this post was submitted on 24 Dec 2025
72 points (100.0% liked)
Linux

Another maintainer already jumped in and he is now maintaining it. The original author actually forked his own project, and is planning to release it under the GPL license (instead of MIT), basically making it open source in a sense that it can't be used by big tech. Since that was his point: large software projects and companies relied on his work, yet nobody is paying him.
Won't someone think of the shareholders being deprived of their cost-free CVE fixes???
But really. Switching the license to GPL (ideally GPLv3 or compatible, although IMO we are due for a GPLv4) is a pretty good outcome, hopefully it works.
Actually that means that no company will use it anymore. Since if you have a low-level library like that under GPL, then all the source code needs to be GPL compatible as well. And 99% of the source code that is built on top of libxml2 is most likely not GPL / not GPL compatible.
Extractivists would be welcome to continue being stuck with the GPLv2'd version of the library. The sane world meanwhile can move on with a v3 version that sees community improvements, respects consumer rights, etc.
Current version is actually still MIT: https://gitlab.gnome.org/GNOME/libxml2#license (which is the most preferred license for a low-level library like this)
Ah yeah, same difference.
Also, he was getting CVE issues every week, which are often not urgent issues. Yet it costs him a lot of time. He also now considers security issues just the same as normal issues, not giving them priority anymore, since that doesn't make sense for him anymore.