(This post was originally written in January 2022. It might seem a bit dated now, but just wait until the next time Open Source Discourse rears its ugly head; it will seem prescient then.)
My condolences go out to the log4j developers, whom I’m sure have had a busy month. I’m not going to recap the finer points of what happened, because that’s been done to death already. But the very condensed story is that lots of projects, including many important projects by for-profit corporations, depend on log4j, and then it turned out that log4j had a critical vulnerability that compromised all these projects, and that fixing the vulnerability turned out to be a major undertaking.
Being an open source developer during a zero-day is like being a volunteer firefighter. You’re underappreciated and underfunded. When things go right, no one notices you. When things go wrong, people demand that you fix it. It’s a stressful, thankless job that doesn’t come with any guarantee of pay or respect, even though anyone willing to undertake such stress and such risks for the sake of a public good certainly deserves both. It’s a position motivated by the desire to help your community, and it comes with freeloaders who profit from the service without paying for it.
The difference is, we tend not to call people who depend on volunteer fire departments “freeloaders.”
log4j was released under an Apache License 2.0, which allows every company who used log4j to do so without requiring payment, or any obligation to give back to the open-source community. It’s not entirely for free however; in return, these companies release log4j of any liability stemming from the use of their library… liability which, at the moment there seems to be a rather lot of.
The log4j developers were not liable for what happened. I’m sure they knew that. Yet, they knew the potential for collateral damage to innocent users that this vulnerability held, recognized that they were in a unique position to fix it, and took it upon themselves to patch the vulnerability and help users mitigate the damage. One of the developers, Volkan Yazici, voluntarily worked 22 hour shifts to help users mitigate the damage. (https://www.technologyreview.com/2021/12/17/1042692/log4j-internet-open-source-hacking/ ) And then, feeling burned out and frustrated, he went to vent on Twitter. (https://twitter.com/yazicivo/status/1469349956880408583?lang=en)
This post would go on to fuel an incredible amount of discourse about the relationship between big tech companies and open source projects. About what is owed to these developers, and by whom.
Yazici’s position deserves a lot of sympathy, not just in spite of the fact that he volunteered, but because of the fact that he volunteered. We often encounter situations where people are unfairly burdened by circumstances, where we have the power, but not the obligation, to relieve that burden. And when doing so puts a burden on us, we reserve the right to complain about it, even though this is the outcome we chose.
I hope that if I were in their position, I would do the same. Although if I were in their position, I would be sorely tempted to wait until one of the major companies using log4j agreed to pay a generous hourly rate for my support. The point wouldn’t be to hold these innocent users hostage until the companies pay up, but rather to acknowledge that these companies also have the power to fix this mess they created, by using the same free market that they live and die by. To remind these companies that there are costs to relying on software that has no promise of support, that if they want the guarantee of safety, they need to either take on that support burden themselves or pay someone else to. If I’m going to be donating my time and energy to patch a major vulnerability, I want to make sure that I’m bailing out the innocent people affected, not the companies that put them in peril in the first place.
But the log4j developers didn’t try to use this crisis to coax funding from corporations, because their motivation wasn’t to profit, but to help a community in crisis. It wasn’t about payment or recognition, but about creating something good and putting it into the world. This was, after all, why the project was published under such a permissive license in the first place.
A brief aside about licenses: Picking a license is important. For example, this blog is a Creative Commons By Attribution license. Is that the right license for this? Do I believe that I am entitled to attribution for my work? I’m not sure. Would attribution be nice? Certainly. If someone uses the content in this blog without giving me credit, am I going to sue them? Probably not. Lawsuits are a massive headache, and more importantly, it’s not clear how someone using my content without attribution harms me, and I’m a staunch believer that lawsuits should prove some demonstrable harm in order to be moral.
So if attribution is more of a preference than an actual practical requirement, why choose a license that requires it? Why not choose a minimal CC license and just add a bit about “if you use this, it sure would be nice to give me a shout-out”? Because I can’t predict how people will use my work once it’s been released into the world, and it’s completely possible that someone will come up with a creative use of my work that I never would have thought of and that I find objectionable. Choosing a specific license gives me the right to enforce my rights later in response to unforseen circumstances, but only if that behavior runs afoul of the license. If I went with a minimal CC license, and then someone uses my work in a way that I believe is unfair but is fully within the scope of the license, then I have every right to complain about it, but the world has every right to think I’m being rather silly for getting mad at someone for doing something I explicitly allowed them to do by choosing such a minimal license.
My point is that choosing a license is not a decision to be made lightly. I’m a huge proponent of open licensing, but I would strongly urge anyone considering publishing under such a license to make sure that they understand the ramifications of the license they choose, because these licenses are non-revocable.
log4j was published under a license that explicitly allows large companies to profit off of the code, without requiring any contribution in return. It’s possible that the devs fully anticipated that this would happen. It’s also possible that they didn’t. But the choice of license gives us insight into the project’s values and intent.
As far as I saw, no one directly involved with log4j was saying anything about feeling obligated to make the bigger users pony up. This was done entirely by the community on their behalf. The developers recognized that this was a situation that they put themselves in voluntarily, because they recognized that they were uniquely qualified to prevent the suffering of a lot of innocent bystanders. And they deserve to get credit for it. I’d even say that they deserve funding for providing such an important public service. But where that funding ought to come from is a nuanced question, and it’s not at all clear that the answer is, “from the people who used our code in accordance with the license that it was published under.”
But this isn’t the end of the story. Yazici’s plight didn’t just lead to discourse and debate. Clearly, it wouldn’t be enough to just react to fires.
It was a matter of time until one person decided to start one.
Next week we talk about faker.js, and what happens when the fire comes from inside the house.