Hi Sam,

Thanks for putting this together. I broadly agree and would like to add notes as follows.

There is more to contributions than just changes to the codebase with commits. There are contributors (like me) who act in the "background" by digging through moderation queues, responding to general questions and more. Just yesterday the logging PMC had a live call and 11 PMC members across many timezones attended. Some are long-time contributors with more than ten years and some joined just recently. To me this is an indicator of health.

Most discussions and all decisions take place on the mailing lists. This appears to me also as something to note because it is another proof of general healthiness. One other advantage I propose to note is that all happens in full transparency. There are only very few companies that would even consider such an approach. This enables extended audit trails and encourages participation.

Last, I do observe that only recently companies have begun to take security measures more seriously. There are however still many deployments in the wild that are not maintained on a regular basis. I do know of deployments that have not been patched for more than ten years. This is a much larger risk and at the same time it is much harder to fix. It needs awareness and investments in resources that become hardly available as time passes by.

I liked Ralph's analogy with a house that he just made during yesterday's call. If one does not paint a house, take care of maintaining the water pipes, ... it withers as time passes. If nobody knows where pipes have been laid, it may be expensive to find where a water pipe has broken. Another analogy that is more security related: the chance of someone breaching the front door may become reality if nobody takes care of locking the door each and every evening. This is however not a responsibility of the supplier who made the door.

Warm regards and a happy new year!

Dominik

-- 
Sent from my phone. Typos are a kind gift to anyone who happens to find them.
On Fri, Dec 31, 2021, 04:57 Sam Ruby <[email protected]> wrote:

> I've spent the last few hours reading articles on open source security
> in general, and the response to log4j in particular. A first draft of
> one possible way to start the conversation at the White House Software
> Security Meeting follows.
>
> Let's start with this quote[1], attributed to Ann Neuberger,
> who reportedly described open-source software as “a witch's brew” that
> is “built by volunteers, broadly used, and not managed.”
>
> We plead "no contest" to "witch's brew" :-)
>
> No question that log4j is broadly used.
>
> We assert that Apache projects in general, and log4j in particular,
> are indeed managed, and have provided links below[2], [3], [4], [5]
> for useful background.
>
> It is the topic of "volunteers" that we think needs clarification.
> While all contributions to the ASF are indeed voluntary, the people
> making the contributions are generally seasoned professionals.
>
> The history of log4j started at IBM Zurich in 2001, and it has been
> actively maintained, including a major rewrite, since that time. The
> top contributors are a matter of public record[6], and the most active
> contributors at this point in time include:
>
> * Principal Software Architect with Rocket Software
> * System Architect, SMBC Nikko Securities Inc.
> * Nextiva Fellow Architect
> * Senior Software Engineer at CloudBees
>
> The level of contribution these individuals have made generally
> indicates both an intent and a history of making use of these releases
> in production. This example of software developed by professional
> volunteers isn't atypical - to the contrary, it is generally the case with
> widely used projects at the ASF.
>
> The reality is that a commodity function like logging is hard to
> monetize - many companies find it better to collaborate with others -
> often times developers who in other contexts are competitors. The
> result of this collaboration generally results in products that are of
> a higher quality than if each company went it alone.
>
> The results speak for themselves. Everything from the web to public
> clouds to cell phones to embedded devices absolutely depends on open
> source.
>
> We believe that this is important background worth establishing before
> entering into discussions such as best practices, funding and regulation.
>
> - Sam Ruby
>
> [1] https://mywinet.com/some-federal-systems-affected-by-software-flaw-us-official-says/
> [2] https://apache.org/theapacheway/index.html
> [3] https://www.apache.org/foundation/how-it-works.html
> [4] https://www.apache.org/dev/pmc.html
> [5] https://apache.org/security/
> [6] https://github.com/apache/logging-log4j2/graphs/contributors
