A new wave of moral panic about funding open-source is rolling through the IT circles, with a prominent Google dev ranting about #log4j being developed by “2 devs, 1 unpaid” and that “open-source needs to grow up”.
The Dependency xkcd cartoon has been frequently posted in response, as if in a kind of ritual to shrug and move on. We saw the same reactions in the context of vulnerabilities in ImageMagick, Heartbleed, npm, etc. And everybody did move on.
For everyone wondering why, it’s simple: it’s because shareholders prefer to pay themselves dividends rather than optional donations to FOSS.
In #infosec we have a certain bias where we do not consider risk acceptance a valid strategy. Vulnerabilities need to be removed or mitigated, otherwise we feel bad.
But business doesn’t work this way - risk acceptance (you know about a risk and you ignore it) and risk ignorance (you don’t know about potential risks and don’t want to) are perfectly valid strategies, which are successful in “evolutionary” terms simply because they do work.
Apart from a few social media rants, nobody really abandoned Zoom, Microsoft or Adobe after a series of truly devastating vulnerabilities, did they? The companies continued to profit, and the industry at best was compassionate. These were critical vulnerabilities in their paid-for code, and I know first-hand how hard it is to get funding for a basic software security program in large companies.
So why should they even worry about open-source? Yes, I’m rather cynical here, but it’s well-informed and mature cynicism.
I do open-source myself and don’t really depend on any funding because I do it for other reasons (self-development, fame, research).
Will I continue to do it tomorrow or in 5 years? No idea.
What will I say to anyone from a for-profit company complaining I didn’t fix a bug or discontinued development? “Fuck off, I owe nothing to you”.