Log4j doesn't just blow a hole in your servers, it's reopening that can of worms: Is Big Biz exploiting open source?

https://xkcd.com/2347/

Frameworks...

There is an increasing tendency to use large and complex frameworks where only a small part is actually required.

Proper testing would then require testing the entire framework, which clearly doesn't happen.

Just cut down on all the massive bloated frameworks. At least make the default feature set as minimal as possible.

But sure, businesses don't put enough back into the open source that they rely on. This is inevitable when something is free.

But, but, but, but... Java is secure right?

Ignore all these megacorp whingers

who could fund massive teams of developers to audit and maintain every bit of open source software they use, and still profit hugely from the donation of time and effort of other people who've kindly donated useful software freely to the community. Any company using open source should see it as a massive head start in getting what they want, rather than a finished end product.

If they want quality assurance and support, then they should provide it themselves, instead of complaining that they can't make even more profit than they already do because community projects won't do what they demand.

This just sounds like wealthy people whining that the volunteer open source contributors aren't making them enough money. It's the companies that need to understand that it wasn't written for that purpose, it was to share around something they thought might be useful to others.

The solution is in their own hands

The exploitation of open-source software by companies that use freely available without giving back to the community has been a sore spot among open source project maintainers for years.

You can't give something away for free, and then complain that someone using it is "exploiting" it.

Long before "open source" became the trendy term for it, lots of developers made their software "freely distributable". Those who didn't want big corporations freeloading just added conditions to their licence to say that the software was only free for non-commercial use. Commercial users were either barred, or free to negotiate a paid licence agreement. What prevents current FOSS authors doing the same? The software author owns the copyright, which means they have the freedom to decide how it will be distributed.

Part of the problem is that many authors release their code in a genuine attempt to help other enthusiasts, and love the warm glow they get when seeing their weekend hack picked up and widely used/praised. It's only later,when they realise that someone else is making far more money out of it than they do, that they start to regret their initial well-meaning generosity.

JNDI concerns

the Log4j vulnerability underscores the problem of catering to big business because the bug arose from a feature maintained to appease companies concerned about backward compatibility LDAP/JNDI URLs.

So why was it enabled BY DEFAULT then? Let those one or two big businesses who need it enable it and keep everyone else running as expected!

"Corporations have a budget and are willing to spend, but it takes too much time,...Finding projects that need help and maintainers willing to help in exchange for money is hard."

No harder than finding the projects they want to use. Check which projects you use. Find the maintainers from GitHub or wherever the project lives. Offer them money.

I give to projects that I depend on

Not a lot(I am an individual), but I figure that several £20 by many will add up.

I encourage my customers to also give £20 to what they depend on - but I doubt that many do, in spite of spending a lot on the proprietary software that they use. They cannot see that giving little amounts will long term help what is vital to them - just expect others to pay. It is like climate change where everyone seems to expect everyone else to act to prevent a cataclysmic future.

I also release some of what I do as open source.

Licences

I've written lots of odd bits of code in my time; those which I've felt might be useful to others I've shared on github or other places. It's usually on a BSD licence, because it's simple, and these releases are more of a fire-and-forget thing. I have no expectation of making money off them.

The one big project I've been working on has, so far, not seen a public release. I'm in two minds about this, though. It's been a lot of work, but as a commercial venture I've probably got less potential customers than I have fingers on one hand.

Serves me right for mostly concentrating on stuff to support really obscure (these days) retro-tech I suppose! But it's fun, and makes me feel good, knowing I'm helping in some small way with preservation of our digital heritage.

(compared to if anybody needs some freelance BOS\COBOL support, I'd be happy to revisit my old day-job to help, but I'll need some pennies throwing my way to get the same level of enthusiasm!)

what's hard

"Finding projects that need help and maintainers willing to help in exchange for money is hard."

No.

OpenBSD, OpenSSH, OpenBGPD, LibreSSL...

Python

There are other organizations that distribute funding and equipment for open-source software.

Maybe Tech companies undertake to donate 1% of revenue a year to OS ?

Better than most of the virtue signalling they do.

> Is Big Biz exploiting open source

Can we stop this mindset? No one is being exploited. Every is a volunteer, and the licence they choose explicitly allows this. It is for this. Open source is not exploitable - the software is provided without warranty.

The issue doesn't re-open a can of worms; articles such as this do. Until we get past this silliness, we aren't going to improve anything. And if we stick with this silliness, we might drastically reduce the relevance of open source software worldwide.

Expensive software is rarely better though

Your main assumption, that big corps use 'free' software because it's free and good enough even when it breaks, ignores another equally important aspect. Paid-for software, often very expensive paid-for software doesn't do a great job of preemptively finding problems and correcting is, let's say, uneven. Moreover when you stumble into a major problem with their software, good luck getting it fixed unless you're a huge company or a nation-state.

resistance to paying for software

"Yet the notion that companies will ante up if just asked nicely using corporate vernacular, rather than gig economy tooling, doesn't sit well with everyone."

I've seen projects of mine save companies hundreds of millions of dollars whilst costing me thousands - and whist the companies in questions were happy to crow about the savings, a suggestion that they fund the project before it went under was usually met with an assertion that they couldn't afford to do that.

Until about 30 minutes after projects get permanently switched off - by which point it's just too late

For me the most shocking thing is the amount of vendors saying "we are okay as we ship a version that was before the problem was introduced". IE version 1.x.

