Everyone is shitting bricks about the log4j vulnerability but no one seems to be shitting bricks about the corporate game of chicken in taking critical dependencies on OSS libraries without actually paying for the cost of their maintenance. You can't pray away the black swan
We definitely should throw out the system, but even capitalist economies could treat open source infrastructure like they do roads and bridges and neglect it... er, I mean, invest at least a modicum of continued funding in it.
The Core Infrastructure Initiative dramatically scaled back as soon as the initial funding dried up ~3 years in. Just about enough time to forget about the importance of maintenance...
There is a newer project that is not quite up and running yet... that might be able to do some of what CII was intended for:
@ehashman same arguments go into fighting critical infrastructures like bike and bus lanes, or elevators to the metro – in real life
who uses those things anyway?
probably just poor people.
yeah, okay, but these poor people are trying to get to your work, to your shop
it's so bizarre.
@ehashman the UK government famously scrapped our pandemic preparedness team as an "efficiency saving" literally 6 months before covid hit
an ounce of prevention is worth a pound of cure, whatever those units mean. but nobody takes responsibility under capitalism
@ehashman I don't disagree, but I actually learned this lesson from an ex-Soviet who worked on the databases used by communists to try to optimize the economy. He was a really good database professor.
He said they often failed because they didn't account for risk and so didn't bake in any slack. It was seen as wasteful to overproduce.
Capitalistic frames do put their own special twist to this kind of screwup tho.
@ehashman that's what companies usually have risk management for. You cannot prevent all disasters, and there is nothing obvious that money could have done to prevent this one.
Log4j is used almost everywhere. So a "predisclosure" to (all) vendors using it would almost be like publishing it in the first place.
From my experience, this whole thing wasn't handled super badly; lots of processes just worked.
@ehashman just adding to the fear: "we learn about a vuln like that every seven years", who knows how many of those state actors have in their toolbox because of issues like this
@ehashman I must be in a weird bubble because I've observed primarily people pointing out the fundamental unsustainability of the situation and not much else. part of that might be because we lucked out by just happening to standardize on slf4j at work I guess?
@ehashman every time something like this happens I start wondering how long it's going to be until the Clojure community gets bitten again by the catastrophically awful default binding of *read-eval* and Rich's refusal to fix it.
and then I realize it's probably already been exploited plenty of times; it just never makes the headlines when it does.
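The `*read-eval*` default mentioned above, shown concretely. This is an added example, not code from the thread or from Clojure itself: `untrusted-input` is a constructed string standing in for text received from a client, and the function names are ours. With the default binding, `clojure.core/read-string` evaluates a `#=(...)` form while reading it; binding `*read-eval*` to `false`, or using the EDN reader (which has no `#=` at all), makes the same input a parse error instead.

```clojure
;; Added example (not from the thread): what the default *read-eval* binding
;; permits, and two ways to parse untrusted text without evaluating it.
(require '[clojure.edn :as edn])

;; Constructed sample input standing in for data received from a client.
;; The #= reader macro asks the reader to evaluate the form that follows.
(def untrusted-input "#=(+ 1 2)")

;; Default: *read-eval* is true, so clojure.core/read-string evaluates the
;; form during reading. Any var or class reachable from the reader can be
;; invoked this way; (+ 1 2) is used here only to show that evaluation happens.
(defn parse-unsafe [s]
  (read-string s))
;; => 3

;; Hardened form 1: bind *read-eval* to false around the read.
;; The reader now refuses #= with "EvalReader not allowed when *read-eval* is false."
(defn parse-with-read-eval-off [s]
  (binding [*read-eval* false]
    (read-string s)))

;; Hardened form 2 (preferred for data): clojure.edn/read-string reads EDN,
;; which defines no #= dispatch, so the input is rejected as malformed.
(defn parse-edn [s]
  (edn/read-string s))

(defn demo []
  (println "read-string with default *read-eval*:" (parse-unsafe untrusted-input))
  (doseq [[label f] [["read-string with *read-eval* false" parse-with-read-eval-off]
                     ["clojure.edn/read-string" parse-edn]]]
    (try
      (println label "->" (f untrusted-input))
      (catch Exception e
        (println label "-> rejected:" (.getMessage e))))))

(demo)
```

The binding in `parse-with-read-eval-off` only covers reads inside that dynamic scope; a `read-string` call elsewhere in the process still sees the default. To change the default for a whole JVM, start it with `-Dclojure.read.eval=false`, which is the system property `*read-eval*` is initialised from. For anything that is data rather than code, `clojure.edn/read-string` is the simpler choice because the question of `*read-eval*` never arises.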
@ehashman Our dev team lead regularly asks around the team where the company should send support.
Wish it would be like that everywhere.
But we still had no one working on log4j. We'll need to figure out why.
@ehashman The sad thing is FOSS specifically aims to provide the tools to prevent these crises by providing the necessary transparency to locate the bugs. Yet these big businesses don't put time into auditing their dependencies.
Am I seriously a more responsible dev than those at Apple or Microsoft?
Yes. Corporate developers are paid to ship product, not audit dependencies. Doing work outside their job description ends up being detrimental to their careers, as it creates conflict as well as redirecting their time to efforts that are not demonstrably productive. Not only are the developers thus employed disincentivized from doing that work, but the environment also selects against those who do continuing to participate in that labor pool.