Posted to dev@netbeans.apache.org by Geertjan Wielenga <ge...@apache.org> on 2022/01/14 11:07:21 UTC

Log4J and its consequences for NetBeans and open source in general

Hi all,

Some interesting reading:

https://www.theregister.com/2022/01/13/opensource_apacheplc4x_payment/

https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/

As established thus far, there is no impact on NetBeans for the log4j
situation in terms of attack vectors, since NetBeans doesn't use v2 and the
v1 scenario doesn't apply to NetBeans.

However, there are other issues involved here, as described in the links
above.

When I see out of nowhere e-mails arriving here from addresses that we've
never heard of, with domain names that are clearly large multinational
enterprises, who we never hear of except now that there is potentially a
security hole in the software they've been freeloading without contributing
anything to, well, it's unacceptable. And we never hear from those e-mail
addresses again after calming their concern, until the next time, etc.

For me personally, I may be arriving at a situation where I'm going to be
ignoring e-mails clearly coming from corporations and (to avoid those
people switching to gmail accounts) to people not participating at all
other than raising issues and demanding immediate assistance and asking for
help in one way or another.

The choices you have are simple: pay money to a commercial provider or pay
time to the open source projects you're using. Time does not mean filing an
issue and it does not mean writing a mail voicing your frustration. It
means responding to other people when they have questions and at least
investigating the issue you're reporting since after all you're a developer
on all of NetBeans is on GitHub for you to investigate.

I'm not writing this on behalf of the PMC but just under my own name and
title. :-)

Gj

Re: Log4J and its consequences for NetBeans and open source in general

Posted by Eric Bresie <eb...@gmail.com>.
Eric Bresie
ebresie@gmail.com
On Sat, Jan 15, 2022 at 5:59 AM antonio <an...@vieiro.net> wrote:

> Hi,
>
> For me open source is a way to learn something, do some hacking and have
> some fun, so I'm not specially worried about other people's
> requirements, complaints or demands (*).
>
> Whoever is unsatisfied with this approach may either start giving a hand
>   or seek for commercial support elsewhere
> (https://netbeans.apache.org/help/commercial-support.html).
>
> Otherwise, and as someone once said: let's kick butt and have fun.
>
> Cheers,
> Antonio
>

Would inclusion of the Apache donation page mentioned be worth adding here
or elsewhere on Netbeans site?  Does "donation" support fall under
"commercial support" or is that out of scope of that page?

EB>> link / ...  to provide a way of donations

JT> FYI: https://www.apache.org/foundation/contributing.html

Re: Log4J and its consequences for NetBeans and open source in general

Posted by antonio <an...@vieiro.net>.
Hi,

For me open source is a way to learn something, do some hacking and have 
some fun, so I'm not specially worried about other people's 
requirements, complaints or demands (*).

Whoever is unsatisfied with this approach may either start giving a hand 
  or seek for commercial support elsewhere 
(https://netbeans.apache.org/help/commercial-support.html).

Otherwise, and as someone once said: let's kick butt and have fun.

Cheers,
Antonio

(*)
But, of course, those requirements, complaints and demands from Matthias 
when he is kind enough to review the CND related PRs (or any other PR 
reviewer) :-) .

On 15/01/2022 12:08, Neil C Smith wrote:
> On Fri, 14 Jan 2022 at 15:56, antonio <an...@vieiro.net> wrote:
>>
>> Related (Apache PLC4x)
>>
>> "Your free trial version of “open-source” has expired, please update to
>> a commercial plan"
>>
>> https://github.com/chrisdutz/blog/blob/main/plc4x/free-trial-expired.adoc
> 
> Thanks for that link.  A good read, if depressingly familiar, even
> down to the bad timing around Covid, and the people from large
> aerospace, etc. companies hiding behind personal email addresses!
> Most of that for me being related to other open-source projects, not
> NetBeans related.  But yes, +1 to the sentiment in that and Geertjan's
> first email where NetBeans is concerned too.
> 
> Best wishes,
> 
> Neil
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
> For additional commands, e-mail: dev-help@netbeans.apache.org
> 
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
Re: Log4J and its consequences for NetBeans and open source in general

Posted by Neil C Smith <ne...@apache.org>.
On Fri, 14 Jan 2022 at 15:56, antonio <an...@vieiro.net> wrote:
>
> Related (Apache PLC4x)
>
> "Your free trial version of “open-source” has expired, please update to
> a commercial plan"
>
> https://github.com/chrisdutz/blog/blob/main/plc4x/free-trial-expired.adoc

Thanks for that link.  A good read, if depressingly familiar, even
down to the bad timing around Covid, and the people from large
aerospace, etc. companies hiding behind personal email addresses!
Most of that for me being related to other open-source projects, not
NetBeans related.  But yes, +1 to the sentiment in that and Geertjan's
first email where NetBeans is concerned too.

