I feel bad for the libxml2 maintainer. The project was originally intended for parsing GNOME configuration files, but then a bunch of corporations started using it to parse untrusted data with much higher stakes. I hope that both the decision not to prioritize security issues and the new notice in the README saying it's foolish to use the project to parse untrusted data will encourage corporate users to either switch to a different project or do more to improve its security than dumping security reports onto an unpaid maintainer.

I will say that all of the comments saying that open source licenses should change to formally prohibit this behavior are a bit naive. Ever since the Open Source Initiative was founded in the late 90s, its express purpose has been to boost the adoption of free (now "open source") software by pitching it to corporations as a way to cut costs. This means that they'll never approve a license that requires certain users to contribute to the project, monetarily or otherwise. Of course anyone's allowed to license their project any way they see fit, but they'll have to call it something other than open source and accept the limited distribution and userbase they'll see as a result.


wavemode
> Of course anyone's allowed to license their project any way they see fit, but they'll have to call it something other than open source and accept the limited distribution and userbase they'll see as a result.

This doesn't require abandoning open source. The GPL and AGPL serve precisely the purpose of preventing open-source software from being exploited for closed-source purposes.

Obviously hindsight is 20/20, so this doesn't help maintainers who have already chosen a permissive license and don't want to rugpull their users. But to say solving this problem requires adopting a non-open-source license is not correct.

Another option is dual-licensing - GPL/AGPL for all, or a permissive license that can be purchased for a fee.

ndiddy OP
I was specifically talking about the people saying that the corporate users should be required by the license to provide compensation or assistance to the project. You're right that licensing as GPLv3 or AGPL generally limits corporate use of open source, and that selling license exemptions is a good way to let everybody win (although it means you'll have to either not accept contributions or make all your contributors sign a CLA).