sigilis | 8 months ago
The library isn't a worm; it does not find its way into anything. If the bank cares about security they will write their own, use a library that has been audited for such issues, sponsor the development, or use the software provided as is.
You may rejoin with the fact that it could find its way into a project as a dependency of something else. The same arguments apply at any level.
If those systems crash because they balanced their entire business on code written by randos who contribute to an open source project then the organizations in question will have to deal with the consequences. If they want better, they can do what everyone is entitled to: they can contribute to, make, or pay for something better.
cedws | 8 months ago