PSA: Libxslt is unmaintained and has 5 unpatched security bugs

https://vuxml.freebsd.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html

#HackerNews #Libxslt #Unmaintained #Security #Bugs #PSA #Vulnerability #Alert

Is that project open-source / free-software?

In practical effect, the answer to this question is not solely dependent on the project's license. It also depends on the project owner or leadership structure.

With community-based projects, this usually doesn't change the answer. But when you have a project with an open-source license which is controlled by a company, you need to ask an additional question:

If the community developers have a change that the project's users want, but which the company that owns the project feels are against its interests, does the change make it into the project or not? [1]

If the answer to this is "Yes, the change goes in, and the company deals with it", then the project is open-source.

If the answer is "No, the company won't include the contribution if it feels it threatens the company's interests", then the project is not open-source, regardless of what the license says. With an appropriate license, you could fork it, and turn it into a community-run project, and *that* would be open source, but the Google/Red Hat/IBM/Oracle/what-have-you original project is not.

Yes, inspired to post by #Google's tantrum about removing #XSLT from #Chrome because the #libxslt maintainer publicly called them out on their #BS.

[1] "If the company has a change the users don't want, does it go in?" too; just two ways of looking at it.

#OpenSource #FreeSoftware #community #project #company #control #BigTech #users #developers #contributors #maintainer