A bunch of people were using Log4j, an open-source library, which had a remote code execution vulnerability. Now half of Hacker News wants to throw money at the maintainer and the other half says things are fine the way they are; there's no reason to spend money on something that's free.
Here's another thread of people pooping on Log4j for fricking up something as simple as logging. https://news.ycombinator.com/item?id=29523608
How would money have fixed the stupid design here? That's not at all the problem.
They never claimed that money would have prevented the problem. They are saying it's stupid that a critical component of so much software is maintained by some random guy who does it for free.
Yes, but the ratio of whining about other stuff : worrying about a critical logging library having a by-design RCE for like five years seems low imo. Like every Minecraft player for the past however many years was trivially frickable with one message. Every single Java application using log4j (which seems like most) just dies. That's much worse. An evil user could probably have destroyed billions of dollars and thousands of lives!!! That is bad!!!!
Fortunately recent Java versions mitigate it. Who knows how well, though.
I'll never admit this again but lawlz is my favorite poster of all time. -carpathianflorist