Small correction: the CloudBees guy works at Apple these days. — Matt Sicker
> On Dec 30, 2021, at 21:57, Sam Ruby <[email protected]> wrote:
>
> I've spent the last few hours reading articles on open source security
> in general, and the response to log4j in particular. A first draft of
> one possible way to start the conversation at the White House Software
> Security Meeting follows.
>
> Let's start with this quote[1], attributed to Ann Neuberger,
> who reportedly described open-source software as “a witch's brew” that
> is “built by volunteers, broadly used, and not managed.”
>
> We plead "no contest" to "witch's brew" :-)
>
> No question that log4j is broadly used.
>
> We assert that Apache projects in general, and log4j in particular,
> are indeed managed, and have provided links below[2], [3], [4], [5]
> for useful background.
>
> It is the topic of "volunteers" that we think needs clarification.
> While all contributions to the ASF are indeed voluntary, the people
> making the contributions are generally seasoned professionals.
>
> The history of log4j started at IBM Zurich in 2001, and it has been
> actively maintained, including a major rewrite, since that time. The
> top contributors are a matter of public record[6], and the most active
> contributors at this point in time include:
>
> * Principal Software Architect with Rocket Software
> * System Architect, SMBC Nikko Securities Inc.
> * Nextiva Fellow Architect
> * Senior Software Engineer at CloudBees
>
> The level of contribution these individuals have made generally
> indicates both an intent and a history of making use of these releases
> in production. This example of software developed by professional
> volunteers isn't atypical; to the contrary, it is generally the case with
> widely used projects at the ASF.
>
> The reality is that a commodity function like logging is hard to
> monetize; many companies find it better to collaborate with others,
> oftentimes developers who in other contexts are competitors. The
> result of this collaboration is generally products that are of
> a higher quality than if each company went it alone.
>
> The results speak for themselves. Everything from the web to public
> clouds to cell phones to embedded devices absolutely depends on open
> source.
>
> We believe that this is important background worth establishing before
> entering into discussions such as best practices, funding and regulation.
>
> - Sam Ruby
>
> [1] https://mywinet.com/some-federal-systems-affected-by-software-flaw-us-official-says/
> [2] https://apache.org/theapacheway/index.html
> [3] https://www.apache.org/foundation/how-it-works.html
> [4] https://www.apache.org/dev/pmc.html
> [5] https://apache.org/security/
> [6] https://github.com/apache/logging-log4j2/graphs/contributors
