A place to cache linked articles (think custom and personal wayback machine)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

преди 2 години
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300
  1. <!doctype html><!-- This is a valid HTML5 document. -->
  2. <!-- Screen readers, SEO, extensions and so on. -->
  3. <html lang="fr">
  4. <!-- Has to be within the first 1024 bytes, hence before the `title` element
  5. See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
  6. <meta charset="utf-8">
  7. <!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
  8. <!-- The viewport meta is quite crowded and we are responsible for that.
  9. See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
  10. <meta name="viewport" content="width=device-width,initial-scale=1">
  11. <!-- Required to make a valid HTML5 document. -->
  12. <title>“Open Source” is Broken (archive) — David Larlet</title>
  13. <meta name="description" content="Publication mise en cache pour en conserver une trace.">
  14. <!-- That good ol' feed, subscribe :). -->
  15. <link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
  16. <!-- Generated from https://realfavicongenerator.net/ such a mess. -->
  17. <link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
  18. <link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
  19. <link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
  20. <link rel="manifest" href="/static/david/icons2/site.webmanifest">
  21. <link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
  22. <link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
  23. <meta name="msapplication-TileColor" content="#f7f7f7">
  24. <meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
  25. <meta name="theme-color" content="#f7f7f7" media="(prefers-color-scheme: light)">
  26. <meta name="theme-color" content="#272727" media="(prefers-color-scheme: dark)">
  27. <!-- Documented, feel free to shoot an email. -->
  28. <link rel="stylesheet" href="/static/david/css/style_2021-01-20.css">
  29. <!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
  30. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  31. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  32. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  33. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  34. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  35. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  36. <script>
  37. function toggleTheme(themeName) {
  38. document.documentElement.classList.toggle(
  39. 'forced-dark',
  40. themeName === 'dark'
  41. )
  42. document.documentElement.classList.toggle(
  43. 'forced-light',
  44. themeName === 'light'
  45. )
  46. }
  47. const selectedTheme = localStorage.getItem('theme')
  48. if (selectedTheme !== 'undefined') {
  49. toggleTheme(selectedTheme)
  50. }
  51. </script>
  52. <meta name="robots" content="noindex, nofollow">
  53. <meta content="origin-when-cross-origin" name="referrer">
  54. <!-- Canonical URL for SEO purposes -->
  55. <link rel="canonical" href="https://christine.website/blog/open-source-broken-2021-12-11">
  56. <body class="remarkdown h1-underline h2-underline h3-underline em-underscore hr-center ul-star pre-tick" data-instant-intensity="viewport-all">
  57. <article>
  58. <header>
  59. <h1>“Open Source” is Broken</h1>
  60. </header>
  61. <nav>
  62. <p class="center">
  63. <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
  64. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
  65. </svg> Accueil</a> •
  66. <a href="https://christine.website/blog/open-source-broken-2021-12-11" title="Lien vers le contenu original">Source originale</a>
  67. </p>
  68. </nav>
  69. <hr>
  70. <p>or: Why I Don't Write Useful Software Unless You Pay Me</p>
  71. <p>Recently there was a <a href="https://www.lunasec.io/docs/blog/log4j-zero-day/">massive
  72. vulnerability</a> found in a
  73. critical Java ecosystem package. When fully weaponized, this allows attackers to
  74. coerce Java servers into executing arbitrary code that was fetched from an LDAP
  75. server.</p>
  76. <p></p>
  77. <div class="conversation">
  78. <p class="conversation-chat">&lt;<b>Mara</b>&gt; If this is news to you and you work at a Java shop, I'm sorry but you have a
  79. long couple days ahead.</p>
  80. </div>
  81. <p>I believe this is a perfect microcosm of all of the major ecosystem problems
  82. with "Open Source" software. I have some thoughts about all this, as I think
  83. log4j2 is a <em>perfect</em> example of one of the worst case scenarios for this. It is
  84. perfectly reasonable for everyone involved in this issue to have done all this
  85. for perfectly valid solutions to real-world problems and this also to have
  86. created a massive hole on accident in the process.</p>
  87. <p><center></p>
  88. <p><img src="https://imgs.xkcd.com/comics/dependency.png" alt='the XKCD comic "Dependency", depicting all modern digital infrastructure being held up by some random project made by a thankless anonymous person in Nebraska.'></p>
  89. <p><a href="https://xkcd.com/2347/">XKCD #2347: Dependency</a></p>
  90. <p></center></p>
  91. <p>All software is made on top of the shoulders of giants. Consider something as
