“We’re skiing on top of a pretty good avalanche of support… that is looking at how we help uplift the open source community.”
“They have a particular role in this ecosystem, they’re volunteer based, and a lot of the projects are governed according to how they want to run the projects, so there’s a lot of variety there, and they also have a lot of strong opinions about what should and shouldn’t be happening within their communities,” said Adkins. “We can learn a lot about the benefits of the open source community having the freedom to run software the way they run software, but we also learned there are millions if not billions of people relying on them getting it right.”
Adkins said that many times the fixes in the open source community are done “in the open,” meaning that anyone keeping an eye on the Apache Software Foundation’s (ASF) git pulls or looking at its release candidates may have noticed the project was fixing the code in the JNDI functionality, even if the change was not explicitly marked as a security patch. The Log4j flaw was first reported on Nov. 24, 2021 by a security engineer from the People’s Republic of China (PRC)-based Alibaba Cloud Security team. While ASF was working to devise a fix, another PRC-based cybersecurity company, BoundaryX, disclosed the flaw on WeChat before ASF had made a publicly available update. The board hypothesized that someone noticed Apache’s efforts to develop the patch before it could release an official fix and begin the mass patching phase, leading to mass exploitation, said Adkins.
“It was a moment for us to sit back and think, well, as we think about the software ecosystem and getting patches out quickly and that surge that had to happen… This is an opportunity for us to think about how we build a software ecosystem where we can all move very quickly because we know that things happen in the open, that bugs get discovered and they get exploited before they are disclosed,” said Adkins. “That was a really important finding for us in terms of how we want to shape the ecosystem.”