On Sun, Jan 16, 2022 at 1:25 PM Matt Sicker <[email protected]> wrote:

> Building blocks could potentially be “components”; that term applies to
> physical supply chains, too.
>

That works.  I would probably start by saying "building blocks or
components", and then proceed with components from there.


> Emphasizing that the volunteer developers are still professionals,
> academics, etc., is certainly important. I’ve seen enough people aghast how
> we at the Log4j project are all unpaid; many of us have spent countless
> hours at work using and extending Log4j where we’ve been able to contribute
> our changes back to the project. Sure, many of us also work on this in our
> spare time, but the volunteer aspect is strictly that Apache doesn’t pay us.
>

Agreed.  Earlier papers (such as the one sent to the white house) took that
approach. My current thinking is to not mention volunteer at all, and lead
with the description that we want them to understand.

> JNDI can potentially be described as a standard programming component used
> for looking up directory information from LDAP and other similar
> technology. It may help to mention that LDAP is a directory service (maybe
> they’re familiar with Active Directory or some other phonebook-like
> directory service).
>

We tried pretty much exactly that (it happened to be David talking at the
time) with Senate Staff.  Eyes glazed over.  At the end one of the Staffers
said that he had just picked up a book on Python for Dummies.

My assumption is that that staffer is ahead of the curve with respect to
other staffers, and that staffers in general are more technically savvy
than the senators that they serve.

--
> Matt Sicker
>

- Sam Ruby


> > On Jan 16, 2022, at 11:55, Sam Ruby <[email protected]> wrote:
> >
> > On Sun, Jan 16, 2022 at 12:40 PM Gilles Sadowski <[email protected]>
> > wrote:
> >
> >> Le dim. 16 janv. 2022 à 17:13, Sam Ruby <[email protected]> a
> écrit :
> >>>
> >>> In discussions with US Senate Staffers, it became apparent that there
> >>> is a need for a less technical description of both open source
> >>
> >> Presenting the rationale for open source to code that "does not
> >> provide [...] competitive advantage" is self-deprecating IMHO.
> >>
> >
> > Fair.  Some background: many of the people the ASF interacted with last
> > week came in with the impression that open source software was primarily
> > written by amateur hobbyists with too much spare time on their hands.
> > After all, why would any business want to give away their hard-won work?
> >
> > Here's what we are up against, and this includes a quote from the person
> > who called the meeting at the White House:
> >
> > Log4j is open-source software that’s maintained by a gaggle of volunteer
> > programmers as a part of the nonprofit Apache Software Foundation, one
> > among dozens of open-source initiatives which have changed into an
> > important part of worldwide commerce.
> >
> > Neuberger described open-source software as “a witch’s brew” that’s
> > “built by volunteers, broadly used, and not managed”.
> >
> > --
> > https://mywinet.com/some-federal-systems-affected-by-software-flaw-us-official-says/
> >
> > Is there a better way to capture the motivation of businesses to
> > contribute to open source?
> >
> >
> >
> >>> and the
> >>> Log4J vulnerability.
> >>
> >> Not using "jargon" in that section makes it more difficult to follow for
> >> programmers while probably not any clearer for non-programmers.
> >> Since "code" and "library" have been defined in the first section, the
> >> usual terms could then be used afterwards as appropriate.
> >>
> >
> > I'm not convinced.  Yes, building block is jarring to me, even though I
> > know what it meant.  Think about how jarring code or library would be to
> > a reader for which these are not common uses.
> >
> > I picked up the term building block from a lawyer who is experienced in
> > these matters.  He repeated back to us what he heard us say, and used
> > this term.
> >
> >>> I've taken a first stab at this, and placed it here:
> >>>
> >>> https://cwiki.apache.org/confluence/display/COMDEV/Log4j+vulnerability+background
> >>
> >> s/Software Build of Materials/Software Bill of Materials/
> >> ?
> >>
> >
> > Fixed.  Thanks!  Feel free to directly update the page
> >
> >
> >
> >> Best regards,
> >> Gilles
> >>
> >
> > - Sam Ruby
> >
> >
> >
> >>> As always, this is on a wiki.  You know what you need to do!
> >>>
> >>> - Sam Ruby
> >>>
> >>
