[tptacek]

I know it's hard to believe this given the circumstances --- that maintainer has a very good reason for stepping back, absolutely no shade to give there --- but GPZ is doing a service for these projects. The vulnerabilities they find are there whether or not Google or anybody else steps up on the implementation side. They are simple facts of the software, and it's difficult, expensive, and important to uncover those facts.

[mananaysiempre]

Both can be true at the same time, I think. It’s true that the vulnerabilities exist regardless of whether anyone’s reporting them, and that it’s better to know about them than not. It’s also true that almost any course of action that makes a project effectively stop existing does it a disservice, and that includes vulnerability reporting.

I’ve not really made up my mind about what happened with libxml2, to be clear. Perhaps in this world some projects really are vulnerable enough that they deserve to die. But as we see, this can entail essentially punishing people who decide to take up e.g. parsers as a hobby. And not doing that is something I feel I value higher than even security of the software ecosystem as a whole.

[some_furry]

There seems to be a missing component:

Some open source software becomes critical infrastructure for a large part of the Internet, and that comes with a lot of responsibility that the maintainer didn't necessarily want to sign up for. Especially when it's unpaid labor with the demands of a large tech company hammering down on them.

How can we better support the people that run these projects? How can we take pressure off of them if they don't want it?

There isn't a one-size-fits-all solution here, I don't think. But I'm sure some combination of fund open source development and fork load-bearing projects that do not wish to be encumbered is going to be necessary for a lot of the community.