Please consider supporting MIT Technology Review's journalism by subscribing.
For something this important, you might expect the world's biggest tech firms and governments to hire hundreds of highly paid experts to fix the flaw quickly.
The reality is different: Log4j, long a critical part of basic internet infrastructure, was founded as a volunteer project and is still largely run for free, even though many million- and billion-dollar companies rely on it and profit from it every day. Yazıcı and his team are trying to fix the situation with almost nothing to work with.
This awkward situation is routine in the world of open source software, which allows anyone to review, modify, and use its code. It’s a decades-old idea that has become critical to the functioning of the internet. When it goes right, open source is a collaborative triumph. When it goes wrong, it’s a far-reaching danger.
“Open source drives the internet and, by extension, the economy,” says Filippo Valsorda, a developer at Google who works on open source projects. Still, he explains, “even on key infrastructure projects it’s extremely common to have a small maintenance team, or even a single maintainer who isn’t paid to work on that project.”
No recognition
"The team works 24 hours a day," Yazıcı told me by e-mail when I first reached him. "And my 6am to 4am (no, no typos in the time) shift has just ended."
In the midst of those long days, Yazıcı pushed back at critics, tweeting: "Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to questions, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, over a feature we all dislike but need to keep because of backward compatibility concerns."
Before the Log4j vulnerability turned this obscure but ubiquitous software into headline news, project leader Ralph Goers had a total of three minor sponsors backing his work. Working on Log4j alongside a full-time job, Goers is responsible for fixing the faulty code and putting out a fire that has caused millions of dollars in damage. An enormous workload for something done in his spare time.
Chris Wysopal, chief technology officer at security firm Veracode, says underfunding of open source software is “a systemic risk to the United States, critical infrastructure, banking and finance.” “The open source ecosystem is essential for critical infrastructure with Linux, Windows and basic internet protocols. These are the most important systemic risks of the internet.”