
Log4j hole revives chatter on Big Biz funding open source


Would more money have prevented this security flaw? Would the cash be useful in other ways anyway?
Analysis The disclosure of a critical security hole in Log4j last week has renewed calls to rethink how open-source software gets developed, paid for, and maintained, not that the long-simmering issue ever really went away.

The Log4j bug, an unauthenticated remote code execution flaw (CVE-2021-44228) in Apache’s open-source Log4j Java-based logging tool, is particularly serious and far-reaching because exploitation is not difficult and the software is widely used.

Annoyance with the handful of project maintainers for failing to catch the bug prompted one of them, developer Volkan Yazici, to voice indignation about all the people bashing the maintainers for their unpaid, volunteer labor without offering any financial support or contributed code fixes.

The exploitation of open-source software by companies that use freely available code without giving back to the community has been a sore spot among open source project maintainers for years. It’s sometimes referred to as the open source sustainability problem, a characterization that downplays corporate determination to minimize costs and maximize profits. Among open-source projects that aspire to become profitable companies and to avoid having their uncompensated labor co-opted by more established rivals, the issue has been described in adversarial terms – predatory tech giants strip-mining open source – instead of ecological euphemisms that avoid assigning blame.

Weighing in on the current state of affairs, Filippo Valsorda, a Google cryptographer and security lead of the internet giant’s Go programming language, on Saturday called for open source maintainers to engage with companies using their software on a more professional level, in order to get paid and make open source more sustainable. “Maintainers need to be legible to the big company department that approves and processes those invoices,” he wrote in a personal blog post. “Think about it: no company pays their law firm on Patreon.”

Dan Lorenc, who left Google in October after almost nine years to found security startup Chainguard, said that in terms of Google’s interactions with open-source projects, the problem was distribution rather than funding. “Corporations have a budget and are willing to spend, but it takes too much time,” he said via Twitter. “Finding projects that need help and maintainers willing to help in exchange for money is hard.
