On Thu, Jun 19, 2025 at 09:24:32PM +0200, Jim Jones wrote:
> On 19.06.25 03:41, Bruce Momjian wrote:
> > This blog post explains the serious problems the single libxml2 author
> > is having in maintaining the library:
> >
> > https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports
> >
> > There are a few learnings from this:
> >
> > * libxml2 is even less production-ready than we thought
> > * many projects don't have the resources we do
>
> That's even worse than I thought. Especially this disclaimer consideration:
>
> “This is open-source software written by hobbyists, maintained by a
> single volunteer, badly tested, written in a memory-unsafe language and
> full of security bugs. It is foolish to use this software to process
> untrusted data.”
>
> No wonder other major databases opt for writing their own XML processing
> engines. Sadly, despite these issues, there doesn't seem to be a decent
> alternative to libxml2 :(
I think our solution to making Postgres more secure would be to just
remove XML support --- we already have the inclusion of libxml options at
configure time.

I don't think there is community support to be developing an XML library
--- some Postgres companies might feel differently, but that is not the
community's concern.

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Do not let urgent matters crowd out time for investment in the future.