In a great example of one of the most overused XKCD images, the libxml2 library has briefly lost its only maintainer, with [Nick Wellnhofer] making good on his plan to step down by the end of the year.
While this might not sound like a big deal, the actual scope of this problem is rather profound. Not only is libxml2 part of GNOME, it's also used as a dependency by a huge number of projects, including web browsers and just about anything that processes XML or XSLT. Not having a maintainer in the event that a fresh, high-risk CVE pops up would clearly be less than desirable.
As for why [Nick] stepped down, it's a long story. It begins in the early 2000s when the original author [Daniel Veillard] decided he no longer had time for the project and left [Nick] in charge. It should be said here that both of them worked as volunteers on the project, for no financial compensation. This was when large companies began to use projects like libxml2 in their software, and were happy to send in bug reports. Beyond a single Google donation it was effectively unpaid work that required a lot of time spent on researching and processing the potential security flaws that were sent in.
Of note is that when such a security report comes in, the expectation is that you, as a volunteer software developer, drop everything you're working on and figure out the cause, the fix and a patched-by date, alongside filing a CVE. This rather than you getting sent a merge request or similar with an accompanying test case. Clearly these kinds of circumstances seem to have played a major role in making [Nick] burn out on maintaining both libxml2 and libxslt.
Fortunately for the project two new developers have stepped up to take over as maintainers, but it should be obvious that such churn isn't a good sign. It also highlights the central problem with the conflicting expectations of open source software being both completely free in a monetary sense and unburdened by critical bugs. This is unfortunately an issue that doesn't seem to have an easy solution, with e.g. software bounties resulting in mostly a headache.