Was busy doing a review post of my new #1 Linux ‘Desktop Duty’ OS, when I decided to take my daily nap. Took care of some lingering chores when I woke up, then went back to this computer, and started doing the review post again; however, first I wanted to see what was happening at LWN.net.
‘What was happening’ wasn’t what caught my attention, but ‘What had already happened’ in the Archives certainly did!? 🤔
snip.. The reaction to this vulnerability has been swift and strong. Some commenters are asserting that “open source is broken”. Anybody who hadn’t seen xkcd #2347 before has probably encountered it by now. Has our community failed as badly as some would have it? In short, there would appear to be two broad shortcomings highlighted by this episode, relating to dependencies and maintainers.
snip.. “Stepping up” means supporting maintainers as well as developers; it is with maintainers that the problem is often most acute. Even a project like the Linux kernel, which has thousands of developers who are paid for their work, struggles to find support for maintainers. Companies, it seems, see maintainership work as overhead at best, helping competitors at worst, and somebody else’s problem in any case. Few companies reward their employees for acting as maintainers, so many of them end up doing that work on their own time. The result is projects with millions of downloads whose maintenance is done in somebody’s free time — if it is done at all.
I don’t know what 99% of the ‘Stuff’ means, but people using Free Software because it’s free need to start forking over some financial support instead of Lip Service, IMHO. BTW, that’s a must-read ’n now Free Article!
I believe this is a perfect microcosm of all of the major ecosystem problems with “Open Source” software. I have some thoughts about all this, as I think log4j2 is a perfect example of one of the worst-case scenarios for this. It is perfectly reasonable for everyone involved in this issue to have done all this for perfectly valid solutions to real-world problems and this also to have created a massive hole by accident in the process.
All software is made on top of the shoulders of giants. Consider something as basic as running an SSH server on the Linux kernel. In the mix you would have at least 10 vendors (assuming a minimal Alpine Linux system in its default configuration), which means that there are at least 10 separate organizations that still have bills to pay with actual money dollars regardless of the number of users of the software they are giving away for free. Alpine Linux is also a great example of this because it is used frequently in Docker contexts to power many, many companies in production. How many of those companies do you think fund the Alpine Linux project? How many of those companies do you think would even THINK about funding the Alpine Linux project?
LINUX IS LIKE A BOX OF CHOCOLATES – you never know what you’re gonna get!