> This policy will probably make some downstream users nervous, but maybe it encourages them to contribute a little more.
This is an understated but brilliant framing. Oh, I know they won't contribute; users will continue to apply pressure through issue threads saying that their clueless security teams are breathing down their necks. But at least you'd hope this gives pause.
The linked issue is worth a read; it's a shame, the burden that corporate leeches like Apple and Google have placed on him. To them this project is simply free labour they have assumed they are entitled to, and by extension it is subject to their individual security theatrics.
I'd note that the only thing Apple, Google and MS are said to have done is to use the software.
The bug has no actual example of them making demands, "leeching" or acting entitled.
The security issues would be security issues just the same even if the library was only used by Linux desktops. (And if the library is unfit for use in other operating systems like the author suggests, feels like it probably is equally unfit for use in Gnome.)
CaptainFever · 2h ago
Personally, the distinction I draw isn't between corporations and cooperation as per the article ("they make money" is kind of an arbitrary difference IMO), but just that in general maintainers have no obligation to do any sort of work for free.
So like, regardless of the user of the software, one should understand that there really is no warranty, or promise of quality or support from FOSS.
If one (whether it be Debian or Apple) needs a feature, bug fix, or security fix, one can ask for it, but don't expect anything.
The best way is to do it themselves, and share their code if they wish to or are obligated to under the GPL. Or commission a programmer or the maintainer to do it. Or buy a support contract from the maintainer. Or encourage it by doing micropatronage and voting for it.
anewhnaccount2 · 1h ago
I think this is correct, and projects like DuckDB are doing a good job at supporting both halves by triaging issues also based on the identity and affiliation of the author (no anonymous issues) and converting them into supporters: https://duckdblabs.com/community_support_policy/
This passive approach of libxml2, where the software remains community only, is just fine and totally fair, but corporate users can pay up if there's a clear offering. What they actually get doesn't need to be much, but it does need to be clear. Of course this does change the project into hybrid community/corporate open source, but there can be a spectrum there where a lot of time and resources are carved out for the community approach and the corporate sponsors are given just enough to keep them happy. In a way some more corporate-focussed Linux distributions are also an example of a hybrid approach, really, given the two worlds are very much linked.
https://gitlab.gnome.org/GNOME/libxml2/-/issues/913