You just shook my tree to start contributing again, I have been a bit quiet lately due to time constraints, but I do mean to get back on the horse.
On Fri, 14 Jan 2022 at 22:08, Geertjan Wielenga <geert...@apache.org> wrote: > Hi all, > > Some interesting reading: > > https://www.theregister.com/2022/01/13/opensource_apacheplc4x_payment/ > > > https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/ > > As established thus far, there is no impact on NetBeans for the log4j > situation in terms of attack vectors, since NetBeans doesn't use v2 and the > v1 scenario doesn't apply to NetBeans. > > However, there are other issues involved here, as described in the links > above. > > When I see out of nowhere e-mails arriving here from addresses that we've > never heard of, with domain names that are clearly large multinational > enterprises, who we never hear of except now that there is potentially a > security hole in the software they've been freeloading without contributing > anything to, well, it's unacceptable. And we never hear from those e-mail > addresses again after calming their concern, until the next time, etc. > > For me personally, I may be arriving at a situation where I'm going to be > ignoring e-mails clearly coming from corporations and (to avoid those > people switching to gmail accounts) to people not participating at all > other than raising issues and demanding immediate assistance and asking for > help in one way or another. > > The choices you have are simple: pay money to a commercial provider or pay > time to the open source projects you're using. Time does not mean filing an > issue and it does not mean writing a mail voicing your frustration. It > means responding to other people when they have questions and at least > investigating the issue you're reporting since after all you're a developer > on all of NetBeans is on GitHub for you to investigate. > > I'm not writing this on behalf of the PMC but just under my own name and > title. :-) > > Gj >
