
I feel bad for maintainers of now that their hard volunteer work is widely ridiculed for serious flaws that were found.

This, while every corporate club and your grandma used it in their million-dollar projects without anyone thinking of doing a security scan or otherwise contributing to the project with time or funds.

A lesson learned for the corporates:

"Nurture before you milk!"

And keep on nurturing. For God's sake, can't you do anything sustainably?

ariadne.space/2021/12/11/to-se

@humanetech Side note. Thanks to this:

> because of recursive nesting of substitutions

This vulnerability is far worse than one might be led to believe when just skimming the news. The interpolation doesn't have to be in the format string; every string interpolated is a format string.

@humanetech so very much this!

We've seen this with Heartbleed before, too. Exactly the same problem.

@humanetech "For God's sake, can't you do anything sustainably?" (of corporations) has got to be the quote of the day.

@humanetech The reason why the #log4j developers are ridiculed is not because they have a remote code execution capability in a logging library, although they probably should be.

It's because the vulnerability has been known since 2016

blackhat.com/docs/us-16/materi

@humanetech As someone who maintains widely used software, it would be, for me at least, better if someone fully tested/audited it.

I can't speak for the #log4j developers, but I'm pretty sure that if someone said "hey, there is this security bug" they'd fix it quickly; the trouble comes from not knowing, and from not having the time or skills to know.

Paying me might make me slightly more responsive, but I doubt it would mean some latent security bug would surface earlier.

@smallsees yes, I understand.

I think there is a broad niche in the market for anyone working on bridging the gap between FOSS developers and their projects on the one hand, and the corporate and government world on the other.

The niche where FOSS is made sustainable and the Tragedy of the Commons is addressed. This niche must address the needs of FOSS development first and foremost and safeguard the values that drive the free software movement.

@humanetech They should learn from the torrent community: don't forget to seed!

Mastodon

The original server operated by the Mastodon gGmbH non-profit