
Log4j vulnerability: Why your hot take on it is wrong
2021-12-15 09:56

Commentary: Those searching for a single cause of the Log4j vulnerability - whether it's that open source is not secure, or that open source is not sustainable - are getting it wrong.

Open source isn't a security problem, and open source sustainability is a complicated issue.

"I've avoided a hot take on the log4j situation because frankly I'm tired of tech hot takes. However, my not hot take hot take is that bugs happen, some of them very bad, and they occur for a set of complex reasons. Complaining about the villain of the day is a red herring, and over-focusing on one cause leads to no real improvement. We are all human and juggling a mountain of constraints; it's a miracle that tech works 1% as well as it does."

Regardless of whether you agree with Shafer's point above, we won't magically rid Log4j, or any other open source software, of bugs simply by throwing money at maintainers.

Security in open source is a process, not something you get merely by licensing code under an open source license.

By all means, let's ensure open source contributors are paid, but let's not celebrate our silly hot takes that try to reduce the Log4j problem to one thing.


News URL

https://www.techrepublic.com/article/log4j-vulnerability-your-hot-take-is-wrong/#ftag=RSS56d97e7