Best wishes,

Neil

Re: Log4J and its consequences for NetBeans and open source in general

Posted by Eric Bresie <eb...@gmail.com>.
Would it be worth putting a link / page maybe from the "contribute" to
provide a way of donations and/or links to "service providers for hire for
Netbeans and/or Apache"?

Eric Bresie
ebresie@gmail.com


On Fri, Jan 14, 2022 at 9:56 AM antonio <an...@vieiro.net> wrote:

> Related (Apache PLC4x)
>
> "Your free trial version of “open-source” has expired, please update to
> a commercial plan"
>
> https://github.com/chrisdutz/blog/blob/main/plc4x/free-trial-expired.adoc
>
> Have fun,
> Antonio
>
> On 14/1/22 at 14:06, antonio wrote:
> > Agreed!
> >
> > Now onto the task: let's kick butt and have fun!
> >
> > Cheers,
> > Antonio
> >
> > On 14/01/2022 12:07, Geertjan Wielenga wrote:
> >> For me personally, I may be arriving at a situation where I'm going to
> be
> >> ignoring e-mails clearly coming from corporations and (to avoid those
> >> people switching to gmail accounts) to people not participating at all
> >> other than raising issues and demanding immediate assistance and
> >> asking for
> >> help in one way or another.
> >>
> >> The choices you have are simple: pay money to a commercial provider or
> >> pay
> >> time to the open source projects you're using. Time does not mean
> >> filing an
> >> issue and it does not mean writing a mail voicing your frustration. It
> >> means responding to other people when they have questions and at least
> >> investigating the issue you're reporting since after all you're a
> >> developer
> >> on all of NetBeans is on GitHub for you to investigate.
>
Re: Log4J and its consequences for NetBeans and open source in general

Posted by antonio <an...@vieiro.net>.
Related (Apache PLC4x)

"Your free trial version of “open-source” has expired, please update to 
a commercial plan"

https://github.com/chrisdutz/blog/blob/main/plc4x/free-trial-expired.adoc

Have fun,
Antonio

On 14/1/22 at 14:06, antonio wrote:
> Agreed!
> 
> Now onto the task: let's kick butt and have fun!
> 
> Cheers,
> Antonio
> 
> On 14/01/2022 12:07, Geertjan Wielenga wrote:
>> For me personally, I may be arriving at a situation where I'm going to be
>> ignoring e-mails clearly coming from corporations and (to avoid those
>> people switching to gmail accounts) to people not participating at all
>> other than raising issues and demanding immediate assistance and 
>> asking for
>> help in one way or another.
>>
>> The choices you have are simple: pay money to a commercial provider or 
>> pay
>> time to the open source projects you're using. Time does not mean 
>> filing an
>> issue and it does not mean writing a mail voicing your frustration. It
>> means responding to other people when they have questions and at least
>> investigating the issue you're reporting since after all you're a 
>> developer
>> on all of NetBeans is on GitHub for you to investigate.

Re: Log4J and its consequences for NetBeans and open source in general

Posted by antonio <an...@vieiro.net>.
Agreed!

Now onto the task: let's kick butt and have fun!

Cheers,
Antonio

On 14/01/2022 12:07, Geertjan Wielenga wrote:
> For me personally, I may be arriving at a situation where I'm going to be
> ignoring e-mails clearly coming from corporations and (to avoid those
> people switching to gmail accounts) to people not participating at all
> other than raising issues and demanding immediate assistance and asking for
> help in one way or another.
> 
> The choices you have are simple: pay money to a commercial provider or pay
> time to the open source projects you're using. Time does not mean filing an
> issue and it does not mean writing a mail voicing your frustration. It
> means responding to other people when they have questions and at least
> investigating the issue you're reporting since after all you're a developer
> on all of NetBeans is on GitHub for you to investigate.

Re: Log4J and its consequences for NetBeans and open source in general

Posted by Brett Ryan <br...@gmail.com>.
You just shook my tree to start contributing again, I have been a bit quiet
lately due to time constraints, but I do mean to get back on the horse.

On Fri, 14 Jan 2022 at 22:08, Geertjan Wielenga <ge...@apache.org> wrote:

