I've spent the last few hours reading articles on open source security in general, and the response to log4j in particular. A first draft of one possible way to start the conversation at the White House Software Security Meeting follows.
Let's start with this quote[1], attributed to Ann Neuberger, who reportedly described open-source software as “a witch's brew” that is “built by volunteers, broadly used, and not managed.” We plead "no contest" to "witch's brew" :-) No question that log4j is broadly used. We assert that Apache projects in general, and log4j in particular, are indeed managed, and have provided links below[2], [3], [4], [5] for useful background. It is the topic of "volunteers" that we think needs clarification. While all contributions to the ASF are indeed voluntary, the people making the contributions are generally seasoned professionals. The history of log4j started at IBM Zurich in 2001, and it has been actively maintained, including a major rewrite, since that time. The top contributors are a matter of public record[6], and the most active contributors at this point in time include:

* Principal Software Architect with Rocket Software
* System Architect, SMBC Nikko Securities Inc.
* Nextiva Fellow Architect
* Senior Software Engineer at CloudBees

The level of contribution these individuals have made generally indicates both an intent and a history of making use of these releases in production. This example of software developed by professional volunteers isn't atypical; to the contrary, it is generally the case with widely used projects at the ASF. The reality is that a commodity function like logging is hard to monetize; many companies find it better to collaborate with others, often developers who in other contexts are competitors. This collaboration generally results in products that are of a higher quality than if each company went it alone. The results speak for themselves: everything from the web to public clouds to cell phones to embedded devices absolutely depends on open source. We believe that this is important background worth establishing before entering into discussions such as best practices, funding and regulation.
- Sam Ruby

[1] https://mywinet.com/some-federal-systems-affected-by-software-flaw-us-official-says/
[2] https://apache.org/theapacheway/index.html
[3] https://www.apache.org/foundation/how-it-works.html
[4] https://www.apache.org/dev/pmc.html
[5] https://apache.org/security/
[6] https://github.com/apache/logging-log4j2/graphs/contributors
