news
Security and Windows TCO
-
LWN ☛ Libxml2's "no security embargoes" policy
Libxml2, an XML parser and toolkit, is an almost perfect example of the successes and failures of the open-source movement. In the 25 years since its first release, it has been widely adopted by open-source projects, for use in commercial software, and for government use. It also illustrates that while many organizations love using open-source software, far fewer have seen value in helping to sustain it. That has led libxml2's current maintainer to reject security embargoes and sparked a discussion about maintenance terms for free and open-source projects.
[...]
In the early 2000s, Veillard seemed eager to have others adopt libxml2 outside the GNOME project. It was originally hosted on its own site rather than on GNOME infrastructure. Libxml2 is written in C, but had language bindings for C++, Java, Pascal, Perl, PHP, Python, Ruby, and more. The landing page listed a slew of standards implemented by libxml2, as well as the variety of operating systems that it supported, and boasted that it "passed all 1800+ tests from the OASIS XML Tests Suite". The "reporting bugs and getting help" page gave extensive guidance on how to report bugs, and also noted that Veillard would attend to bugs or missing features "in a timely fashion". The page, captured by the Internet Archive in 2004, makes no mention of handling security reports differently than bug reports—but those were simpler times.
One can see why organizations felt comfortable, and even encouraged, to adopt libxml2 for their software. Why reinvent the extremely complicated wheel when someone else has not only done it but also bragged about their wheel's suitability for purpose and given it a permissive license to boot?
-
Windows TCO / Windows Bot Nets
-
The Record ☛ Hacker with ‘political agenda’ stole data from Columbia, university says
The hacker told Bloomberg he obtained 460 gigabytes of data in total — after spending two months targeting and penetrating increasingly privileged layers of the university’s servers — and said he harvested information about financial aid packages, employee pay and at least 1.8 million Social Security numbers belonging to employees, applicants, students and their family members.
-
The Record ☛ Medical device company Surmodics reports cyberattack, says it’s still recovering
Surmodics is the largest U.S. provider of outsourced hydrophilic coatings used to reduce friction for objects such as intravascular medical devices. Last month its IT team discovered unauthorized access in its network and took systems offline, while using alternative methods to accept customer orders and ship products.
Law enforcement has been notified, according to a filing with the U.S. Securities and Exchange Commission (SEC).
-
Fortra LLC ☛ Swiss government warns attackers have stolen sensitive data, after ransomware attack
The Swiss government has issued a warning after a third-party service provider suffered a ransomware attack, which saw sensitive information stolen from its systems and leaked onto the dark web.
-