On Tue, Jan 25, 2022, at 4:33 PM, Phil Smith III wrote:
> Forty years ago, vendors barely spoke to each other; now we OEM and embed
> each other's products. Same with open source: using random code from an
> unknown author would have been unthinkable; now it's common. 

Is that really what you think is going on?
The economics of open source are about *reuse*. The overwhelming majority of 
software these days is built with it for that reason. Good developers are 
very careful about what open source they use. Good companies have 
policies and processes for approving any open source used internally. What's 
the alternative, write everything from scratch? Surely there will be no 
vulnerabilities there :-) There are complex trade-offs here that haven't been 
touched as yet on ibm-main.

What's shocking about the LOG4J vulnerability is that it has been a quality 
component used by thousands of projects for so long (20 years? not sure 
exactly). People armed with no understanding of the vulnerability or even Java 
immediately began contacting all of their software vendors, even products that 
clearly don't even use Java. This only made the problem worse.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN