The "severe security issue" in libxml2 they mention is actually a non-issue and the code in question isn't even used by Chrome. I'm all for switching to memory-safe languages but badmouthing OSS projects is poor style.
It is also kinda a self-burn. Chromium is an aging code base [1]. It is written in a memory-unsafe language (C++), calls hundreds of outdated & vulnerable libraries [2] and has hundreds of high severity vulnerabilities [3].
Given Google's resources, I'm a little surprised they haven't created an LLM that would rewrite Chromium into Go/Rust and replace all the stale libraries.
Google is too cheap to fund or maintain the library they've built their browser with, after its hobbyist maintainers got burnt out, for more than a decade, so they're ripping out the feature.
Their whole browser is made up of unsafe languages and their attempt to sort of make C++ safer has yet to produce a usable proof of concept compiler. This is a fat middle finger in the face of all the people's free work they grabbed to collect billions for their investors.
Nobody is badmouthing open source. It's the core truth, open source libraries can become unmaintained for a variety of reasons, including the code base becoming a burden to maintain by anyone new.
And you know what? That's completely fine. Open source doesn't mean something lives forever.
The issue in question is just one of the several long-unfixed vulnerabilities we know about, from a library that doesn't have that many hands or eyes on it to begin with.
Maintaining web standards without breaking backwards compatibility is literally what they signed up for when they decided to make a browser. If they didn't want to do that job, they shouldn't have made one.
Chromium is open source and free (both as in beer and speech). The license says they've made no future commitments and made no warrants.
Google signed up to give something away for free to people who want to use it. From the very first version, it wasn't perfectly compatible with other web browsers (which mostly did IE quirks things). If you don't want to use it, because it doesn't maintain enough backwards compatibility... Then don't.
The license would be relevant if I'd claimed that removing XSLT was illegal or opened them up to lawsuits, but I didn't. The obligation they took on is social/ethical, not legal. By your logic, Chrome could choose to stop supporting literally anything (including HTML) in their "browser" and not have done anything that we can object to.
IIRC, lack of IE compatibility is fundamentally different, because the IE-specific stuff they didn't implement was never part of the open web standards, but rather stuff Microsoft unilaterally chose to add.
> By your logic, chrome could choose to stop supporting literally anything (including HTML) in their "browser" and not have done anything that we can object to.
Literally this. Microsoft used to ship a free web browser. Then they stopped. That's not something anybody can object to.
> because the IE specific stuff they didn't implement was never part of the open web standards, but rather stuff Microsoft unilaterally chose to add.
Standards aren't holy books. It's actually more important to support real customer use cases than to follow standards.
But you know this. If standards are more important than real use cases, then the fact that XSLT has been removed from the HTML5 standard is enough justification to remove it from Chrome.
> Literally this. Microsoft used to ship a free web browser. Then they stopped. That's not something anybody can object to.
There is a fundamental difference between ceasing to make a browser and continuing to make a browser, while not meeting your expectations as a browser maker.
> If standards are more important than real use cases, then the fact that XSLT has been removed from the HTML5 standard is enough justification to remove it from Chrome.
Browsers very much have not deprecated support for non-HTML5 markup (e.g. the HTML4-era <center> tag still works). This is because upholding devs' and users' expectation that standards-compliant websites that once worked will continue to work is important.
The license is the way it is not by choice. We should be clear about that and acknowledge KHTML, and both Safari and Chromium origins. Some parts remain LGPL to this day.
Sounded like the maintainers of libxml2 have stepped back, so there needs to be a supported replacement, because it is widely used. (Or if you are worried about the reputation of "OSS", you can volunteer!)
Where's the best collection or entry point to what you've written about Chrome's use of Gnome's XML libraries, the maintenance burden, and the dearth of offers by browser makers to foot the bill?
It will all make sense once you realize who works at the UN, basically nepo babies of all colors and variety, including second cousins of Saudi royalty etc.
