Log4j haters: just STFU

I think the behaviour of many people towards the log4j developers and towards the project is simply ridiculous. I understand the memes; it's the internet, after all. But I keep reading posts and tweets by IT professionals - developers, managers, security engineers - that treat the log4j project and the people who work on it as absolute shit.

The library has been used by (probably) thousands of projects for about 20 years, and it's available for free. The impact of this vulnerability is a testament to Log4j's success.

So, my dear haters, I need to inform you that Log4j comes with a license (the Apache License 2.0) that says "You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License". You shouldn't blame the Log4j developers; you should blame all the users and developers who chose it and used it, for free, because they accepted that license. And you should blame all those people who didn't realize the first fix was incomplete. The Log4j developers had absolutely no obligation.

If I ever release an open source project that achieves the same success as Log4j and, at any time, ends up with a similarly dangerous vulnerability, I'll make sure not to release the hotfix for free. You'll be able to get it with a special, one-time, paid commercial license. The community won't love me anymore, but I'll probably be able to retire in some nice place with all the money I'll surely make (because you won't rely on a patch from a random stranger on the internet, right? You want the fix from me, and you don't want to check what's in it).

I've read very few articles about how bad the disclosure process for Log4shell was. The Apache Software Foundation had less than three weeks to patch before the disclosure went fully public (Google Project Zero usually gives a 90-day deadline), and there are articles indicating that some vendors detected active exploitation just a few days after the first private report. I'd speculate somebody tried to get rich here by selling a very interesting 0-day.