open source is broken
Signed-off-by: Xe <me@christine.website>
This commit is contained in:
parent
912fd7473d
commit
a66f15caeb
|
@ -0,0 +1,144 @@
|
|||
---
|
||||
title: '"Open Source" is Broken'
|
||||
date: 2021-12-11
|
||||
author: Mai
|
||||
tags:
|
||||
- rant
|
||||
---
|
||||
|
||||
or: Why I Don't Write Useful Software Unless You Pay Me
|
||||
|
||||
Recently there was a [massive
|
||||
vulnerability](https://www.lunasec.io/docs/blog/log4j-zero-day/) found in a
|
||||
critical Java ecosystem package. When fully weaponized, this allows attackers to
|
||||
coerce Java servers into executing arbitrary code that was fetched from an LDAP
|
||||
server.
|
||||
|
||||
[If this is news to you and you work at a Java shop, I'm sorry but you have a
|
||||
long couple days ahead.](conversation://Mara/hacker)
|
||||
|
||||
I believe this is a perfect microcosm of all of the major ecosystem problems
|
||||
with "Open Source" software. I have some thoughts about all this, as I think
|
||||
log4j2 is a _perfect_ example of one of the worst case scenarios for this. It is
|
||||
perfectly reasonable for everyone involved in this issue to have done all this
|
||||
for perfectly valid solutions to real-world problems and this also to have
|
||||
created a massive hole on accident in the process.
|
||||
|
||||
<center>
|
||||
|
||||
![the XKCD comic "Dependency", depicting all modern digital infrastructure being
|
||||
held up by some random project made by a thankless anonymous person in
|
||||
Nebraska.](https://imgs.xkcd.com/comics/dependency.png)
|
||||
|
||||
</center>
|
||||
|
||||
All software is made on top of the shoulders of giants. Consider something as
|
||||
basic as running an SSH server on the Linux kernel. In the mix you would have at
|
||||
least 10 vendors (assuming a minimal Alpine Linux system in its default
|
||||
configuration), which means that there are at least 10 separate organizations
|
||||
that still have bills to pay with actual money dollars regardless of the number
|
||||
of users of the software they are giving away for free. Alpine Linux is also a
|
||||
great example of this because it is used frequently in Docker contexts to power
|
||||
many, many companies in production. How many of those companies do you think
|
||||
fund the Alpine Linux project? How many of those companies do you think even
|
||||
would even THINK about funding the Alpine Linux project?
|
||||
|
||||
I've had this kind of conversation with people before and I've gotten a
|
||||
surprising amount of resistance to the prospect of actually making sure that the
|
||||
random smattering of volunteers that LITERALLY MAKE THEIR COMPANY RUN are able
|
||||
to make rent. There is this culture of taking from open source without giving
|
||||
anything back. It is like the problems of the people who make the dependencies
|
||||
are irrelevant.
|
||||
|
||||
<center>
|
||||
|
||||
![A meme based on the Tim and Eric "It's free real estate" template contrasting
|
||||
the idea of open source software maintained by passionate developers with a
|
||||
heartless taking without giving attitude](/static/blog/5xi3x7.jpg)
|
||||
|
||||
</center>
|
||||
|
||||
GitHub stars famously cannot be used to pay rent. An example of this is the
|
||||
[`core-js` debacle](https://github.com/zloirock/core-js/issues/767). `core-js`
|
||||
is a JavaScript library that gives JavaScript's standard library a lot of core
|
||||
primitives that can make you not need to reach out to other libraries. This
|
||||
library is also infamous for letting you know that the author is looking for a
|
||||
job every time you install it in CI. You probably have seen this message in your
|
||||
CI a thousand times:
|
||||
|
||||
```
|
||||
Thank you for using core-js ( https://github.com/zloirock/core-js ) for
|
||||
polyfilling JavaScript standard library!
|
||||
|
||||
The project needs your help! Please consider supporting of core-js on Open
|
||||
Collective or Patreon:
|
||||
> https://opencollective.com/core-js
|
||||
> https://www.patreon.com/zloirock
|
||||
|
||||
Also, the author of core-js ( https://github.com/zloirock ) is looking for a
|
||||
good job :-)
|
||||
```
|
||||
|
||||
The author of the project is either still in prison for vehicular manslaughter
|
||||
or has just been released. `core-js` is a dependency of React. How many of you
|
||||
have actually donated to this project? Especially if you use React?
