Hi all,

Some interesting reading:

https://www.theregister.com/2022/01/13/opensource_apacheplc4x_payment/

https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/

As established thus far, there is no impact on NetBeans for the log4j
situation in terms of attack vectors, since NetBeans doesn't use v2 and the
v1 scenario doesn't apply to NetBeans.

However, there are other issues involved here, as described in the links
above.

When I see out of nowhere e-mails arriving here from addresses that we've
never heard of, with domain names that are clearly large multinational
enterprises, who we never hear of except now that there is potentially a
security hole in the software they've been freeloading without contributing
anything to, well, it's unacceptable. And we never hear from those e-mail
addresses again after calming their concern, until the next time, etc.

For me personally, I may be arriving at a situation where I'm going to be
ignoring e-mails clearly coming from corporations and (to avoid those
people switching to gmail accounts) to people not participating at all
other than raising issues and demanding immediate assistance and asking for
help in one way or another.

The choices you have are simple: pay money to a commercial provider or pay
time to the open source projects you're using. Time does not mean filing an
issue and it does not mean writing a mail voicing your frustration. It
means responding to other people when they have questions and at least
investigating the issue you're reporting since after all you're a developer
and all of NetBeans is on GitHub for you to investigate.

I'm not writing this on behalf of the PMC but just under my own name and
title. :-)

Gj
