Funding is only one piece of the puzzle Log4j – The New Stack
Last week, we looked at a number of Log4j vulnerability responses, all of which seemed to lead to one conclusion: a big “I told you so” regarding the effects of lack of funding in open source software.
One author called the whole situation “the perfect microcosm of all the major ecosystem problems with ‘open source’ software,” while another said the situation was a clear example that it was. time to “professionalize” the role of open source maintainer. PuTTY chief Andrew Ducker simply said that the Internet (and big business) relying on software run by people in their spare time, for free, “may not be sustainable.”
While the lack of open source funding is certainly an issue, could the funding have prevented the vulnerabilities in Log4j? Would the funding actually prevent similar vulnerabilities in the future?
I avoided a hot shot on the log4j situation because frankly I’m tired of technical shots. However, what I don’t understand is that bugs do occur, some of them are very serious, and they arise for a complex set of reasons.
– Matt Klein (@ mattklein123) December 14, 2021
The Open Source Security Foundation (OpenSSF), among many others, has challenged this simplistic way of approaching a much more complex problem. If open source maintainers say “I told you so,” it really is more than just open source funding.
In a blog post for OpenSSF, Brian Behlendorf argued that open source foundations must work together to prevent the upcoming Log4Shell jamming, highlighting seven points OSS foundations could do to mitigate security risks. Among those seven points – which include security analysis, external audits, dependency tracking, test frameworks, organization-wide security teams, and the requirement for projects to remove the old vulnerable code – funding was never mentioned once. Instead, Behlendorf precedes these points by saying, “Too many organizations have failed to apply the funds raised or set process standards to improve their security practices, and have recklessly leaned in favor of quantity rather than the quality of the code ”.
Behlendorf continues after his list of seven suggested acts with a section that sums it all up perfectly:
“None of the above practices are to pay developers more or funnel funds directly from software users to developers. Make no mistake, open source developers and the people who support them should be paid more and more generally appreciated. However, it would be an insult to most maintainers to suggest that if you had simply put more money in their pockets, they would have written more secure code. At the same time, it’s fair to say that a commons tragedy strikes when every downstream user assumes these practices are in place, performed, and paid for by someone else. “
Behlendorf goes on to make a few remarks about funds and fundraising, but his point is less about the lack of funding and more about the allocation of those funds and how they should focus on things like paid audits and “providing resources to move critical projects or code segments to memory-safe languages, or fund bounties for more testing.
Behlendorf says that in the new year, OpenSSF will strive to “raise the bar” for open source security.
“The only way to do this effectively is to develop tools, guidance, and standards that make adoption by the open source community encouraged and practical rather than cumbersome or bureaucratic,” he wrote. “We will work with other open source projects and foundations and provide grants to other projects and foundations to help them improve their security game. “
Throwing in more money wouldn’t miraculously kill the bugs. Funding for OSS _is_ a problem, but it is orthogonal to VECs and how to avoid them. It’s good to fund OSS to thank backers and possibly fund larger developments, but I’m annoyed by the idea that money is the solution.
– Cédric Champeau (@CedricChampeau) 12 December 2021
So, in the end, it may not be a question of money … but also a question of money. Money won’t magically solve open source security problems, but put in the right directions it looks like it could definitely help.
This week in programming
- Vote on a Visual Studio dashboard: For all Visual Studio users, here is your chance to have your voice heard for a potential new feature. Senior Program Manager for Visual Studio Misty Hays writes in a blog post that for three months she read four years of user reviews about setting up and installing Visual Studio. The comments, she said, were “brutally honest” and “unbelievable.” In her efforts to design your Visual Studio dashboard, which will be “an experience that helps you stay on top of what’s important to your code by aggregating personalized content from all your tools and resources,” she would like to call again your thoughts, so go for it and make your voice heard!
- GitHub simplifies the handling of actions: GitHub has released a new “new workflow” experience for GitHub Actions that it says will make it easier to get started with GitHub Actions. The new feature examines your repository, examines things like the programming language, creates tools, frameworks, and package managers, and then makes recommendations based on what it finds. “For example, if a repository contains a Node.js application that has been containerized, scanning the repository will show you container and node related workflows as a priority,” they explain. The new feature also offers the ability to search and filter recommendations, which they say should “help you find the right workflow that matches your needs faster.”
Which one is it ?? #TeamReGex Where #TeamReJex?! Don’t hit me with that gegggeggeh pic.twitter.com/L1hQfLRe8r
– Nimay Ndolo (@nimayndolo) December 17, 2021
- The best time: An article peaked in Hacker News this week that really echoed a sentiment that resonated in my brain recently – there has never been a better time to build websites, he claims, and I don’t. could not agree more. If you remember the old days when you had to run your own server, re-upload everything via FTP every time you made a change, build pretty much everything by hand, let’s just say things have changed. “While there is absolutely a learning curve to begin with, once you gain momentum, modern web development feels like rocket boosters. The distance between idea and execution is as short as it has ever been, ”they write. And if that learning curve is intimidating, which it usually is, I would suggest this article as a place to start, as it introduces a number of tools that will get you up and running in no time. As he said: rocket boosters.
Some claim #Open source does not work and calls # log4j prove it. But it works great: great fixes in no time. Tons of free support. Lots of code reviews are underway right now. A lot of people are looking. To me, @ ASF just works very, very well.
– Christian Grobmeier (@grobmeier) December 21, 2021
Comments are closed.