Another day, another story about the critical role open source software plays for everyone. Let’s quickly remind ourselves of the last big open source crisis from less than a month ago, log4j. Justin Dorfman, writing at VentureBeat, What Log4Shell teaches us about open source security:
And, finally, why does it always seem to take the disclosure of a vulnerability in an open-source program before the world realizes how critical that program is? Is the industry doing enough to recognize what those software packages are and prioritizing their security?
Of course the industry isn’t, and here’s a personal take by Christine Dodrill, “Open Source” is Broken:
TL;DR: If you want me to make you useful software, pay me. If you use software made by others in their spare time and find it useful, pay them. This should not be a controversial opinion. This should not be a new thing. This should already be the state of the world and it is amazingly horrible for us to have the people that make the things that make our software work at all starve and beg for donations.
So now we have everything we need to know to expect what happens next. Emma Roth covers the damage over at The Verge, Open source developer corrupts widely-used libraries, affecting tons of projects:
A developer appears to have purposefully [emphasis mine] corrupted a pair of open-source libraries on GitHub and software registry npm — “faker.js” and “colors.js” — that thousands of users depend on, rendering any project that contains these libraries useless, as reported by Bleeping Computer.
Yup, a sole developer of a critical project had enough. Please read through all the links. It’s really important to realize that the people who started with great ideas and passions are getting burned out by the disrespect of freeloaders.