Re: git: a18dfb61a2c9 - main - textproc/libxml2: Update to 2.14.4

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Mon, 23 Jun 2025 21:39:16 UTC
On 23.06.25 at 13:15, Charlie Li wrote:
> Torsten Zuehlsdorff wrote:
>> Indeed. He got my (conditional) approval, like you can read in the 
>> linked comments.
>>
>> Since Daniel did not push any unapproved ports, I don’t see any basis 
>> for a formal warning here.
>>
> The wholesale update in the form that was pushed and reverted by me, 
> with desktop@ hat, was never approved by desktop@, end of story. Even 
> though the update included fixes for vuxml entries, it also included 
> much more than that, which goes beyond the strict scoping of 
> ports-secteam@ and thus needs maintainer approval. What I ultimately pushed 
> would have been a bit more okay under ports-secteam@ approval under 
> certain circumstances.

So whoever claims to be wearing which hat - and, prove me wrong if you 
can - I provoke and allege neither mat@ nor vishwin@ had a proper >50% 
aye on >50% of a team (>= 3 persons) quorum that I would recognize for a 
vote of being able to speak for their respective role.


The whole libxml2 thing is a story of stalling, obstruction and of utter 
disrespect for the people who really invest a LOT of their leisure time 
to get things forward.  There also seems to be power play at work here 
if people feel the need to discuss which role has power over which other 
role.

Daniel is one of the contributors who constantly delivers high-quality 
and properly tested material, and you can routinely find in his 
contributions their limitations.  We've had that transparency also in 
this case and Torsten was convinced and approved.

I also support moving obsolete ports to a version supported upstream, 
and if that means removing some cruft and other EOL ports from the tree, 
so be it.

On the other side, Torsten already mentioned that too, that the libxml2 
update has been sitting for so long, and that the reason why it was not 
making progress is that it was being obstructed.


Now, who will tell us that these three patches on top of 2.11.X aren't 
missing five other security issues?  In code nobody looked at because 
it's EOL?  Who will warn us if there was new stuff in 2.11 when most of 
the world has moved on? Has anyone conducted an audit of what we ship 
now?  What libxml2 advances do we miss because we don't update to 2.14?


We could have had 10 days before 2025Q3 to fix fallout, now Vishwin's 
and Mathieu's erratic and unwarranted actions (revert, and an illicit 
"formal warning" that still needs to be taken back) damage the tree 
because now we have a forked libxml2 with unclear security status, we 
have hurt feelings everywhere, and that cost us more than two days already.

What's worst is we have a public case of how to best demotivate skilled 
contributors.  If we want to be people who do their contributions 
thoroughly and carefully, and not those driving power games, we need to 
act now to protect the good contributions and their contributor.

We really need to be far more careful with VALUABLE contributions and 
contributors who invest countless hours in getting many things cleaned 
up and brought forward and drive things and act helpfully.


Both vishwin@'s and mat@'s behavior is inappropriate and damaging to 
the project because I see that as demotivating high-profile contributors 
and we can't afford to lose those.


Generally speaking, we cannot fully attain perfection of the ports tree 
in the expected life span of each of us, and change means compromise, and 
if we lose 0.1% of leaf ports to a libxml2 update, that's quite an 
acceptable tradeoff.  Much unlike tying 11500 direct and indirect users 
of libxml2 to a forked obsolete version with unclear status.

My proposal is reinstating Daniel's work and getting libxml2 2.14.4 
rolling for us ASAP so we can fix remaining fallout before 2025Q3, and 
forget about forking 2.11.9.


-- 
Matthias Andree
FreeBSD ports committer