8 votes

To secure the supply chain, you must properly fund it

2 comments

  1. skybrian

    This debate goes at least as far back as the first personal computer, the Altair 8800. A very young Bill Gates wrote an open letter to hobbyists complaining about widespread piracy. (PDF, Wikipedia)

    Who can afford to do professional work for nothing? What hobbyist can put in 3 man-years into programming, finding all bugs, documenting his product and distribute it for free?

    Seems familiar? Shareware authors often had similar complaints.

    Meanwhile the free software / open source movement has built huge amounts of software, often with a lot of the heavy lifting done by paid professionals, showing that it can be done, sometimes. Making services free for most people with paid accounts for some seems to have worked out, as the popularity of Github shows.

    A variety of other funding models have been tried and results are uneven. I suspect that part of the issue is that log4j might be widely used, but it's not widely liked, at least among people who care about such things? Similarly for Java itself. Programmers who care about improving logging infrastructure will probably be contributing to newer logging packages for newer languages, not fixing the old and broken stuff? (A Hacker News search shows that shared links about log4j got a lot of upvotes in the last two days and then 4-6 years back when log4j 2 was launched, with nothing between.)

    I assume log4j will get funding now, as OpenSSL did after the Heartbleed bug. The next time it happens will be in some other widely-used package that few people pay much attention to.

    I'm somewhat optimistic about efforts to improve the entire system. Some people at Google are fuzzing all the dependencies. Also, the Linux Foundation has a project called the Open Source Security Foundation whose goal is to systematically improve open source security. From their FAQ, here is one of their goals:

    The vision is an open source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months. Create a unified format and API for vulnerability reporting / coordinated disclosure and drive broad adoption.

    I don't know what specifically they've done yet, but it seems promising? Hopefully we'll see something as well-regarded as Let's Encrypt for https certificates.

    2 votes
    1. aditya
      I think I agree with all your points. And yes, very excited about OSSF efforts especially, https://github.com/ossf/wg-securing-critical-projects in particular.

      2 votes