Yes, but that version went EoL in 2015 and has a number of CVE listed against it which are unpatched so you are not in a safe place are you?

I am looking at Microsoft, ships this in the the Extensions folder for SQL 2019 and Visual studio 2017 and maybe others, SAP, IBM and numerous other other companies that really should know better.

If you are going to ship other companies products/plugins and other buggy crap you really need to make sure it is kept on a supported version and you bundle it up in to your own regular support releases, which is certainly not the case with Log4J and I suspect some of the other flavours of Log4 such .NET and PHP.

Misquotation

Gonzalez argues that Log4j is a symptom of a larger problem: that public companies are exploitative and abusive toward open-source projects.

She didn't. She actually wrote (in th eblog post to which you link) "The log4j incident is a symptom of a larger problem: many large and publicly-traded companies are exploitative and abusive and open source projects that simp for these large companies aren’t doing themselves any favors.". The closest she gets to your claim is a bit later: I’m not an expert on fixing this problem, but I also don’t believe that open source developers need to accept exploitative working conditions.

Deserves a bit of editing, I think.

Could it also be

similar to what Cliff Harris of Positech Games mentioned in his blog recently. That too many job applications require the applicant to be familiar with 10 different languages. He said this then you get someone who is mediocre in lots of different ways. Instead of asking people to speciallise and just be really good with one language.

A Feature of the System

I personally believe that the primary reason open source exists is to be exploited by big business. Big businesses fund open source because it would cost them a lot more to do all the development in house. Sure, there are some awesome developers who just post code because they can, but a lot of it is funded by big business, for big business and the rest of us just latch onto it like lampreys.

Java is so 1990's

You should have stopped using java decades ago, so.....

"At the end of the day, companies are responsible for ensuring the code they ship to production is safe, secure, and reliable,"

Open source maintainers dont ship to production. They ship to repository. The users of those repositories ship to production and are therefore responsible to ensure the code is safe and secure. Since open source has many advantages over closed source make this a value judgement. Is the poor chain of responsibility in open source worth it or not? There is no way to force the big open source users to connect with the open source producers but finding new ways to fund open source like patreon etc. could improve the situation.

Open Source created a culture of importing tons of third-party libraries. If they cost money, we would not do that - if a developer has to go to the management they would not do it for something that they can develop themselves.

Open Source also created a situation when nobody can make a living from developing tooling for others, as you can’t compete with free.

If you are a programmer, Open Source is not beneficial for you.

I don't think it is unreasonable to expect to get some support for a project and its team from the corporations that use the source in whatever form. In an honest world, the likes of Amazon would feel obligated to pay some meagre millions to each of the projects they've built their business on every year, the same way they make money off the sweat of those projects year after year.

But if anyone ever thought "industry" had "integrity", well, the truth is out there in the form of many tens of thousands of unsupported open source developers, if not millions.

It would almost have been worthwile to leverage something like the Log4J bug when it was discovered to enact some penalties on the industry. Unfortunately, the people who work on open source projects have too much pride in their work to actually do something like that, no matter how justified I think it might be... :)

Was CloudFlare open source?

I had a developer on my project that had a tendency to run into an issue and find a library to incorporate to solve it, rather than re-purposing an existing solution in a library we already had. Combine that with dependencies having their own dependencies, when it comes to a version bump it can quickly become unmanageable figuring out they all interact and what is even safe to bump. Consequently I've always thought the fewer externals the better, and if you do bring one in make good use of it.

One of the dependencies (indirectly) brought in was SLF4J which has proved to be a god-send and dodged a bullet for me with regards to this Log4J issue (hey, a stopped clock is right twice a day, right?). The gist of library being that it's an API abstraction of a logging library, the implementation of which can be wired up to a JUL (or Log4j, or even nothing) at deployment. The developer in question had somehow completely wired it up backward by using the slf4j-log4j compatibility layer instead (intended for codebases that have already used Log4J to move away without actually having to change code) but somehow brought IN log4j-core and a whole heap of errors on the console. After he left and I was cleaning up the mess of dependencies I actually read library's documentation(!), kept the abstraction and re-pointed the implementation to use the library the EE application server already had (payara itself uses JUL so I could piggy back off that), now happy that logging actually worked and (perversely) there were less errors in the console.

Long story short, thanks to that developer who horded libraries I discovered http://www.slf4j.org/index.html which ended up reducing the dependency footprint by allowing re-use of something already available. Can't help but think that other people may now find the compatibility layer quite useful. The theory goes that you can just replace the .jar with news ones at runtime - no compilation required http://www.slf4j.org/legacy.html#log4j-over-slf4j .

Funding FUDGE fogs up log jam FIGHT

Interesting?

Unless me and my ctrl+F are much mistaken, all mention of "funding" or even 'fund' seems to have disappeared from the blog post linked for #tailscale.

Given that tailscale has been mentioned elsewhere in a similar manner to systemd - too much of a good thing in one place - removal of references to funding for open source software a la logj (if that is indeed what happened) seems to sugest this is something of a sensitive subject?

If this was the old register, a headline might have been:

Funding FUDGE fogs up log jam FIGHT

Speaking of which, admins, what did happen to the SHOUTY headlines?

Really miss the irreverence. No more biting hands that feed?