Everyone heard of log4j by now Link to heading
You might not know what the log4j vulnerability is, or what it means — but the memes are everywhere!
The log4j vulnerability has developed to nothing less than a wide scale catastrophe. it seemed that anywhere you look, new issues revolving log4j are found in anything that runs Java. And to make things worse, its as if there is no one to blame as this is open source.
The OSS model is broken Link to heading
It is true that the Open Source Software (OSS) model is broken, as Filippo Valsorda so eloquently wrote in his blog titled “PROFESSIONAL MAINTAINERS: A WAKE-UP CALL”.
This issue is deeper than developers getting recognition or payment. The problem is in the very structure of how these products work and allocate resources to resolve issues.
It is easy to think of an open source library as someone else’s problem. You don’t pay for it, and thus you don’t actually care. But as soon as there are problems, we look for someone to take the blame.
In the reddit thread above, an emotional outburst was directed at the entire situation and the developers in particular. This is not an isolated case, we saw this happen on Twitter, in WhatsApp groups and other places people vent their feelings.
Who is responsible? Link to heading
Reviewing the list of vendors and products affected by log4j is astounding. For example, in this list, maintained by CISA the list just goes on and on. A huge list of big name corporations most affected to some degree by this vulnerability, and by extension using that open source package in their product.
This library is maintained by just a few people, in their spare time, and not getting paid to do that.
The amount of capital built on top of their work and dedication is staggering. The expectation that a couple of people in their free time can dedicate the resources, QA, security audits etc. available to large corporations is just absurd. But, this is the OSS model.
What is really the issue is that people have begun bashing and blaming the maintainers for this library for the vulnerability.
From our view point at Profero this is absurd. All software products have bugs and vulnerabilities, but the amount of memes, comments and harsh language really shift the discussion from where we think it should be.
Where are the companies profiting from their work? Link to heading
Obviously a huge list of companies made use of their library to build their product and make money off of it. None of it flowed back to the project. such a huge piece of the infrastructure, and not one of these companies is stepping forward to fund, in any degree, the work that was done, or needs to be done.
How can we make the situation better? Link to heading
Although we do not use Java at all in our technical stack, we decided that the right thing to do was to pledge a donation of $5,000 to the project to make a statement.
Open Source projects need funding, and if we, a company that does not use the library at all, can donate, the large multi-national corporations can fund it a hundred times over. Even more so, considering that is one of the core capabilities of their product.
We invite every company affected (and on those lists) to do the minimal effort of donating to the success of the project, to compensate the developers and maintainers for their sleepless nights supporting their product through building open source software.