Submission: How Did Open Source Get Broken? (dev.to)
frank_adrian314159 writes: By now, most of the internet knows about the famous Log4Shell exploit, and if you don't, it's easy to get a sense of how disastrous it's been. To drive the point home: the US Department of Homeland Security is warning people about it.
There's been a lot of hand-wringing about how open source software, the lifeblood of many businesses today, is often totally unpaid and unthanked work, with some hot takes like 'Open source needs to grow the hell up.' and 'Open source' is broken.
What I want to touch on is something that's been bothering me for the past few days, and solidified after seeing Bloomberg's piece–the fact that the log4j developers had this massive security issue dumped in their laps, with the expectation that they were supposed to fix it. How did that happen? How did a group of smart, hard-working people get roped into a thankless, high-pressure situation with absolutely no upside for themselves? ...
It is this communal mythology I want to talk about, this great open source brainwashing that makes maintainers feel like they need to go above and beyond publishing source code under an open source license–that they need to manage and grow a community, accept contributions, fix issues, follow vulnerability disclosure best practices, and many other things. ...
In reality, what is happening is that open source maintainers are effectively unpaid outsourcing teams for giant corporations. The [engineer who reported the issue] told the log4j team: 'Please hurry up'