  92. basic as running an SSH server on the Linux kernel. In the mix you would have at
  93. least 10 vendors (assuming a minimal Alpine Linux system in its default
  94. configuration), which means that there are at least 10 separate organizations
  95. that still have bills to pay with actual money dollars regardless of the number
  96. of users of the software they are giving away for free. Alpine Linux is also a
  97. great example of this because it is used frequently in Docker contexts to power
  98. many, many companies in production. How many of those companies do you think
  99. fund the Alpine Linux project? How many of those companies do you think even
  100. would even THINK about funding the Alpine Linux project?</p>
  101. <p>I've had this kind of conversation with people before and I've gotten a
  102. surprising amount of resistance to the prospect of actually making sure that the
  103. random smattering of volunteers that LITERALLY MAKE THEIR COMPANY RUN are able
  104. to make rent. There is this culture of taking from open source without giving
  105. anything back. It is like the problems of the people who make the dependencies
  106. are irrelevant.</p>
  107. <p><center></p>
  108. <p><img src="https://christine.website/static/blog/5xi3x7.jpg" alt="A meme based on the Tim and Eric &quot;It's free real estate&quot; template contrasting the idea of open source software maintained by passionate developers with a heartless taking without giving attitude"></p>
  109. <p></center></p>
  110. <p>GitHub stars famously cannot be used to pay rent. An example of this is the
  111. <a href="https://github.com/zloirock/core-js/issues/767"><code>core-js</code> debacle</a>. <code>core-js</code>
  112. is a JavaScript library that gives JavaScript's standard library a lot of core
  113. primitives that can make you not need to reach out to other libraries. This
  114. library is also infamous for letting you know that the author is looking for a
  115. job every time you install it in CI. You probably have seen this message in your
  116. CI a thousand times:</p>
  117. <pre><code>
  118. <span>Thank you for using core-js ( https://github.com/zloirock/core-js ) for
  119. </span><span>polyfilling JavaScript standard library!
  120. </span><span>
  121. </span><span>The project needs your help! Please consider supporting of core-js on Open
  122. </span><span>Collective or Patreon:
  123. </span><span>&gt; https://opencollective.com/core-js
  124. </span><span>&gt; https://www.patreon.com/zloirock
  125. </span><span>
  126. </span><span>Also, the author of core-js ( https://github.com/zloirock ) is looking for a
  127. </span><span>good job :-)
  128. </span>
  129. </code></pre>
  130. <p>The author of the project is either still in prison for vehicular manslaughter
  131. or has just been released. <code>core-js</code> is a dependency of React. How many of you
  132. have actually donated to this project? Especially if you use React?</p>
  133. <p>Now let's turn our eyes to <code>log4j2</code>. This project is effectively in the standard
  134. library for Java users. This library is so ingrained into modern Java that
  135. you'd expect the developers of it would be well-funded and not need to focus on
  136. anything else but that library, right?</p>
  137. <p>No.</p>
  138. <p><center> </center></p>
  139. <p>As of yesterday, there were a grand total of three sponsors for this person's
  140. work. THREE. As of today, this number is now 14; however this is no excuse. This
  141. person should be funded in a level that is appropriate for how critical <code>log4j2</code>
  142. is used in the ecosystem. There is no excuse for this. This person's <em>spare time
  143. passion project</em> is responsible for half of the internet working the way it
  144. should. Vulnerable companies to this issue included Apple, Google, my cell phone
  145. carrier and basically everyone that uses JavaEE in its default configuration.</p>
  146. <p></p>
  147. <div class="conversation">
  148. <p class="conversation-chat">&lt;<b>Cadey</b>&gt; Seriously, I could trigger some part of my cell carrier's infra reaching
  149. out to a DNS server with a specially crafted SMS
  150. message.</p>
  151. </div>
  152. <p>If <code>log4j2</code> is responsible for your company's success, you have a moral
  153. obligation to <a href="https://github.com/sponsors/rgoers">donate to the person who creates this library
  154. thanklessly</a>.</p>
  155. <p></p>
  156. <div class="conversation">
  157. <p class="conversation-chat">&lt;<b>Numa</b>&gt; As for the problem that created this vulnerability in the first place: what
  158. where they THINKING when they allowed user-submitted untrusted strings to
  159. contain JDNI references that would then cause the JVM to load arbitrary bytecode
  160. into ram and then run it without having to specify that in the format string to
  161. begin with? Like why would you even need to do that in the <em>user-supplied</em> part
  162. of the format string? What would this even accomplish other than being a great
  163. way to get a shell whenever you wanted?</p>
  164. </div>
  165. <p>There is a friend of mine who has been thanklessly maintaining an online radio
  166. station stack for a long time. He has been abused by his users. Users will throw
