DEV Community

Discussion on: The human toll of log4j maintenance

Collapse
goodevilgenius profile image
Dan Jones

Here's another suggestion:

What if the Alibaba engineers fixed it and sent the patch to the log4j engineers?

I've submitted patches to open source libraries that my company depended on, and did so during working hours, because it was critical to the work.

Why didn't those paid Alibaba engineers fix it themselves?

Collapse
yawaramin profile image
Yawar Amin Author

Yes, very good point. But also, what if the log4j maintainers charged money to merge the Alibaba patch? After all, properly reviewing a patch, ensuring it fixes the issue, and doesn't introduce a worse one, then publishing the fixed version, and all the work that entails–this is still hard work. Nothing in an OSS license prevents charging for it.

Collapse
goodevilgenius profile image
Dan Jones

Absolutely. With something this critical, if Alibaba discovered, they definitely should be putting in whatever resources is necessary to getting it fixed quickly.