Everyone is shitting bricks about the log4j vulnerability but no one seems to be shitting bricks about the corporate game of chicken in taking critical dependencies on OSS libraries without actually paying for the cost of their maintenance. You can't pray away the black swan.

We seem to have a heartbleed-level vuln on the order of 1 in ~7 years, and less critical issues more frequently. "Patch after it's disclosed" is not insurance. The collective cost of this scramble surely exceeds non-volunteer maintenance costs.

One of the worst aspects of capitalism is that it's often much cheaper to prevent crises but we don't because there's cost involved. If the crisis never happened, we don't measure that as a success in terms of resources, and those prevention costs become "inefficiencies"

We have no collective will to make things better because it goes against the terms of the perceived game. Everyone wants to selfishly defect even though keeping silent has a better outcome.

I don't know how we fix this without throwing out the system.

@ehashman Minor technicality: you're mixing up Prisoner's Dilemma and Game of Chicken.

@kakure We are here because nobody swerved off the road of just working on your own secret sauce, hoping that someone else would take that turn first.

The Prisoner's Dilemma is the obvious game to map onto the situation, that's why using the game of chicken is a fun and dramatic rhetorical twist.

We definitely should throw out the system, but even capitalist economies could treat open source infrastructure like they do roads and bridges and neglect it .. er, I mean, invest at least a modicum of continued funding in it.

@eloquence @ehashman How is the Core Infrastructure Initiative doing? (The one formed after the previous heartbleed-level vuln)

@tzafrir @eloquence @ehashman

The Core Infrastructure Initiative dramatically scaled back as soon as the initial funding dried up ~3 years in. Just about enough time to forget about the importance of maintenance...

There is a newer project that is not quite up and running yet... that might be able to do some of what CII was intended for:

openssf.org

All we need is a continual #spectre of a #meltdown to keep our #heartbleed burning down the #log4j cabins. Vigilance!

@vagrantc @tzafrir @eloquence @ehashman Eh, from one LF project to another ... as long as the money keeps flowin' and paying their overhead bills

@ehashman there is no way, that's how the incentives are set up. we have to throw away the system

@ehashman same arguments go into fighting critical infrastructures like bike and bus lanes, or elevators to the metro – in real life

who uses those things anyway?
probably just poor people.

yeah, okay, but these poor people are trying to get to your work, to your shop

it's so bizarre.

@ehashman the UK government famously scrapped our pandemic preparedness team as an "efficiency saving" literally 6 months before covid hit

@petrichor @ehashman same shit in Canada. look up GPHIN

en.m.wikipedia.org/wiki/Global

an ounce of prevention is worth a pound of cure, whatever those units mean. but nobody takes responsibility under capitalism

@ehashman I don't disagree, but I actually learned this lesson from an ex-Soviet who worked on the databases used by communists to try to optimize the economy. He was a really good database professor.

He said they often failed because they didn't account for risk and so didn't bake in any slack. It was seen as wasteful to overproduce.

Capitalistic frames do put their own special twist to this kind of screwup tho.

@ehashman I've been studying how ants manage their supply chain.

One of Aesop's fables is about this problem.
read.gov/aesop/052.html

@ehashman that's what companies usually have risk management for. You can not prevent all disasters, and there is nothing obvious that money could have done to prevent this one.

Log4j is used almost everywhere. So a "predisclosure" to (all) vendors using it would almost be like publishing it in the first place.

From my experience, this whole thing wasn't handled super badly; lots of processes just worked.

@ehashman just adding to the fear "we learn about a vuln like that every seven years", who knows how many state actors have in their toolbox because of issues like this

@ehashman I must be in a weird bubble because I've observed primarily people pointing out the fundamental unsustainability of the situation and not much else. part of that might be because we lucked out by just happening to standardize on slf4j at work I guess?

@ehashman every time something like this happens I start wondering how long it's going to be until the Clojure community gets bitten again by the catastrophically awful default binding of *read-eval* and Rich's refusal to fix it.

and then I realize it's probably already been exploited plenty of times; it just never makes the headlines when it does.

@ehashman Our dev team lead regularly asks around the team where the company should send support.

Wish it would be like that everywhere.

But we still had no one working on log4j. We’ll need to figure out why.

That’s Java dependencies. Don’t get me started on Javascript deps.

@ehashman The sad thing is FOSS specifically aims to provide the tools to prevent these crises by providing the necessary transparency to locate the bugs. Yet these big businesses don't put time into auditing their dependencies.

Am I seriously a more responsible dev than those at Apple or Microsoft?

@alcinnz
Yes. Corporate developers are paid to ship product, not audit dependencies. Doing work outside their job description ends up being detrimental to their careers, as it creates conflict as well as redirecting their time to efforts that are not demonstrably productive. Not only are the developers thus employed disincentivized from doing that work, but the environment also selects against those who do continuing to participate in that labor pool.
