|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129 |
- title: “Open Source” is Broken
- url: https://christine.website/blog/open-source-broken-2021-12-11
- hash_url: f57abf8bb9e96e5cb5cfe845d76729f5
-
- <p>or: Why I Don't Write Useful Software Unless You Pay Me</p>
- <p>Recently there was a <a href="https://www.lunasec.io/docs/blog/log4j-zero-day/">massive
- vulnerability</a> found in a
- critical Java ecosystem package. When fully weaponized, this allows attackers to
- coerce Java servers into executing arbitrary code that was fetched from an LDAP
- server.</p>
- <p></p><div class="conversation">
-
- <p class="conversation-chat"><<b>Mara</b>> If this is news to you and you work at a Java shop, I'm sorry but you have a
- long couple days ahead.</p>
- </div>
-
- <p>I believe this is a perfect microcosm of all of the major ecosystem problems
- with "Open Source" software. I have some thoughts about all this, as I think
- log4j2 is a <em>perfect</em> example of one of the worst case scenarios for this. It is
- perfectly reasonable for everyone involved in this issue to have done all this
- for perfectly valid solutions to real-world problems and this also to have
- created a massive hole on accident in the process.</p>
- <center>
- <p><img src="https://imgs.xkcd.com/comics/dependency.png" alt='the XKCD comic "Dependency", depicting all modern digital infrastructure being held up by some random project made by a thankless anonymous person in Nebraska.'></p>
- <p><a href="https://xkcd.com/2347/">XKCD #2347: Dependency</a></p>
- </center>
- <p>All software is made on top of the shoulders of giants. Consider something as
- basic as running an SSH server on the Linux kernel. In the mix you would have at
- least 10 vendors (assuming a minimal Alpine Linux system in its default
- configuration), which means that there are at least 10 separate organizations
- that still have bills to pay with actual money dollars regardless of the number
- of users of the software they are giving away for free. Alpine Linux is also a
- great example of this because it is used frequently in Docker contexts to power
- many, many companies in production. How many of those companies do you think
- fund the Alpine Linux project? How many of those companies do you think even
- would even THINK about funding the Alpine Linux project?</p>
- <p>I've had this kind of conversation with people before and I've gotten a
- surprising amount of resistance to the prospect of actually making sure that the
- random smattering of volunteers that LITERALLY MAKE THEIR COMPANY RUN are able
- to make rent. There is this culture of taking from open source without giving
- anything back. It is like the problems of the people who make the dependencies
- are irrelevant.</p>
- <center>
- <p><img src="https://christine.website/static/blog/5xi3x7.jpg" alt="A meme based on the Tim and Eric "It's free real estate" template contrasting the idea of open source software maintained by passionate developers with a heartless taking without giving attitude"></p>
- </center>
- <p>GitHub stars famously cannot be used to pay rent. An example of this is the
- <a href="https://github.com/zloirock/core-js/issues/767"><code>core-js</code> debacle</a>. <code>core-js</code>
- is a JavaScript library that gives JavaScript's standard library a lot of core
- primitives that can make you not need to reach out to other libraries. This
- library is also infamous for letting you know that the author is looking for a
- job every time you install it in CI. You probably have seen this message in your
- CI a thousand times:</p>
- <pre><code>
- <span>Thank you for using core-js ( https://github.com/zloirock/core-js ) for
- </span><span>polyfilling JavaScript standard library!
- </span><span>
- </span><span>The project needs your help! Please consider supporting of core-js on Open
- </span><span>Collective or Patreon:
- </span><span>> https://opencollective.com/core-js
- </span><span>> https://www.patreon.com/zloirock
- </span><span>
- </span><span>Also, the author of core-js ( https://github.com/zloirock ) is looking for a
- </span><span>good job :-)
- </span>
- </code></pre>
- <p>The author of the project is either still in prison for vehicular manslaughter
- or has just been released. <code>core-js</code> is a dependency of React. How many of you
- have actually donated to this project? Especially if you use React?</p>
- <p>Now let's turn our eyes to <code>log4j2</code>. This project is effectively in the standard
- library for Java users. This library is so ingrained into modern Java that
- you'd expect the developers of it would be well-funded and not need to focus on
- anything else but that library, right?</p>
- <p>No.</p>
- <center> </center>
- <p>As of yesterday, there were a grand total of three sponsors for this person's
- work. THREE. As of today, this number is now 14; however this is no excuse. This
- person should be funded in a level that is appropriate for how critical <code>log4j2</code>
- is used in the ecosystem. There is no excuse for this. This person's <em>spare time
- passion project</em> is responsible for half of the internet working the way it
- should. Vulnerable companies to this issue included Apple, Google, my cell phone
- carrier and basically everyone that uses JavaEE in its default configuration.</p>
- <p></p><div class="conversation">
-
- <p class="conversation-chat"><<b>Cadey</b>> Seriously, I could trigger some part of my cell carrier's infra reaching
- out to a DNS server with a specially crafted SMS
- message.</p>
- </div>
-
- <p>If <code>log4j2</code> is responsible for your company's success, you have a moral
- obligation to <a href="https://github.com/sponsors/rgoers">donate to the person who creates this library
- thanklessly</a>.</p>
- <p></p><div class="conversation">
-
- <p class="conversation-chat"><<b>Numa</b>> As for the problem that created this vulnerability in the first place: what
- where they THINKING when they allowed user-submitted untrusted strings to
- contain JDNI references that would then cause the JVM to load arbitrary bytecode
- into ram and then run it without having to specify that in the format string to
- begin with? Like why would you even need to do that in the <em>user-supplied</em> part
- of the format string? What would this even accomplish other than being a great
- way to get a shell whenever you wanted?</p>
- </div>
-
- <p>There is a friend of mine who has been thanklessly maintaining an online radio
- station stack for a long time. He has been abused by his users. Users will throw
- 5 bucks in the tip jar and then get very angry when he doesn't drop everything
- and fix their incredibly specific problems on a moment's notice. He has tried to
- get jobs at places, but every time they keep trying to screw him out of
- ownership of his own projects and he has to turn them down. Meanwhile the cash
- bleed continues.</p>
- <p>This is why I am very careful about how I make "useful" software and release it
- to the world without any solid way for me to get paid for my efforts. I simply
- do not want to be in a situation where my software that I develop as a passion
- project on the side is holding people's companies together. That's why I make
- software how and where I do. Like, no offense, but I really do not want to go
- unpaid for my efforts. The existing leech culture of "Open Source" being a pool
- of free labor makes it hard for me to want to have my side projects be actually
- useful like that unless you pay me.</p>
- <p></p><div class="conversation">
-
- <p class="conversation-chat"><<b>Cadey</b>> Okay, part of this may also be an ADHD thing and not really being able to stick
- to projects longer term.</p>
- </div>
-
- <p>TL;DR: If you want me to make you useful software, pay me. If you use software
- made by others in their spare time and find it useful, pay them. This should not
- be a controversial opinion. This should not be a new thing. This should already
- be the state of the world and it is amazingly horrible for us to have the people
- that make the things that make our software work at all starve and beg for
- donations.</p>
|