  167. 5 bucks in the tip jar and then get very angry when he doesn't drop everything
  168. and fix their incredibly specific problems on a moment's notice. He has tried to
  169. get jobs at places, but every time they keep trying to screw him out of
  170. ownership of his own projects and he has to turn them down. Meanwhile the cash
  171. bleed continues.</p>
  172. <p>This is why I am very careful about how I make "useful" software and release it
  173. to the world without any solid way for me to get paid for my efforts. I simply
  174. do not want to be in a situation where my software that I develop as a passion
  175. project on the side is holding people's companies together. That's why I make
  176. software how and where I do. Like, no offense, but I really do not want to go
  177. unpaid for my efforts. The existing leech culture of "Open Source" being a pool
  178. of free labor makes it hard for me to want to have my side projects be actually
  179. useful like that unless you pay me.</p>
  180. <p></p>
  181. <div class="conversation">
  182. <p class="conversation-chat">&lt;<b>Cadey</b>&gt; Okay, part of this may also be an ADHD thing and not really being able to stick
  183. to projects longer term.</p>
  184. </div>
  185. <p>TL;DR: If you want me to make you useful software, pay me. If you use software
  186. made by others in their spare time and find it useful, pay them. This should not
  187. be a controversial opinion. This should not be a new thing. This should already
  188. be the state of the world and it is amazingly horrible for us to have the people
  189. that make the things that make our software work at all starve and beg for
  190. donations.</p>
  191. </article>
  192. <hr>
  193. <footer>
  194. <p>
  195. <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
  196. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
  197. </svg> Accueil</a> •
  198. <a href="/david/log/" title="Accès au flux RSS"><svg class="icon icon-rss2">
  199. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-rss2"></use>
  200. </svg> Suivre</a> •
  201. <a href="http://larlet.com" title="Go to my English profile" data-instant><svg class="icon icon-user-tie">
  202. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-user-tie"></use>
  203. </svg> Pro</a> •
  204. <a href="mailto:david%40larlet.fr" title="Envoyer un courriel"><svg class="icon icon-mail">
  205. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-mail"></use>
  206. </svg> Email</a> •
  207. <abbr class="nowrap" title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340"><svg class="icon icon-hammer2">
  208. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-hammer2"></use>
  209. </svg> Légal</abbr>
  210. </p>
  211. <template id="theme-selector">
  212. <form>
  213. <fieldset>
  214. <legend><svg class="icon icon-brightness-contrast">
  215. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-brightness-contrast"></use>
  216. </svg> Thème</legend>
  217. <label>
  218. <input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
  219. </label>
  220. <label>
  221. <input type="radio" value="dark" name="chosen-color-scheme"> Foncé
  222. </label>
  223. <label>
  224. <input type="radio" value="light" name="chosen-color-scheme"> Clair
  225. </label>
  226. </fieldset>
  227. </form>
  228. </template>
  229. </footer>
  230. <script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
  231. <script>
  232. function loadThemeForm(templateName) {
  233. const themeSelectorTemplate = document.querySelector(templateName)
  234. const form = themeSelectorTemplate.content.firstElementChild
  235. themeSelectorTemplate.replaceWith(form)
  236. form.addEventListener('change', (e) => {
  237. const chosenColorScheme = e.target.value
  238. localStorage.setItem('theme', chosenColorScheme)
  239. toggleTheme(chosenColorScheme)
  240. })
  241. const selectedTheme = localStorage.getItem('theme')
  242. if (selectedTheme && selectedTheme !== 'undefined') {
  243. form.querySelector(`[value="${selectedTheme}"]`).checked = true
  244. }
  245. }
  246. const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
  247. window.addEventListener('load', () => {
  248. let hasDarkRules = false
  249. for (const styleSheet of Array.from(document.styleSheets)) {
  250. let mediaRules = []
  251. for (const cssRule of styleSheet.cssRules) {
  252. if (cssRule.type !== CSSRule.MEDIA_RULE) {
  253. continue
  254. }
  255. // WARNING: Safari does not have/supports `conditionText`.
  256. if (cssRule.conditionText) {
  257. if (cssRule.conditionText !== prefersColorSchemeDark) {
  258. continue
  259. }
  260. } else {
  261. if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
  262. continue
  263. }
  264. }
  265. mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
  266. }
  267. // WARNING: do not try to insert a Rule to a styleSheet you are
  268. // currently iterating on, otherwise the browser will be stuck
  269. // in a infinite loop…
  270. for (const mediaRule of mediaRules) {
  271. styleSheet.insertRule(mediaRule.cssText)
  272. hasDarkRules = true
  273. }
  274. }
  275. if (hasDarkRules) {
  276. loadThemeForm('#theme-selector')
  277. }
  278. })
  279. </script>
  280. </body>
  281. </html>