> Hi all,
>
> Some interesting reading:
>
> https://www.theregister.com/2022/01/13/opensource_apacheplc4x_payment/
>
>
> https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/
>
> As established thus far, there is no impact on NetBeans for the log4j
> situation in terms of attack vectors, since NetBeans doesn't use v2 and the
> v1 scenario doesn't apply to NetBeans.
>
> However, there are other issues involved here, as described in the links
> above.
>
> When I see out of nowhere e-mails arriving here from addresses that we've
> never heard of, with domain names that are clearly large multinational
> enterprises, who we never hear of except now that there is potentially a
> security hole in the software they've been freeloading without contributing
> anything to, well, it's unacceptable. And we never hear from those e-mail
> addresses again after calming their concern, until the next time, etc.
>
> For me personally, I may be arriving at a situation where I'm going to be
> ignoring e-mails clearly coming from corporations and (to avoid those
> people switching to gmail accounts) to people not participating at all
> other than raising issues and demanding immediate assistance and asking for
> help in one way or another.
>
> The choices you have are simple: pay money to a commercial provider or pay
> time to the open source projects you're using. Time does not mean filing an
> issue and it does not mean writing a mail voicing your frustration. It
> means responding to other people when they have questions and at least
> investigating the issue you're reporting since after all you're a developer
> on all of NetBeans is on GitHub for you to investigate.
>
> I'm not writing this on behalf of the PMC but just under my own name and
> title. :-)
>
> Gj
>

RE: Log4J and its consequences for NetBeans and open source in general

Posted by Eirik Bakke <eb...@ultorg.com>.
> When I see out of nowhere e-mails arriving here from addresses that we've never heard of, with domain names that are clearly large multinational enterprises, who we never hear of except now that there is potentially a security hole in the software they've been freeloading without contributing anything to, well, it's unacceptable.

One possible response is: "My company, Foobar LLC, specializes in NetBeans development, and can offer to do a security review of NetBeans wrt. the aforementioned log4j vulnerability. This will cost $1,500 and can be completed by Tuesday."

There are some companies that will actually pay for these things. (See e.g. https://www.sqlite.org/purchase/license )

-- Eirik

-----Original Message-----
From: Geertjan Wielenga <ge...@apache.org> 
Sent: Friday, January 14, 2022 6:07 AM
To: dev <de...@netbeans.apache.org>
Subject: Log4J and its consequences for NetBeans and open source in general

Hi all,

Some interesting reading:

https://www.theregister.com/2022/01/13/opensource_apacheplc4x_payment/

https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/

As established thus far, there is no impact on NetBeans for the log4j situation in terms of attack vectors, since NetBeans doesn't use v2 and the
v1 scenario doesn't apply to NetBeans.

However, there are other issues involved here, as described in the links above.

When I see out of nowhere e-mails arriving here from addresses that we've never heard of, with domain names that are clearly large multinational enterprises, who we never hear of except now that there is potentially a security hole in the software they've been freeloading without contributing anything to, well, it's unacceptable. And we never hear from those e-mail addresses again after calming their concern, until the next time, etc.

For me personally, I may be arriving at a situation where I'm going to be ignoring e-mails clearly coming from corporations and (to avoid those people switching to gmail accounts) to people not participating at all other than raising issues and demanding immediate assistance and asking for help in one way or another.

The choices you have are simple: pay money to a commercial provider or pay time to the open source projects you're using. Time does not mean filing an issue and it does not mean writing a mail voicing your frustration. It means responding to other people when they have questions and at least investigating the issue you're reporting since after all you're a developer on all of NetBeans is on GitHub for you to investigate.

I'm not writing this on behalf of the PMC but just under my own name and title. :-)

Gj

Re: Log4J and its consequences for NetBeans and open source in general

Posted by Jaroslav Tulach <ja...@gmail.com>.
On Fri, 14 Jan 2022 at 12:08, Geertjan Wielenga <ge...@apache.org>
wrote:

> Hi all,
>
> Some interesting reading:
>
> https://www.theregister.com/2022/01/13/opensource_apacheplc4x_payment/
>
>
> https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/
>
> As established thus far, there is no impact on NetBeans for the log4j
> situation in terms of attack vectors, since NetBeans doesn't use v2 and the
> v1 scenario doesn't apply to NetBeans.
>
> However, there are other issues involved here, as described in the links
> above.
>
> When I see out of nowhere e-mails arriving here from addresses that we've
> never heard of, with domain names that are clearly large multinational
> enterprises, who we never hear of except now that there is potentially a
> security hole in the software they've been freeloading without contributing
> anything to, well, it's unacceptable. And we never hear from those e-mail
> addresses again after calming their concern, until the next time, etc.
>

+1
> For me personally, I may be arriving at a situation where I'm going to be
> ignoring e-mails clearly coming from corporations and (to avoid those
> people switching to gmail accounts) to people not participating at all
> other than raising issues and demanding immediate assistance and asking for
> help in one way or another.
>
> The choices you have are simple: pay money to a commercial provider or pay
> time to the open source projects you're using. Time does not mean filing an
> issue and it does not mean writing a mail voicing your frustration. It
> means responding to other people when they have questions and at least
> investigating the issue you're reporting since after all you're a developer
> on all of NetBeans is on GitHub for you to investigate.
>
> I'm not writing this on behalf of the PMC but just under my own name and
> title. :-)
>

Apply lazy consensus and publish an official NetBeans blog post!

Eric:
> link / ...  to provide a way of donations

FYI: https://www.apache.org/foundation/contributing.html
-jt