They don't host github enterprise server for you (though gitlab has something called gitlab dedicated which they host gitlab ee for you).

agreed it shouldn't be used to revoke non-malicious/your own keys

My main concern is supply chain compromise.

For the library to be secure, there needs to be funding, not by magic and expecting maintainers will do stuff on there free will.

And it leads to unmaintained libraries, since companies don't want to pay.

At some point, is open sourcing your work a liability?

The expectation of FOSS is that the users and maintainer work together to resolve bug fixes/features/security issues.

However many companies will dump these issues to the maintainer and take it for granted when they are resolved.

It's not a sustainable model, and will lead to burnout/unmaintained libraries.

If the companies don't have the engineering resources/specialization to complete bug fixes/features, they should sponsor the maintainers.

The patches need to fix a systemtic design flaw (which seems like you are trying to do).

You are eligible even if you are a contributor:

> Q: I'm a core developer working on one of the in-scope projects. Do my own patches qualify?

> A: They most certainly do.

Additionally, github has: https://resources.github.com/github-secure-open-source-fund/

Companies have changed after seeing the log4j incident and are open to funding open source security (but we still need more)

My point is if that FFmpeg, tried to raise more awareness of the issue, say talk to news outlets, they could get much more funding from MSFT.

Furthermore, big companies like Google, Microsoft care a lot about security. So they could raise money for security engineering like fixing memory corruption issues. Of course, FFmpeg could complain Google, Microsft doesn't care about all the high severity vulnerabilities in FFmpeg. That would be much more of an eye catcher.

However, the underlying infrastructure libraries, will not get any funding from this, even though they have much more users. For example, libxml2, xzutils, http parser ...

You can't build any product off of an infrastructure library, purchasing support doesn't make sense, and there are little bonus features to be made.

One way to remedy this, is to have well funded open source projects take ownership of its dependencies.

I think that this is an accurate description of working relationship. But, the fine print (MIT license) explicitly says that the companies are responsible:

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED

Currently when new vulnerabilities pop up (i.e. xz-utils compromise, log4j shell), people are quick to blame the maintainers for it. Why shouldn't companies instead be responsible for these vulnerabilities?

Currently, companies treat open source code as someone else's, so they don't bother to audit, maintain it, or fund it. Clearly, this is wrong, and reflected in the oss license, which states that code is solely consumer's responsibility.

I think the real problem is that these applications (Entra ID) are multi-tenant, rather than a dedicated single-tenant instance.

Here, we have critical identity information that is being stored and shared in the same database with other tenants (malicious attackers). This makes multi-tenancy violations common. Even if Entra ID had a robust mechanism to perform tenancy checks i.e. object belongs to some tenant, there are still vulnerabilities. For example, as you saw in the blog post, multi-tenant requests (requests that span >= 2 tenants), are fundamentally difficult to authorize. A single mistake, can lead to complete compromise.

Compare this to a single tenant app. First, the attacker would need to be authenticated as an user within your tenant. This makes pre-auth attacks more difficult.

I can share you the repository if you want to integrate it in RubySAML (or any other library). Email me [alex]@[securesaml.com] (without the [ ])

We patched the gosaml2 (and other go saml libraries), by ensuring only the authenticated bytes are processed (not the original XML document). You can see the patches here: https://github.com/russellhaering/goxmldsig/commit/e1c8a5b89... https://github.com/russellhaering/gosaml2/commit/99574489327...

> I just wrote my own for my SAML.

Curious to see your implementation for SAML and XML Signatures.

[1]: https://bsky.app/profile/filippo.abyssdomain.expert/post/3le...

The problem of trying to ensure that each parser behaves the same for all input is twofold: - JSON and XML specifications are complex, lots of quirks. So not feasible. - Does not solve the fundamental issue of the processing layer not using the same data that is verified in the verification layer.

Note: the processing layer parses the original input bytes, while the verification layer verifies a struct that is parsed using another parser.

Processed: Proc(input) Verified: VerifyingParser(input)