Will It Take More Than Open Source Funding To Prevent the Next Log4j?

"While the lack of funding in open source is certainly a problem, could funding have prevented the Log4j vulnerabilities?" asks Mike Melanson's "This Week in Programming" column. Would funding prevent similar vulnerabilities in the future?

Is that an oversimplification? In a post for the Linux Foundation's Open Source Security Foundation (OpenSSF), Brian Behlendorf argued that open source foundations must work together to prevent the next Log4Shell scramble. Funding was not mentioned among his seven points, which include security scanning, outside audits, dependency tracking, test frameworks, organization-wide security teams, and requiring projects to remove old, vulnerable code. According to Behlendorf, too many organizations have failed to apply the funds they raised, or to set process standards, toward improving their security practices, and have tilted in favor of quantity of code over quality. "None of the above practices is about paying developers more, or redirecting funds directly from users of software to developers," Behlendorf continued. "Open source developers and the people who support them should be paid more and appreciated more. It would be an insult to most maintainers to suggest that they would have written more secure code if you'd just put more money in their pockets. It's fair to say a tragedy-of-the-commons hits when every downstream user assumes that these practices are being done and paid for by someone else."

He does make some points about funds and raising money, but his emphasis is on how funds are allocated: they need to be focused on things like paid audits and on providing the resources to move critical projects, or critical segments of code, to memory-safe languages.

The OpenSSF will be working in the new year to raise the floor for security in open source. He wrote that the only way to do this effectively is to develop tools, guidance, and standards that make adoption by the open source community both encouraged and practical, and that grants will be made to other open source projects to help them improve their security practices.


Behlendorf was a co-founder of the Apache Software Foundation, whose Logging Services project maintains Log4j. He calls the Log4j vulnerabilities a "humbling reminder of just how far we still have to go."