In addition to revealing a lot of attack surface hiding in plain sight, the recent log4j exploit has exposed a rift in open source software. The log4j packages are maintained by a very small number of people, and a single person created the patch that had to be applied to protect the software from the attacks that have cost IT teams so many working hours this week.
Christine Dodrill has a perspective on this too. Being a software developer means watching large companies take your passion projects and turn them into money. That money rarely finds its way back to the people who maintain the projects. In essence, the entire Internet is running on software built by volunteers who will never get the rewards they deserve for all their hard work.
Christine goes on to talk about how this kind of system drives developers to be very cautious about how their software is used, and about what it feels like to have your hard work appropriated:
This is why I am very careful about how I make “useful” software and release it to the world without any solid way for me to get paid for my efforts. I simply do not want to be in a situation where my software that I develop as a passion project on the side is holding people’s companies together. That’s why I make software how and where I do. Like, no offense, but I really do not want to go unpaid for my efforts. The existing leech culture of “Open Source” being a pool of free labor makes it hard for me to want to have my side projects be actually useful like that unless you pay me.
Read more here: “Open Source” is Broken