code4it-dev / blog-comments

https://www.code4it.dev/

blog/opinion-open-source #23

Open utterances-bot opened 2 years ago

utterances-bot commented 2 years ago

Code opinion: should we trust Open Source after Log4J's issues? - Code4IT

With Log4J's vulnerability, we've all been reminded that systems are vulnerable, and OSS are not immune too. What should we do now?

https://www.code4it.dev/blog/opinion-open-source

tngraf commented 2 years ago

I am responsible for open source compliance in a large company with thousands of developers and we are using tens of thousands of open source components. Most of our products contain at least one open source component. Could we discontinue using open source? Hardly. But we spend some time training our developers to evaluate all kinds of third party software:

The big advantage of open source software is that we can have a look at all this. Why should a commercial component (that itself uses open source) be better?

My question to all people who argue against open source would be: do you really want to get rid of Linux? Is there any replacement for Linux without any open source software?

bellons91 commented 2 years ago

Totally agree with you! Those are valid points.

How do you keep track of third-party software? Do you have a file/repo/whatever with the list of trusted components?

What do you do when a vulnerability is discovered in an external package?

tngraf commented 2 years ago

Sorry for answering late ... We have a repository for all our third party software. It is an open source software called SW360 (https://www.eclipse.org/sw360, https://github.com/eclipse/sw360). So we always know which of our products uses which version of which third party library. Because we also track the security vulnerabilities of each component, it is easy to tell our developers that there might be a problem. Then they dig deeper to see whether they are really affected ... or they just switch to a version without security vulnerabilities.
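A minimal illustration of the bookkeeping described in this comment: an inventory of which product uses which version of which component, cross-checked against vulnerability records so that affected products can be listed and the fixed version named. This is an added example, not SW360's code or data model; the inventory layout, the range syntax, the component names, the vulnerability ids and the version ranges are all constructed for illustration and are not advisory data.

```python
"""Cross-check a product/component inventory against vulnerability records.

All data below is constructed sample data (assumption: a simple dict-based
inventory and a comma-separated range syntax such as ">=2.0,<2.15.0").
It is not SW360's data model or API.
"""

# Constructed inventory: product -> {component: version}
INVENTORY = {
    "billing-service": {"log4j-core": "2.14.1", "jackson-databind": "2.13.0"},
    "reporting-ui": {"log4j-core": "2.17.0", "lodash": "4.17.21"},
    "legacy-gateway": {"log4j-core": "2.11.0", "commons-text": "1.9"},
}

# Constructed vulnerability records with placeholder ids and illustrative ranges.
VULNS = [
    {"id": "VULN-LOG4J-EXAMPLE", "component": "log4j-core",
     "affected": ">=2.0,<2.15.0", "fixed_in": "2.15.0"},
    {"id": "VULN-TEXT-EXAMPLE", "component": "commons-text",
     "affected": ">=1.5,<1.10.0", "fixed_in": "1.10.0"},
]

OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str, width: int = 3) -> tuple:
    """Turn '2.14.1' into (2, 14, 1), padding with zeros so '2.0' == '2.0.0'.

    Numeric tuples compare correctly where strings would not ('2.9' > '2.15').
    """
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def parse_range(spec: str) -> list:
    """Parse '>=2.0,<2.15.0' into [(op, version_tuple), ...]."""
    bounds = []
    for clause in spec.split(","):
        clause = clause.strip()
        # Check two-character operators first so '>=' is not read as '>'.
        for op in (">=", "<=", "==", ">", "<"):
            if clause.startswith(op):
                bounds.append((op, parse_version(clause[len(op):])))
                break
        else:
            raise ValueError(f"unsupported range clause: {clause!r}")
    return bounds


def version_affected(version: str, spec: str) -> bool:
    """True when every clause of the affected range holds for this version."""
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in parse_range(spec))


def products_using(inventory: dict, component: str) -> dict:
    """Answer 'which products use which version of this component?'."""
    return {
        product: comps[component]
        for product, comps in inventory.items()
        if component in comps
    }


def find_affected(inventory: dict, vulns: list) -> list:
    """List (product, component, version, vuln_id, fixed_in) for every hit.

    A product whose version lies outside the affected range (for example
    reporting-ui on log4j-core 2.17.0) is deliberately not reported, so
    developers are only alerted where the inventory says they may be exposed.
    """
    findings = []
    for vuln in vulns:
        for product, version in products_using(inventory, vuln["component"]).items():
            if version_affected(version, vuln["affected"]):
                findings.append(
                    (product, vuln["component"], version, vuln["id"], vuln["fixed_in"])
                )
    return sorted(findings)


if __name__ == "__main__":
    for product, component, version, vuln_id, fixed_in in find_affected(INVENTORY, VULNS):
        print(f"{product}: {component} {version} affected by {vuln_id}; fixed in {fixed_in}")
```

The point of the version tuple is the usual trap in this kind of tracking: comparing versions as strings would rank "2.9" above "2.15". Whether a listed product is really exploitable still needs the closer look the comment mentions (is the vulnerable code path reachable?), so the list is a trigger for investigation, not a verdict.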