The whole #Log4Shell kerfuffle is yet another reminder that the relationship between enterprises and the open source ecosystem is just broken. We, and I am sure many other foundations, are getting requests from enterprise IT depts "is version X from 2014 of project Y affected?"
These are B$ companies that have never ever contributed to these projects in any way. Not a single issue, patch, dollar, or even a thank you. And yet when the shit hits the fan the software is "strategic" or "critical infrastructure".
As a gross generalization I think tech companies have largely figured out that they should contribute/support the projects that they have dependencies on. It's not perfect, but it's certainly improving.
Enterprises still have not figured out that with digitalization they are also now tech companies and their dependencies on open source are business critical and need to be nurtured. Open source is free as in free puppies. You need to take care of it.
And enterprise OSPOs are not helping, at least not yet. Focusing on inbound compliance is not going to fix this abusive relationship. That's part of the reason why we support OSPO Zone and its Good Governance Initiative which promotes participation ospo.zone/ggi/
Continuing to push more stuff onto the backs of individual open source developers and their projects is failing. I do think foundations may be part of the solution, but other than (perhaps) the LF none have the resources to build the infra and support required
<end>
<end>
• • •
Missing some Tweet in this thread? You can try to
force a refresh