One of my family members was a research director at the UN and came from a middle class American family. It has its problems (he certainly has his share of complaints) but the idea that they are all nepo babies is incorrect and they do have serious researchers. Also, are we sure that the $10.5 trillion is a UN generated number? Other people in the comments seem to think it was made up by some other organization.
A relative of mine worked for the UN and interfaced with the UN after they left for a non-profit. Anyone that knows anything about them and also just simply observing what and how they are doing things should have no doubt that it is filled with people that got there by using their connections. And you absolutely constantly run into people that have no business being there other than through nepotism. Btw. I am sure that US staff is less likely to be a total nepo baby, but because the UN "has" to hire from all over the world, most roles are not filled like that.
It might be including the cost of the entire cybersecurity business sector? Salaries of security engineers, security vendors, etc. Not just fallout from hacks.
At least it seems that they won't assign CVE IDs and credit researchers without compensating them at all (which is what happened when I reported CVE-2024-27811, for example):
> We want those researchers to have an encouraging experience — so in addition to CVE assignment and researcher credit as before, we will now also reward such reports with a $1,000 award.
Making this feature opt-out is a clear violation of the GDPR. Linkedin claims they have a "legitimate interest" in collecting this data for AI training without consent, but this argument is laughable.
Even as written in the regs "legitimate interest" shouts "we are your preference not to be stalked by advertisers or provide us with free training material, but fuck you and your silly little preferences we want to anyway so here have another hoop to jump through", and it is stretched even further from there.
There are degrees of unhappiness. There's no reason to assume a binary of loving everything about work or hating it so much that they'd be happier without it.
To be clear, this isn't intended as a criticism of your choices to step down from maintaining various projects; my point is that these choices are quite personal, and it's not always going to be obvious how to balance the tradeoffs. It's entirely possible that they are burnt out to the point that they might be happier in the long run if they did step down now, but it's also possible that they might be even more unhappy giving up something that they care a lot about and are willing to tolerate the less fun parts. I suspect you could provide a lot of valuable insight on these sorts of decisions given your experience, but even from having to make similar decisions for things with a tiny fraction of the exposure of the projects you've maintained, it's clear to me that there would need to be quite a lot more nuance in analyzing a situation like this, especially from the outside.
I think he's just pointing out current problems, as he's done many times. He likes to give talks and publicity to his project, as its maintainer, and that includes this sort of "what's going on with the project" talks.
I don't think he's unhappy. Frankly I think he's doing the right thing, and I say that as the founder of a project where I didn't do that sort of thing, but now realize I should have. This is what gets you contributors/donations/publicity.
The 11% number for Germany (and probably the whole table) is completely wrong. I guess it only shows federal taxes which are about 40% of all taxes including state and municipal taxes. So total taxes are roughly 24% of German GDP.
Ah, I did wonder how state-level taxes were being accounted for; seems like the answer is they aren't. I guess I could have looked that up before posting. The values here[0] are markedly different. It shows Germany at 45%, France at 51.53%, US at 29.21% and Denmark at 50%. So I was way off the mark there, although I did think something seemed very off with those numbers. France is the 10th highest in the world, with many of the countries above it being tiny island countries or countries with vast oil reserves relative to their size like Norway and Kuwait. With this being the case, it does seem hard to imagine that more taxes will fix everything.
I see no benefit in ginning up tensions for myself, but I accept that there are power centers that do benefit from it. In a very practical sense, having a slightly less bad situation is better than a bad one.
I could offer a real life anecdote, but I am not certain where you are going with this conversation.
Trump is "making deals" by making the other option worse. But the problem is, if you take the current best option, that may not be the deal for long. He may do it again... and again...
"I am altering the deal. Pray that I do not alter it further."
When dealing with someone like this, don't play the game the first time.
I don't disagree. It is a reasonable and forward-looking consideration. That said, it may be a little late to do that. Not to mention, for all the talk about how Americans are unable to handle hardship, higher prices and whatnot.. I am reasonably certain that this extends to most of the '1st world'.