather than being sidetracked by vulnerability handling. Currently, several hours per week are spent managing vulnerability reports and creating patches, which has become burdensome given the volunteer nature of the maintenance.
Nick criticizes the practice of withholding vulnerability information to pressure volunteers into working for free, calling it detrimental. While acknowledging that libxml2 is not suitable for use in browsers and operating systems, Nick condemns major companies such as Apple, Google, and Microsoft for using the library irresponsibly in their products. Rather than treating the symptoms, Nick believes it would be more beneficial for the project if these companies discontinued their use of libxml2.