> When I see out of nowhere e-mails arriving here from addresses that we've
> never heard of, with domain names that are clearly large multinational
> enterprises, who we never hear of except now that there is potentially a
> security hole in the software they've been freeloading without contributing
> anything to, well, it's unacceptable.
One possible response is: "My company, Foobar LLC, specializes in NetBeans development, and can offer to do a security review of NetBeans wrt. the aforementioned log4j vulnerability. This will cost $1,500 and can be completed by Tuesday." There are some companies that will actually pay for these things. (See e.g. https://www.sqlite.org/purchase/license )

-- Eirik

-----Original Message-----
From: Geertjan Wielenga <[email protected]>
Sent: Friday, January 14, 2022 6:07 AM
To: dev <[email protected]>
Subject: Log4J and its consequences for NetBeans and open source in general

Hi all,

Some interesting reading:

https://www.theregister.com/2022/01/13/opensource_apacheplc4x_payment/
https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/

As established thus far, there is no impact on NetBeans for the log4j situation in terms of attack vectors, since NetBeans doesn't use v2 and the v1 scenario doesn't apply to NetBeans. However, there are other issues involved here, as described in the links above.

When I see out of nowhere e-mails arriving here from addresses that we've never heard of, with domain names that are clearly large multinational enterprises, who we never hear of except now that there is potentially a security hole in the software they've been freeloading without contributing anything to, well, it's unacceptable. And we never hear from those e-mail addresses again after calming their concern, until the next time, etc.

For me personally, I may be arriving at a situation where I'm going to be ignoring e-mails clearly coming from corporations and (to avoid those people switching to gmail accounts) to people not participating at all other than raising issues and demanding immediate assistance and asking for help in one way or another.

The choices you have are simple: pay money to a commercial provider or pay time to the open source projects you're using.
Time does not mean filing an issue and it does not mean writing a mail voicing your frustration. It means responding to other people when they have questions and at least investigating the issue you're reporting, since after all you're a developer and all of NetBeans is on GitHub for you to investigate.

I'm not writing this on behalf of the PMC but just under my own name and title. :-)

Gj
