Comment by rectang
2 months ago
I think Wellnhofer is accurate in his assessment of the current state of the library and its support infrastructure institutions. Software without adequate ongoing maintenance should not be used in production.
(Disclosure: I'm a past collaborator with Nick on other projects. He's a fantastic engineer and a responsible and kind person.)
The crux is these seemingly bogus security “bugs”. If there were quality issues, the amount of software and people using libxml by virtue of testing in production/wild would have found most issues by now.
There is plenty of software today that is tested within cost and schedule that’s closed source and it’s running in production. I get the point but libxml is not one of those cases