I have no intention to tear apart the document. I am dealing with
non-technical fellows on a daily basis and from my experience the document
is still too technical.

Could a comparison with a house be of help? A house is something specially
made according to the specifications of the owner and adapted to
meet its requirements and fulfill needs. A house can be built of bricks,
stone, wood, ... and there are various things that need to be assembled by
experts in their own right. Maybe there is a good analogy to find for what
logging means for a house. It could be a printer that protocols to paper
what the house is doing: a door gets opened and closed, water that is
running and stops doing so, an oven that's baking, ...

If one gets to understand what log4j is in this house, it is surely easier
to explain Java, JNDI and LDAP with analogies as well?

A good analogy could be electric cables interconnecting various components
so that they can fulfill their purpose, i.e. switches to turn on/off lights.
And hey, there are also pluggable components like power plugs where new
stuff can be plugged into. :-) What if someone could plug something,
unnoticed, with an adapter nobody thought of?

Warm regards
--
Sent from my phone. Typos are a kind gift to anyone who happens to find
them.

On Sun, Jan 16, 2022, 19:25 Matt Sicker <[email protected]> wrote:

> Building blocks could potentially be “components”; that term applies to
> physical supply chains, too.
>
> Emphasizing that the volunteer developers are still professionals,
> academics, etc., is certainly important. I’ve seen enough people aghast at how
> we at the Log4j project are all unpaid; many of us have spent countless
> hours at work using and extending Log4j where we’ve been able to contribute
> our changes back to the project. Sure, many of us also work on this in our
> spare time, but the volunteer aspect is strictly that Apache doesn’t pay us.
>
> JNDI can potentially be described as a standard programming component used
> for looking up directory information from LDAP and other similar
> technology. It may help to mention that LDAP is a directory service (maybe
> they’re familiar with Active Directory or some other phonebook-like
> directory service).
> --
> Matt Sicker
>
> > On Jan 16, 2022, at 11:55, Sam Ruby <[email protected]> wrote:
> >
> > On Sun, Jan 16, 2022 at 12:40 PM Gilles Sadowski <[email protected]>
> > wrote:
> >
> >> On Sun, Jan 16, 2022 at 17:13, Sam Ruby <[email protected]> wrote:
> >>>
> >>> In discussions with US Senate Staffers, it became apparent that there is
> >>> a need for a less technical description of both open source
> >>
> >> Presenting the rationale for open source to code that "does not
> >> provide [...] competitive advantage" is self-deprecating IMHO.
> >>
> >
> > Fair.  Some background: many of the people the ASF interacted with last
> > week came in with the impression that open source software was primarily
> > written by amateur hobbyists with too much spare time on their hands.
> > After all, why would any business want to give away their hard own work?
> >
> > Here's what we are up against, and this includes a quote from the person
> > who called the meeting at the White House:
> >
> > Log4j is open-source software that’s maintained by a gaggle of volunteer
> > programmers as a part of the nonprofit Apache Software Foundation, one
> > among dozens of open-source initiatives which have change into an important
> > part of worldwide commerce.
> >
> > Neuberger described open-source software as “a witch’s brew” that’s “built
> > by volunteers, broadly used, and not managed”.
> >
> > --
> >
> > https://mywinet.com/some-federal-systems-affected-by-software-flaw-us-official-says/
> > Is there a better way to capture the motivation of businesses to contribute
> > to open source?
> >
> >
> >
> >>> and the
> >>> Log4J vulnerability.
> >>
> >> Not using "jargon" in that section makes it more difficult to follow for
> >> programmers while probably not any clearer for non-programmers.
> >> Since "code" and "library" have been defined in the first section, the
> >> usual terms could then be used afterwards as appropriate.
> >>
> >
> > I'm not convinced.  Yes, building block is jarring to me, even though I
> > know what it meant.  Think about how jarring code or library would be to a
> > reader for which these are not common uses.
> >
> > I picked up the term building block from a lawyer who is experienced in
> > these matters.  He repeated back to us what he heard us say, and used this
> > term.
> >
> >>> I've taken a first stab at this, and placed it here:
> >>>
> >>> https://cwiki.apache.org/confluence/display/COMDEV/Log4j+vulnerability+background
> >>
> >>
> >> s/Software Build of Materials/Software Bill of Materials/
> >> ?
> >>
> >
> > Fixed.  Thanks!  Feel free to directly update the page
> >
> >
> >
> >> Best regards,
> >> Gilles
> >>
> >
> > - Sam Ruby
> >
> >
> >
> >>> As always, this is on a wiki.  You know what you need to do!
> >>>
> >>> - Sam Ruby
> >>>