Someone I work with shared a tweet claiming that Log4j, the logging library with the remote code execution vulnerability that was discovered late last week, is maintained by two unpaid developers. I cannot confirm the claim that the maintainers were unpaid (although I can believe it), but looking at the commit log, the claim about the project being maintained by only two people looks plausible.
I really feel for these two. It must be difficult to be one of these maintainers, working on a project, possibly on your own time, that is used by some of the richest companies in the world, and seeing little contribution in return. And now they have to respond to this vulnerability.
Maybe it’s time we reconsider how we approach open source projects before we start using them. Open source is a great thing in our industry, but it feels a little unfair to those volunteering their time to work on such critical libraries. They see very little of the upside from what is built on their work, yet they have to deal with any issues that arise from it.