Re: libxml2 author overwhelmed with security requests

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Jim Jones <jim(dot)jones(at)uni-muenster(dot)de>
Cc: PostgreSQL-development <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: libxml2 author overwhelmed with security requests
Date: 2025-06-19 20:09:04
Message-ID: aFRuYBmPyLTH32kc@momjian.us
Lists: pgsql-hackers

On Thu, Jun 19, 2025 at 09:24:32PM +0200, Jim Jones wrote:
> On 19.06.25 03:41, Bruce Momjian wrote:
> > This blog post explains the serious problems the single libxml2 author
> > is having in maintaining the library:
> >
> > https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports
> >
> > There are few learnings from this:
> >
> > * libxml2 is even less production-ready than we thought
> > * many projects don't have the resources we do
> >
>
> That's even worse than I thought. Especially this disclaimer consideration:
>
> “This is open-source software written by hobbyists, maintained by a
> single volunteer, badly tested, written in a memory-unsafe language and
> full of security bugs. It is foolish to use this software to process
> untrusted data.”
>
> No wonder other major databases opt for writing their own XML processing
> engines. Sadly, despite these issues, there doesn't seem to be a decent
> alternative to libxml2 :(

I think our solution to making Postgres more secure would be to just
remove XML support --- we already have the inclusion of libxml options at
configure time. I don't think there is community support to be
developing an XML library --- some Postgres companies might feel
differently, but that is not the community's concern.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Do not let urgent matters crowd out time for investment in the future.
