Kirk Wolf wrote:

> Is that really what you think is going on?
>
> The economics of open source are about *reuse*. The overwhelming majority of software these days is built with it for that reason. Good developers are very careful about what open source they use. Good companies have policies and processes for approving any open source used internally. What's the alternative, write everything from scratch? Surely there will be no vulnerabilities there :-) There are complex trade-offs here that haven't been touched as yet on ibm-main.
I guess I didn't make myself clear, because what you wrote is precisely how I think. Not sure what you took from what I wrote that was different; not being pissy, just noting that we seem to be in violent agreement!

Yes, in days of yore, you'd write it all from scratch. And I was trying to say that that was NOT necessarily more secure: it was a different environment, so things didn't matter as much. There weren't a million monkeys banging on the door with typewriters.

> What's shocking about the LOG4J vulnerability is that it has been a quality component used by thousands of projects for so long (20 years?, not sure exactly). People armed with no understanding of the vulnerability or even Java immediately began contacting all of their software vendors, even products that clearly don't even use Java. This only made the problem worse.

Yes. I think I've noted before that the "given enough eyeballs, all bugs are shallow" line, while not intended as a justification for blind use of open source, seems to have been used as such. The log4j debacle should (but won't) convince folks that it should not be.

And what may be a repeat, but something I wrote elsewhere and perhaps here: it's also worth noting that a feature conceptually very, very similar to the log4j thing existed almost 40 years ago, in PROFS. DCF included a .sy command that would execute a system command. So, as a friend realized, you could send someone a document that did something nasty, like erase all their files or log them off (or send the CEO a message saying "You're a ****"), simply by reading it. IBM took this as a SEV1 and fixed it; decades later, we've spent the last while dealing with essentially the same dumb feechur.

So over how many years, how many people saw this feature and didn't say "Hey, you could do Very Bad Things with that"??! Amazing.
---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN