For something so important, you might expect the world’s biggest tech companies and governments to hire hundreds of highly paid experts to fix the flaw quickly.
The truth is different: Log4J, which has long been a staple of basic internet infrastructure, was founded as a volunteer project and is still run largely for free, even though many multi-million- and billion-dollar companies depend on it and benefit from it every day. Yazici and his team are trying to fix it for next to nothing.
This strange situation is common in the world of open source software, programs that allow anyone to inspect, modify, and use their code. It’s a decades-old idea that has become essential to the functioning of the Internet. When all goes well, open source is a collaborative triumph. When things go wrong, it is a major danger.
“Open source runs the Internet and, by extension, the economy,” explains Filippo Valsorda, a developer who works on open source projects at Google. And yet, he explains, “It is extremely common, even for basic infrastructure projects, to have a small team of maintainers, or even a single maintainer who is not paid to work on this project.”
“The team is working around the clock,” Yazici told me by email when I first contacted him. “And my 6am to 4am shift (no, there’s no typo in the time) just ended.”
In the midst of his long days, Yazici took the time to push back at critics, tweeting that “Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, responses to inquiries, etc. Still, there’s nothing stopping people from criticizing us, for work we don’t get paid for, for a feature we all dislike but had to keep due to backward compatibility concerns.”
Before the Log4J vulnerability made this obscure but ubiquitous software headline news, project maintainer Ralph Goers had a grand total of three minor sponsors supporting his work. Goers, who works on Log4J in addition to a full-time job, is tasked with fixing the faulty code and putting out a fire that is causing millions of dollars in damage. It’s a huge workload for a spare-time pursuit.
Underfunding open source software is “a systemic risk for the United States, for critical infrastructure, for banking, for finance,” said Chris Wysopal, chief technology officer at security firm Veracode. “The open source ecosystem is very important for critical infrastructure, with Linux, Windows and fundamental Internet protocols. These are the main systemic risks for the Internet.”