The lone volunteer maintainer of libxml2, one of the open source ecosystem’s most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech’s security demands without compensation or support.
[…]Wellnhofer’s blunt assessment is that coordinated disclosure mostly benefits large tech companies while leaving maintainers doing unpaid work. He criticized the OpenSSF and Linux Foundation membership costs as a financial barrier to single person maintainers gaining additional support.
↫ Sarah Gooding
The problem is that, according to Wellnhofer, libxml2 was never meant to be widely used, but now every major technology company with billions in quarterly revenue expects an unpaid maintainer to fix the security issues, many of them questionable, that they throw his way.
The point is that libxml2 never had the quality to be used in mainstream browsers or operating systems to begin with. It all started when Apple made libxml2 a core component of all their OSes. Then Google followed suit and now even Microsoft is using libxml2 in their OS outside of Edge. This should have never happened. Originally it was kind of a growth hack, but now these companies make billions of profits and refuse to pay back their technical debt, either by switching to better solutions, developing their own or by trying to improve libxml2.
The behavior of these companies is irresponsible. Even if they claim otherwise, they don’t care about the security and privacy of their users. They only try to fix symptoms.
↫ Nick Wellnhofer
It’s wild that a library never intended to be widely used in any critical infrastructure is now used all over the place, even though it just does not have the level of quality and security needed to perform such a role. These are the words of Wellnhofer himself – an addition to the project’s readme now makes this point very clear, and I absolutely love the wording:
This is open-source software written by hobbyists, maintained by a single volunteer, badly tested, written in a memory-unsafe language and full of security bugs. It is foolish to use this software to process untrusted data. As such, we treat security issues like any other bug. Each security report we receive will be made public immediately and won’t be prioritized.
↫ libxml2’s readme
If you want libxml2 to fulfill a role it was never intended to fulfill, make it happen. With contributions. With money. Don’t just throw a whole slew of security demands a sole maintainer’s way and hope he will do the work for you.
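The readme's "foolish to use this software to process untrusted data" is the practical takeaway for anyone who ships an XML parser written in a memory-unsafe language: treat the parse as a hostile-input boundary and contain it. The example below is added here and is not libxml2's code or anything from the project; it shows the generic containment pattern, running the parse in a short-lived child process with a CPU limit, an address-space limit, no core dumps, an input size cap and a wall-clock timeout, so that a crash, hang or memory blow-up kills a throwaway process instead of the caller. Python's standard-library `xml.etree` parser is used as a stand-in for whatever parser you actually link (that choice, the limit values and the sample documents are all assumptions of this example, not facts from the page).

```python
"""Contain an XML parse of untrusted input in a resource-limited child process.

Added example, not code from libxml2 or the original page. The parser in the
child is Python's stdlib ElementTree, standing in for any native XML parser.
"""
import json
import resource
import subprocess
import sys

# Policy knobs (assumed values, tune for your workload).
MAX_INPUT_BYTES = 1 << 20            # refuse oversized input before spawning anything
CPU_SECONDS = 2                      # hard CPU cap for the child
ADDRESS_SPACE_BYTES = 512 << 20      # hard virtual-memory cap for the child
WALL_TIMEOUT_SECONDS = 5             # parent-side wall clock, catches sleeps/hangs

# Constructed sample input (not from the page).
BENIGN_XML = b"<doc><item id='1'>hello</item><item id='2'>world</item></doc>"

# The child is deliberately tiny and stateless: read stdin, parse, emit a
# small JSON summary. Nothing else of the application lives in its address space.
_CHILD_SRC = r'''
import sys, json
import xml.etree.ElementTree as ET   # stand-in parser (assumption of this example)
data = sys.stdin.buffer.read()
root = ET.fromstring(data)           # any exception => non-zero exit, seen by parent
print(json.dumps({"tag": root.tag, "children": len(root)}))
'''


def _limit_child() -> None:
    """Runs in the child between fork and exec: apply hard rlimits."""
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (ADDRESS_SPACE_BYTES, ADDRESS_SPACE_BYTES))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))   # never dump attacker data to disk


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse `data` in an isolated child; never raises on bad input.

    Returns {"ok": True, "result": {...}} on success, otherwise
    {"ok": False, "reason": "..."} describing why the parse was rejected.
    """
    if len(data) > MAX_INPUT_BYTES:
        return {"ok": False, "reason": "input too large"}
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", _CHILD_SRC],   # -I: isolated, ignores env/site
            input=data,
            capture_output=True,
            timeout=WALL_TIMEOUT_SECONDS,
            preexec_fn=_limit_child,
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "timeout"}      # child is killed by subprocess.run
    if proc.returncode != 0:
        # Parse error, crash signal (negative code), or rlimit kill all land here.
        return {"ok": False, "reason": f"child exited {proc.returncode}"}
    try:
        return {"ok": True, "result": json.loads(proc.stdout)}
    except ValueError:
        return {"ok": False, "reason": "unparseable child output"}


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    print(parse_untrusted_xml(b"<doc><unclosed>"))
```

The point of the pattern is that the only thing crossing back into the trusted process is a small, re-validated JSON summary; a memory-safety bug in the parser can corrupt the child, but the child holds no secrets and dies on the next line anyway. On Linux you would normally add a seccomp or namespace sandbox on top of the rlimits, which this example omits.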
“The behavior of these companies is irresponsible. Even if they claim otherwise, they don’t care about the security and privacy of their users. They only try to fix symptoms.”
And with a bells and whistles user interface like Liquid Glass to hide the mess under the carpet.
It’s interesting to hear the story of this lone FOSS developer, but I think if you pulled back the layers on the whole industry you’d probably find this is the norm and not the exception. Those who pay are the exception.
It’s so unfair that tech giants exploit the work of unpaid FOSS coders, but on the other hand the FOSS licenses do allow leeching. So for me there is this struggle to balance the concept of “fairness” with the fact that the license explicitly permits using the software without compensation. Part of me thinks our FOSS licenses hurt developers’ ability to collect compensation.
I am guilty of using unpaid FOSS software as well, and I feel a sense of hypocrisy for it. But then I’m a struggling middle class worker and not sitting on millions/billions/trillions.
And this is why “L” in FLOSS is important. If you want companies to give back, GPL and derivatives is the only option. libxml2 is MIT licensed, so companies can take it, modify it, and close it up.
I don’t care about how GPL makes life hard for companies, they leech everything, and never give back (I know, I’ve been in one…) while ruining everything for everyone.
You want your software to be used and developed, not stolen and bitrotting.
GPL isn’t the proper choice for everything (in the grand scheme of things), but it is a way to force companies to take note of what they’re actually using.
“This should have never happened. ” QED…
Edit: the GPL isn’t a save-all either, just look at Chromium. That’s open, but essentially stolen. Ah I miss KHTML.
Serafean,
Since the GPL only applies to companies that distribute software, you might extend your list to include the AGPL to stop companies using and modifying GPL software internally without giving back.
Yeah GPL has critics too. Here on osnews some argue that distros like rocky and alma linux are taking redhat’s work (and customers) from redhat and giving nothing back, which is a similar debate.
https://www.osnews.com/story/136259/red-hat-limits-rhel-source-code-to-centos-stream/
https://www.osnews.com/story/136275/red-hat-comments-on-its-controversial-source-code-availability-change/
There are a lot of people who wish the GPL worked the way the FUD says it does.
RHEL was using the GPL the way Stallman intended it to be used. It’s not in the spirit of FOSS, but it’s what the law of FOSS says.
Kind of the same thing with Rocky. It follows the letter of the law, but not the spirit.
Alma follows the spirit of FOSS by forking from upstream (CentOS) and competing on their own merit. It’s a peer of RHEL.
They aren’t forking libxml2 which is the problem. If they would fork it locking up their changes, Nick’s life would be better.
The GPL is the best pro-capitalist license around. If you want to start a business with some code, go with GPL + CLA signing the code over. It also doesn’t particularly matter since most code is hidden behind a web page. GPL code isn’t technically distributed, so it doesn’t have to get released.
GPL + no CLA is better, but the FOSS licenses haven’t kept up with corporate abuse, which I’m certain is by design. Open Source is a captured industry, and the FOSS intelligentsia are in on the take. There is no copy-left; only copy-center-right.
When this problem gets brought up “Open Source” people get really antsy and talk about “unintended consequences (TM)”.
Umm… Yeah, that’s why we need to have these conversations. The SSPL is a bonkers AGPL, and the GPL, itself, is very pro-capitalist.
FOSS licenses need to be updated to be much more anti-capitalist and much more pro-public. Corps have figured out the loopholes, and we need to figure out how to close those holes. No one wants to cut out big corps though, because who would exploit the poor FOSS devs then (I guess)?
@Alfman, I do agree but with nuances. First of all, biggest thank you to libxml2 and Nick! Secondly, I am sure that people have noticed that quite a few important OS libraries are from Europe! Often not the shiny front-runners, but the solid bread-and-butter libraries of the foundation of the OS stack. So here is my take:
– yes, more fairness will be needed
– I think the EU should engage even more in sponsoring the EU OS champions and also make OS mandatory for all public tenders. Btw, the EU has brought some stuff like DORIS forward already which forces the corporates to think about the libraries they are using (and its maintenance scenarios too)
– where I disagree though is the whiny part: Nick does not owe anybody anything. Not even a justification. If I get reports or tickets for my OS projects, I apply simple triage (when I have time):
a) is it a bug that can harm my reputation and so aligns with my interest –> I will fix it (at my own terms of course)
b) is it a feature request that aligns with my own interest –> I acknowledge the idea and implement it (at my own terms)
c) is it something else –> “Sponsor needed” tag with a fixed daily rate and a floor price.
d) PRs are welcome of course and I will do my best to support promising new contributors in the hope they will come back for more
The key word here is: “on my own terms”. Reduces stress, keeps the fun alive and sponsors are actually showing up when you just have the patience to sit it out.
As a German, I can tell you about one big weakness: We can’t say no and always want to prove useful first. That makes us great engineers but bad businessmen. Took me 20-plus years abroad to learn finding a balance (and I am still terrible at it).
Best and cheers
I agree that this seems an excellent case for getting some money from the EU OSS sponsorships.
Tbh, whenever I take a look at the existing funding rounds, I’m often surprised by the list of software they pick – there seems to be a bit more not-very-well-known and corner-use-case stuff in there than I’d like to see, such as e.g. IoT projects.
But I’m sure that, depending on your own background, it does inevitably skew your viewpoint about important things (I myself come from a web development environment). Also, in order to get money one has to apply first, and in the end it might be that big/successful OSS projects are in fact doing ok, despite a lot of developers burning out and complaining about funding, whereas the smaller / fresher projects are more likely to go look for $…
Let me play the advocatus diaboli here: Maybe just being the best programmer in the world alone does not work. Maybe coming in second or third, but with some presentation and entrepreneurial skills (or even with a suit :-)) helps.
I compare it with artists and chefs (who are also artists in my book) where the greatest geniuses die very young and poor while the “McDonalds” rake millions.
“EU should engage even more in sponsoring the EU OS” – the only thing the EU does is to defraud public money which is funneled through various “sponsored by EU” “projects”. The project doesn’t have to make sense. It doesn’t even have to work. The only thing you need is a guy who knows people who accept the applications for EU funding and knows how to fill it in using the correct words, then you split the money 50/50. If you try to apply by yourself, especially with something that is useful, there’s a very high chance that you are not going to get any funding, because legitimate beneficiaries would be killed by the paperwork required to be submitted.
XKCD has this covered:
https://xkcd.com/2347/
Ha! Got there just before I went to post that. As usual, XKCD already has us set.
The developer and project does have the power of their labour.
They are an unpaid volunteer, yes. But that doesn’t guarantee anything.
I’d probably look to have a bounty system for security vulnerabilities if I was in the place this project is.
X security vulnerability costs Y amount to fix (t+m). Up to you to sponsor that effort or not.
Anyone can then step in and pick it up (or not) then.
The developer is complaining about bugs in his own code that he presumably put there himself and doesn’t want to fix? And doesn’t seem to care that his users are consequently vulnerable? If he has so little interest in his own software one wonders why he bothered releasing it in the first place.
Nope, the UNPAID developer is complaining about the enormous support burden that is being placed upon him by mostly big tech companies that want proper coordinated security vulnerability release, etc, etc. If they were paying him a reasonable wage, I think he’d be mostly fine with it. After all, that’d BE his job. But he’s just one person, not a team of dozens (including QA, etc) that something so widely used should have.
Said developer doesn’t have “users”. He has peer hobbyists who may or may not like what he did. The fact that some of these “hobbyists” are huge companies with billions of users is irrelevant: the developer is still doing things that interest said developer and not what these companies and/or users want/need.
I wish FOSS maintainers had started that pushback earlier, but better late than never: to get timely support one needs to PAY for it. Period. End of story.
Otherwise bugs that developer wants to see fixed (that is: the ones that affect said developer programs) would be fixed quickly and other bugs (that don’t affect said developer) would be fixed late or not at all.
To NOT provide unpaid support for a billion-dollar corporations is the only weapon developers have against abuse, ultimately.