This, while every corporate club and your grandma used it in their million-$$ projects without anyone thinking of doing a security scan or otherwise contributing to the project with time or funds.
A lessons-learned for the corporates:
"Nurture before you milk!"
And keep on nurturing. For God's sake, can't you do anything sustainably?
> because of recursive nesting of substitutions

This vulnerability is far worse than one might be led to believe when just skimming the news. The interpolation doesn't have to be in the format string; every string interpolated is a format string.
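To make the point in the post above concrete, here is a small Python model of what "every string interpolated is a format string" means for a recursive `${...}` lookup resolver. This is an added toy example, not Log4j's code and not written by anyone in this thread; the lookup table, the `%m` pattern placeholder, the `{}` parameter placeholder and the two `render_*` functions are all constructed for illustration. It shows the innermost lookup being substituted first and the result re-scanned, so a lookup that only appears after a substitution (for example one assembled from `${lower:...}`) is still resolved, and it shows the only structural fix: treat message text and parameters as data that is never scanned.

```python
import re

# Constructed stand-in for a few lookup sources; the values are made up.
LOOKUPS = {
    "env": {"USER": "svc-app"},
    "sys": {"os.name": "Linux"},
}

# Matches the innermost ${...}: no '$', '{' or '}' inside the braces.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def lookup(expr: str) -> str:
    """Resolve one lookup expression such as 'env:USER' or 'lower:ABC'.
    Unknown or prefix-less expressions are returned unchanged."""
    kind, sep, key = expr.partition(":")
    if not sep:
        return "${" + expr + "}"
    if kind == "lower":
        return key.lower()
    if kind == "upper":
        return key.upper()
    if kind in LOOKUPS and key in LOOKUPS[kind]:
        return LOOKUPS[kind][key]
    return "${" + expr + "}"


def resolve_recursively(text: str, max_rounds: int = 10) -> str:
    """Substitute every innermost ${...} and re-scan the result, the way a
    recursive interpolator does: any ${...} that a substitution *produces*
    is resolved on the next round. Stops when a round changes nothing."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(lambda m: lookup(m.group(1)), text)
        if new == text:
            return text
        text = new
    return text


def render_vulnerable(pattern: str, message: str, *args: str) -> str:
    """Model of the pre-fix behaviour: parameters are spliced into the
    message, the message into the layout pattern, and the *whole* line,
    including the user-controlled parts, is then scanned for lookups."""
    line = pattern.replace("%m", message)
    for a in args:
        line = line.replace("{}", a, 1)
    return resolve_recursively(line)


def render_hardened(pattern: str, message: str, *args: str) -> str:
    """Only the operator-owned layout pattern may carry lookups. Message
    text and parameters are data: they are inserted after resolution and
    never re-scanned, so nothing a caller controls reaches lookup()."""
    prefix = resolve_recursively(pattern)
    body = message
    for a in args:
        body = body.replace("{}", a, 1)
    return prefix.replace("%m", body)


if __name__ == "__main__":
    pattern = "[${sys:os.name}] %m"
    # Constructed attacker-controlled value: the 'env' prefix only exists
    # after the inner ${lower:E} has been substituted.
    user_input = "${${lower:E}nv:USER}"
    print(render_vulnerable(pattern, "login from {}", user_input))
    print(render_hardened(pattern, "login from {}", user_input))
```

The vulnerable renderer turns the constructed input into `[Linux] login from svc-app`: the inner `${lower:E}` is resolved first, which manufactures `${env:USER}`, and the next round resolves that too. The hardened renderer prints the input verbatim because the message body never enters `resolve_recursively`. The real fix in Log4j removed lookup processing from message text altogether; this model only shows where that trust boundary has to sit.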
@humanetech so very much this!
We've seen this with Heartbleed before, too. Exactly the same problem.
@humanetech "For God's sake, can't you do anything sustainably?" (of corporations) has got to be the quote of the day.
It's because the vulnerability was known till 2016
@humanetech as someone who does maintain software that is widely used, it would be, for me at least, better that someone fully tested/audited it.
I can't speak for the #log4j developers, but I'm pretty sure if someone said "hey, there is this security bug" they'd fix it quickly; the trouble comes from not knowing, and from not having the time or skills to know.
Paying me might make me slightly more responsive, but I doubt it would mean some latent security bug would surface earlier.
@smallsees yes, I understand.
I think there exists a broad niche in the market for anyone working on bridging the gap between FOSS developers and their projects on the one hand, and the corporate and government world on the other.
The niche where FOSS is made sustainable and the Tragedy of the Commons is addressed. This niche must address the needs of FOSS development first and foremost and safeguard the values that drive the free software movement.