Sam Ruby wrote on Sun, 16 Jan 2022 21:26 +00:00:
> On Sun, Jan 16, 2022 at 1:49 PM Dominik Psenner <[email protected]> wrote:
>> Could a comparison with a house be of help? A house is something specially
>> made according to the specifications of the owner and adapted to meet its
>> requirements and fulfill needs. A house can be built of bricks, stone,
>> wood, ... and there are various things that need to be assembled by
>> experts of their own right. Maybe there is a good analogy to find what
>> logging means for a house. It could be a printer that protocols to paper
>> what the house is doing, a door gets opened and closed, water that is
>> running and stops to do so, an oven that's baking, ...
>>
>> If one gets to understand what log4j is in this house, it is surely easier
>> to explain java, jndi and ldap with analogies as well?
>>
>
> I actually don't think we go there.  Essentially there is a recall on a
> thingamabob.   Most people don't know how cars work either, but when they
> get a recall, they take it in to get fixed.  What's different here is that
> it is not just one model or even make of a car that is getting recalled,
> but rather a large number of different manufacturers that are affected.
> And they are wondering why this is, and want to make sure that it doesn't
> happen again.
>

It's simply a cache invalidation problem.  It has nothing to do with
open source (either the class of licenses or the software development
paradigm).

Imagine you circulate a copy of a bill to N people, and then you revise
the bill.  You'll want to have some way to keep track of which N people
you have sent the v1 to so you'll be able to send them the v2, lest
someone wrongly continue to think that v1 is the latest.  Furthermore,
the responsibility of solving this problem rests with the distributor of
the bill, as opposed to the bill's original author.

To be explicit, the bill ≈ log4j.  It makes no difference that the bill
isn't code; it makes no difference what the bill's copyright license is;
and it makes no difference whether the bill had been developed
collaboratively or single-handedly.

To drive the point home, does anybody have statistics on how many Windows
3.1 / 95 / 98 machines are still online?  On how many smartphone OSes are
past their EOL?

Anyway, this isn't a generic cache invalidation problem.  Upgrading
libraries is essentially a solved problem.  There are tools that detect
pending security updates, tools that install security updates
automatically (https://packages.debian.org/bullseye/unattended-upgrades),
tools that audit running processes to see if there are unlinked .so
files in their address spaces (https://manpages.debian.org/checkrestart)…

The problem may be — as is usual in security — that _not_ having these
safety measures deployed isn't obvious until just after you need them.
It's like fire alarms, seat belts, backup parachutes, and insurance
policies: if you don't have one, nothing is _obviously_ wrong.  If you
buy a car and don't insure it, you can still drive it.  If you jump
off a plane wearing a parachute whose backup handle is superglued
shut, you might not notice that until after landing.  (Incidentally,
in the parachute example, you'd then report the occurrence to the
NTSB, who'd investigate it and post a report for all parachute
operators to learn from.)

Which is to say, it seems to me the answer to "What to do?" is a single
sentence: "Follow existing best practice."

----

Is the problem that log4j was used, in C terms, as a static library
rather than as a dynamic library?  That's an easy thing to explain:
imagine an airplane cabin in which every seat has a copy of the
emergency exits placard v. an airplane cabin in which the emergency exit
placard is printed on the ceiling of the aisle where everyone can see
it clearly.  In the former case some of the copies can get out of date,
or one seat might get two slightly different copies, etc.; in the latter
case, there's just one copy per airplane, and it's the airline's
responsibility to keep that copy up-to-date.  (In this analogy, each
seat would be manufactured by a different company and provided a placard
by that company, and the pasted-on-the-ceiling copy would not be
considered the "preferred form for making modifications".)

Cheers,

Daniel
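
The "keep track of which N people you have sent the v1 to" step and the
"static library" point above both come down to inventory: before a bundled
copy of log4j can be recalled, someone has to find every copy, including the
ones shaded inside fat jars and wars. The script below is an added example,
not code from the thread or from the log4j project. It walks a directory
tree, recurses into nested archives, reads `Implementation-Version` from each
`META-INF/MANIFEST.MF`, and lists copies older than a minimum you supply. It
assumes the library is recognisable by a `log4j-core-` filename prefix or an
`Implementation-Title` starting with `log4j-core`; the sample tree, the
version numbers in it and the `1.4.0` threshold are all constructed for the
demo and are not real log4j releases.

```python
"""Inventory every copy of a library inside Java archives under a directory.

Added example for the thread above, not the thread's or log4j's own code.
Assumption: the artifact is identified by a 'log4j-core-' filename prefix or
an Implementation-Title beginning with 'log4j-core'; version numbers and the
minimum used in demo() are constructed placeholders.
"""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_manifest(data: bytes) -> dict:
    """Parse a JAR manifest into a dict, joining continuation lines (leading space)."""
    text = re.sub(r"\r?\n ", "", data.decode("utf-8", errors="replace"))
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs


def parse_version(v: str) -> tuple:
    """'1.10.0' -> (1, 10, 0) so versions order numerically; non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def scan_archive(zf: zipfile.ZipFile, location: str, artifact: str, found: list) -> None:
    """Record this archive if it is the artifact, then recurse into nested archives."""
    names = zf.namelist()
    if "META-INF/MANIFEST.MF" in names:
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        title = attrs.get("Implementation-Title", "")
        base = os.path.basename(location)
        if title.startswith(artifact) or base.startswith(artifact + "-"):
            found.append((location, attrs.get("Implementation-Version", "unknown")))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, f"{location}!/{name}", artifact, found)
            except zipfile.BadZipFile:
                continue  # a .jar-named entry that is not a real archive


def inventory(root, artifact: str = "log4j-core") -> list:
    """Return [(location, version)] for every copy of `artifact` under `root`."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, str(path), artifact, found)
            except zipfile.BadZipFile:
                continue
    return found


def below_minimum(found: list, minimum: str) -> list:
    """Copies older than `minimum`; an 'unknown' version parses as (0,) and is flagged too."""
    return [(loc, ver) for loc, ver in found if parse_version(ver) < parse_version(minimum)]


def make_jar(title: str, version: str) -> bytes:
    """Build an in-memory jar whose manifest carries the given title and version (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Title: {title}\r\n"
                    f"Implementation-Version: {version}\r\n")
        zf.writestr("org/example/Placeholder.class", b"")
    return buf.getvalue()


def build_sample_tree(root) -> None:
    """Constructed sample: one shared jar (the 'dynamic' case) and one war bundling an older copy."""
    root = Path(root)
    (root / "lib").mkdir()
    (root / "app").mkdir()
    (root / "lib" / "log4j-core-1.5.0.jar").write_bytes(make_jar("log4j-core", "1.5.0"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Title: sample-app\r\n")
        war.writestr("WEB-INF/lib/log4j-core-1.2.0.jar", make_jar("log4j-core", "1.2.0"))
        war.writestr("WEB-INF/lib/other-lib-3.0.jar", make_jar("other-lib", "3.0"))
    (root / "app" / "server.war").write_bytes(buf.getvalue())


def demo(minimum: str = "1.4.0") -> tuple:
    """Build the sample tree, scan it and return (all copies, stale copies) with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rel = lambda loc: loc.replace(tmp + os.sep, "", 1)
        found = [(rel(loc), ver) for loc, ver in inventory(tmp)]
        return found, below_minimum(found, minimum)


if __name__ == "__main__":
    found, stale = demo()
    for loc, ver in found:
        print(("STALE " if (loc, ver) in stale else "ok    ") + f"{ver:>8}  {loc}")
```

Run against a real deployment as `inventory("/opt/apps")` with the version
your vendor advisory names as `minimum`; the `!/` separator in a location
marks a copy that lives inside another archive, which is exactly the copy
the "placard per seat" case leaves behind.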
