On Sun, Jan 16, 2022 at 1:49 PM Dominik Psenner <[email protected]> wrote:
> I have no intention to tear apart the document. I am dealing with non
> technical fellows on a daily basis and from my experience the document is
> still too technical.
>

That's what I was afraid of, and what I very much want to fix.

> Could a comparison with a house be of help? A house is something specially
> made according to the specifications of the owner and adapted according to
> meet its requirements and fulfill needs. A house can be built of bricks,
> stone, wood, ... and there are various things that need to be assembled by
> experts of their own right. Maybe there is a good analogy to find what
> logging means for a house. It could be a printer that protocols to paper
> what the house is doing, a door gets opened and closed, water that is
> running and stops to do so, an oven that's baking, ...
>
> If one gets to understand what log4j is in this house, it is surely easier
> to explain java, jndi and ldap with analogies as well?
>

I actually don't think we go there. Essentially there is a recall on a
thingamabob. Most people don't know how cars work either, but when they get
a recall, they take it in to get fixed. What's different here is that it
is not just one model or even make of a car that is getting recalled, but
rather a large number of different manufacturers that are affected. And
they are wondering why this is, and want to make sure that it doesn't
happen again.

> A good analogy could be electric cables interconnecting various components
> so that they can fulfill their purpose, ie switches to turn on/off lights.
> And hey, there are also pluggable components like power plugs where new
> stuff can be plugged into. :-) What if someone could plug something,
> unnoticed, with an adapter nobody thought of?
>

Unfortunately, I don't know of a good analogy for open source.

> Warm regards
> --
> Sent from my phone. Typos are a kind gift to anyone who happens to find
> them.
- Sam Ruby

> On Sun, Jan 16, 2022, 19:25 Matt Sicker <[email protected]> wrote:
>
> > Building blocks could potentially be “components”; that term applies to
> > physical supply chains, too.
> >
> > Emphasizing that the volunteer developers are still professionals,
> > academics, etc., is certainly important. I’ve seen enough people aghast how
> > we at the Log4j project are all unpaid; many of us have spent countless
> > hours at work using and extending Log4j where we’ve been able to contribute
> > our changes back to the project. Sure, many of us also work on this in our
> > spare time, but the volunteer aspect is strictly that Apache doesn’t pay us.
> >
> > JNDI can potentially be described as a standard programming component used
> > for looking up directory information from LDAP and other similar
> > technology. It may help to mention that LDAP is a directory service (maybe
> > they’re familiar with Active Directory or some other phonebook-like
> > directory service).
> > --
> > Matt Sicker
> >
> > > On Jan 16, 2022, at 11:55, Sam Ruby <[email protected]> wrote:
> > >
> > > On Sun, Jan 16, 2022 at 12:40 PM Gilles Sadowski <[email protected]>
> > > wrote:
> > >
> > >> On Sun, 16 Jan 2022 at 17:13, Sam Ruby <[email protected]> wrote:
> > >>>
> > >>> In discussions with US Senate Staffers, it became apparent that there is
> > >>> a need for a less technical description of both open source
> > >>
> > >> Presenting the rationale for open source to code that "does not
> > >> provide [...] competitive advantage" is self-deprecating IMHO.
> > >>
> > >
> > > Fair. Some background: many of the people the ASF interacted with last
> > > week came in with the impression that open source software was primarily
> > > written by amateur hobbyists with too much spare time on their hands.
> > > After all, why would any business want to give away their hard-won work?
> > >
> > > Here's what we are up against, and this includes a quote from the person
> > > who called the meeting at the White House:
> > >
> > > Log4j is open-source software that’s maintained by a gaggle of volunteer
> > > programmers as a part of the nonprofit Apache Software Foundation, one
> > > among dozens of open-source initiatives which have changed into an important
> > > part of worldwide commerce.
> > >
> > > Neuberger described open-source software as “a witch’s brew” that’s “built
> > > by volunteers, broadly used, and not managed”.
> > >
> > > --
> > > https://mywinet.com/some-federal-systems-affected-by-software-flaw-us-official-says/
> > >
> > > Is there a better way to capture the motivation of businesses to contribute
> > > to open source?
> > >
> > >>> and the
> > >>> Log4J vulnerability.
> > >>
> > >> Not using "jargon" in that section makes it more difficult to follow for
> > >> programmers while probably not any clearer for non-programmers.
> > >> Since "code" and "library" have been defined in the first section, the
> > >> usual terms could then be used afterwards as appropriate.
> > >>
> > >
> > > I'm not convinced. Yes, building block is jarring to me, even though I
> > > know what it meant. Think about how jarring code or library would be to a
> > > reader for which these are not common uses.
> > >
> > > I picked up the term building block from a lawyer who is experienced in
> > > these matters. He repeated back to us what he heard us say, and used this
> > > term.
> > >
> > >>> I've taken a first stab at this, and placed it here:
> > >>>
> > >>> https://cwiki.apache.org/confluence/display/COMDEV/Log4j+vulnerability+background
> > >>
> > >> s/Software Build of Materials/Software Bill of Materials/
> > >> ?
> > >>
> > >
> > > Fixed. Thanks!
> > > Feel free to directly update the page
> > >
> > >> Best regards,
> > >> Gilles
> > >>
> > >
> > > - Sam Ruby
> > >
> > >>> As always, this is on a wiki. You know what you need to do!
> > >>>
> > >>> - Sam Ruby
> > >>>
