libxslt project maintainer steps down, citing the amount of time it takes to triage embargoed security issues.

“I’ve been doing this long enough to know that most of the secrecy around security issues is just theater. All the ‘best practices’ like OpenSSF Scorecards are just an attempt by big tech companies to guilt trip OSS maintainers and make them work for free.”

https://gitlab.gnome.org/GNOME/libxml2/-/issues/913

Triaging security issues reported by third parties (#913) · Issues · GNOME / libxml2 · GitLab

I have to spend several hours each week dealing with security issues reported by third parties. Most of these issues aren't critical but it's still a lot of...

@ramsey I read it as stepping down from libxml and applying the new policy to libxml2, but I may be mistaken.
@janl They say this at the bottom: “I just stepped down as libxslt maintainer and it's unlikely that this project will ever be maintained again. It's even more unlikely with Google Project Zero, the best white-hat security researchers money can buy, breathing down the necks of volunteers.”
@ramsey I read that, but the project it is posted on is libxml2, so not entirely sure.
@janl Yeah. It’s not very clear.
@ramsey it’s an important development either way. Too bad it took burning out yet another human.
@janl I think the point about OpenSSF is very important. I’ve received a bunch of emails from them over the years regarding my projects and making sure I was in compliance with their standards. They make it sound like they’re helping you, when they’re really getting you to do free labor and making you feel bad if you don’t participate.

@ramsey @janl As a business owner who has obtained SOC 2 reports, it makes my life a lot easier when my suppliers have a SOC 2 report to show me. I expect to pay for that privilege. My very small company is on the Github "ENTERPRISE" plan for that reason alone.

So like I have higher requirements, but there's money attached to my higher requirements.

"Hey a lot of companies use the software you built. Could you bring yourself up to this standard and maintain it for a year for $xxx?"

@preinheimer @janl Are you suggesting companies pay for open source software?! 🙃

@ramsey @preinheimer @janl I think it's more that companies should pay for customization and support of open source software. If the software as-is doesn't meet one's business needs, one should be willing to pay for the changes needed and for the support of those changes.

An analogous situation would be if ongoing support and maintenance of software is something one needs for business purposes, it's simply logical that one should be willing to pay to support that.

Maybe that's what you meant, but I think there's a real difference between "paying for open source software" and paying for the business requirements that go beyond simply being a passive consumer of something that is made freely available. As soon as one starts making demands of the developers/maintainers, one should feel obligated to contribute in some way.

@ramsey Dear free software developers/maintainers: when Google asks for an embargo, you send an invoice.