Cadey is coffee
<Cadey> Hello! Thank you for visiting my website. You seem to be using an ad-blocker. I understand why you do this, but I'd really appreciate if it you would turn it off for my website. These ads help pay for running the website and are done by Ethical Ads. I do not receive detailed analytics on the ads and from what I understand neither does Ethical Ads. If you don't want to disable your ad blocker, please consider donating on Patreon or sending some extra cash to xeiaso.eth or 0xeA223Ca8968Ca59e0Bc79Ba331c2F6f636A3fB82. It helps fund the website's hosting bills and pay for the expensive technical editor that I use for my longer articles. Thanks and be well!

"Open Source" is Broken

Read time in minutes: 9

or: Why I Don't Write Useful Software Unless You Pay Me

Recently there was a massive vulnerability found in a critical Java ecosystem package. When fully weaponized, this allows attackers to coerce Java servers into executing arbitrary code that was fetched from an LDAP server.

Mara is hacker
<Mara> If this is news to you and you work at a Java shop, I'm sorry but you have a long couple days ahead.

I believe this is a perfect microcosm of all of the major ecosystem problems with "Open Source" software. I have some thoughts about all this, as I think log4j2 is a perfect example of one of the worst case scenarios for this. It is perfectly reasonable for everyone involved in this issue to have done all this for perfectly valid solutions to real-world problems and this also to have created a massive hole on accident in the process.

the XKCD comic "Dependency", depicting all modern digital infrastructure being held up by some random project made by a thankless anonymous person in Nebraska.

XKCD #2347: Dependency

All software is made on top of the shoulders of giants. Consider something as basic as running an SSH server on the Linux kernel. In the mix you would have at least 10 vendors (assuming a minimal Alpine Linux system in its default configuration), which means that there are at least 10 separate organizations that still have bills to pay with actual money dollars regardless of the number of users of the software they are giving away for free. Alpine Linux is also a great example of this because it is used frequently in Docker contexts to power many, many companies in production. How many of those companies do you think fund the Alpine Linux project? How many of those companies do you think even would even THINK about funding the Alpine Linux project?

I've had this kind of conversation with people before and I've gotten a surprising amount of resistance to the prospect of actually making sure that the random smattering of volunteers that LITERALLY MAKE THEIR COMPANY RUN are able to make rent. There is this culture of taking from open source without giving anything back. It is like the problems of the people who make the dependencies are irrelevant.

A meme based on the Tim and Eric "It's free real estate" template contrasting the idea of open source software maintained by passionate developers with a heartless taking without giving attitude

GitHub stars famously cannot be used to pay rent. An example of this is the core-js debacle. core-js is a JavaScript library that gives JavaScript's standard library a lot of core primitives that can make you not need to reach out to other libraries. This library is also infamous for letting you know that the author is looking for a job every time you install it in CI. You probably have seen this message in your CI a thousand times:


Thank you for using core-js ( https://github.com/zloirock/core-js ) for
polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open
Collective or Patreon:
> https://opencollective.com/core-js 
> https://www.patreon.com/zloirock 

Also, the author of core-js ( https://github.com/zloirock ) is looking for a
good job :-)

The author of the project is either still in prison for vehicular manslaughter or has just been released. core-js is a dependency of React. How many of you have actually donated to this project? Especially if you use React?

Now let's turn our eyes to log4j2. This project is effectively in the standard library for Java users. This library is so ingrained into modern Java that you'd expect the developers of it would be well-funded and not need to focus on anything else but that library, right?

No.

As of yesterday, there were a grand total of three sponsors for this person's work. THREE. As of today, this number is now 14; however this is no excuse. This person should be funded in a level that is appropriate for how critical log4j2 is used in the ecosystem. There is no excuse for this. This person's spare time passion project is responsible for half of the internet working the way it should. Vulnerable companies to this issue included Apple, Google, my cell phone carrier and basically everyone that uses JavaEE in its default configuration.

Cadey is facepalm
<Cadey> Seriously, I could trigger some part of my cell carrier's infra reaching out to a DNS server with a specially crafted SMS message.

If log4j2 is responsible for your company's success, you have a moral obligation to donate to the person who creates this library thanklessly.

Numa is stare
<Numa> As for the problem that created this vulnerability in the first place: what where they THINKING when they allowed user-submitted untrusted strings to contain JDNI references that would then cause the JVM to load arbitrary bytecode into ram and then run it without having to specify that in the format string to begin with? Like why would you even need to do that in the user-supplied part of the format string? What would this even accomplish other than being a great way to get a shell whenever you wanted?

There is a friend of mine who has been thanklessly maintaining an online radio station stack for a long time. He has been abused by his users. Users will throw 5 bucks in the tip jar and then get very angry when he doesn't drop everything and fix their incredibly specific problems on a moment's notice. He has tried to get jobs at places, but every time they keep trying to screw him out of ownership of his own projects and he has to turn them down. Meanwhile the cash bleed continues.

This is why I am very careful about how I make "useful" software and release it to the world without any solid way for me to get paid for my efforts. I simply do not want to be in a situation where my software that I develop as a passion project on the side is holding people's companies together. That's why I make software how and where I do. Like, no offense, but I really do not want to go unpaid for my efforts. The existing leech culture of "Open Source" being a pool of free labor makes it hard for me to want to have my side projects be actually useful like that unless you pay me.

Cadey is coffee
<Cadey> Okay, part of this may also be an ADHD thing and not really being able to stick to projects longer term.

TL;DR: If you want me to make you useful software, pay me. If you use software made by others in their spare time and find it useful, pay them. This should not be a controversial opinion. This should not be a new thing. This should already be the state of the world and it is amazingly horrible for us to have the people that make the things that make our software work at all starve and beg for donations.

This article was posted on M12 11 2021. Facts and circumstances may have changed since publication Please contact me before jumping to conclusions if something seems wrong or unclear.

Tags: rant

This post was not WebMentioned yet. You could be the first!

The art for Mara was drawn by Selicre.

The art for Cadey was drawn by ArtZorea Studios.