|
||||
|
||||
Now let's turn our eyes to `log4j2`. This project is effectively in the standard
|
||||
library for Java users. This library is so ingrained into modern Java that
|
||||
you'd expect the developers of it would be well-funded and not need to focus on
|
||||
anything else but that library, right?
|
||||
|
||||
No.
|
||||
|
||||
<center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage.<br><br>"I work on Log4j in my spare time"<br>"always dreamed of working on open source full time"<br>"3 sponsors are funding <a href="https://twitter.com/rgoers?ref_src=twsrc%5Etfw">@rgoers</a>'s work: Michael, Glenn, Matt"<br><br>People, what are we doing. <a href="https://t.co/2hAxUWCjuC">pic.twitter.com/2hAxUWCjuC</a></p>— Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) <a href="https://twitter.com/FiloSottile/status/1469441487175880711?ref_src=twsrc%5Etfw">December 10, 2021</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></center>
|
||||
|
||||
As of yesterday, there were a grand total of three sponsors for this person's
|
||||
work. THREE. As of today, this number is now 14; however this is no excuse. This
|
||||
person should be funded in a level that is appropriate for how critical `log4j2`
|
||||
is used in the ecosystem. There is no excuse for this. This person's _spare time
|
||||
passion project_ is responsible for half of the internet working the way it
|
||||
should. Vulnerable companies to this issue included Apple, Google, my cell phone
|
||||
carrier and basically everyone that uses JavaEE in its default configuration.
|
||||
|
||||
[Seriously, I could trigger some part of my cell carrier's infra reaching
|
||||
out to a DNS server with a specially crafted SMS
|
||||
message.](conversation://Cadey/facepalm)
|
||||
|
||||
If `log4j2` is responsible for your company's success, you have a moral
|
||||
obligation to [donate to the person who creates this library
|
||||
thanklessly](https://github.com/sponsors/rgoers).
|
||||
|
||||
[As for the problem that created this vulnerability in the first place: what
|
||||
where they THINKING when they allowed user-submitted untrusted strings to
|
||||
contain JDNI references that would then cause the JVM to load arbitrary bytecode
|
||||
into ram and then run it without having to specify that in the format string to
|
||||
begin with? Like why would you even need to do that in the _user-supplied_ part
|
||||
of the format string? What would this even accomplish other than being a great
|
||||
way to get a shell whenever you wanted?](conversation://Numa/stare)
|
||||
|
||||
There is a friend of mine who has been thanklessly maintaining an online radio
|
||||
station stack for a long time. He has been abused by his users. Users will throw
|
||||
5 bucks in the tip jar and then get very angry when he doesn't drop everything
|
||||
and fix their incredibly specific problems on a moment's notice. He has tried to
|
||||
get jobs at places, but every time they keep trying to screw him out of
|
||||
ownership of his own projects and he has to turn them down. Meanwhile the cash
|
||||
bleed continues.
|
||||
|
||||
This is why I am very careful about how I make "useful" software and release it
|
||||
to the world without any solid way for me to get paid for my efforts. I simply
|
||||
do not want to be in a situation where my software that I develop as a passion
|
||||
project on the side is holding people's companies together. That's why I make
|
||||
software how and where I do. Like, no offense, but I really do not want to go
|
||||
unpaid for my efforts. The existing leech culture of "Open Source" being a pool
|
||||
of free labor makes it hard for me to want to have my side projects be actually
|
||||
useful like that unless you pay me.
|
||||
|
||||
[Okay, part of this may also be an ADHD thing and not really being able to stick
|
||||
to projects longer term.](conversation://Cadey/coffee)
|
||||
|
||||
TL;DR: If you want me to make you useful software, pay me. If you use software
|
||||
made by others in their spare time and find it useful, pay them. This should not
|
||||
be a controversial opinion. This should not be a new thing. This should already
|
||||
be the state of the world and it is amazingly horrible for us to have the people
|
||||
that make the things that make our software work at all starve and beg for
|
||||
donations.
|
Binary file not shown.
After Width: | Height: | Size: 52 KiB |
Loading…
Reference in New Issue