After the devastating vulnerability in Log4j last month we have seen some changes in how companies view open source. Those who previously had no policies at all have now begun looking into it. For now the main question being asked is where Log4j has been used, but that will likely change too.
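The question above, where Log4j has been used, is one a script can answer better than a round of e-mails. The following is an added example, not code from the original post: it walks a directory tree for Java archives, reports every log4j-core it finds together with the version from its Maven pom.properties, and says whether JndiLookup.class is still present (removing that class from the jar was the widely used stop-gap for CVE-2021-44228). It also descends into jars nested inside WAR/EAR files, which is where Log4j usually hides in deployed applications. The sample tree it builds is constructed for the demo, and the function names (find_log4j, build_sample_tree, run_demo) are this example's own.

```python
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass

# Marker files inside a log4j-core jar (real paths, as shipped by the project).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Archive types worth opening; WAR/EAR files bundle jars inside them.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str          # filesystem path; "!" separates nested archive entries
    version: str       # from pom.properties, or "unknown" if the file is missing
    jndi_lookup: bool  # True if JndiLookup.class is still inside the archive


def _scan_zip(zf, path, findings):
    """Record a log4j-core hit for this archive, then recurse into nested archives."""
    names = set(zf.namelist())
    has_pom = POM_PROPS in names
    has_jndi = JNDI_LOOKUP in names
    if has_pom or has_jndi:
        version = "unknown"
        if has_pom:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append(Finding(path, version, has_jndi))
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not actually a zip; skip rather than abort the scan
            _scan_zip(inner, f"{path}!{name}", findings)


def find_log4j(root):
    """Walk `root` and return a Finding for every log4j-core archive, nested ones included."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    _scan_zip(zf, full, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root):
    """Constructed sample (not real artifacts): a plain log4j-core 2.14.1 jar, and a WAR
    bundling a log4j-core jar from which JndiLookup.class has been deleted."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(POM_PROPS, "version=2.14.1\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    stripped = io.BytesIO()
    with zipfile.ZipFile(stripped, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.14.1\n")  # class removed, as with `zip -d`
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", stripped.getvalue())


def run_demo():
    """Build the constructed tree in a temp dir and scan it; returns the findings."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    build_sample_tree(root)
    return find_log4j(root)


if __name__ == "__main__":
    for f in run_demo():
        state = "JndiLookup present" if f.jndi_lookup else "JndiLookup removed"
        print(f"{f.path}: log4j-core {f.version} ({state})")
```

Treat the output as an inventory, not a verdict: the script only sees what is on disk, so a jar that is present but never loaded still shows up, and a copy whose packages were relocated by a shading plugin (a renamed path instead of org/apache/logging/log4j) will not. The version is read from pom.properties, so a jar that was repackaged without Maven metadata reports "unknown" and should be inspected by hand.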
It is important for all users of open source to understand its nature. You cannot simply expect, or pressure, the maintainers to update their software, especially not when the project has a small group of maintainers or is maintained in their spare time. Instead you have to adopt the open source mindset and take advantage of the fact that everything is open: anyone can read the code and, if needed, write a fix. A company that decides to use free open source software cannot expect the same level of service as if it had bought a commercial product; it must be ready either to wait or to do the work itself.
In the aftermath of Log4j there have been several examples of harsh communication with maintainers. I hope that things will get better and that companies gain a better understanding of the implications of using open source. This includes not only the implications of bugs (security or otherwise) but also the importance of knowing the licenses of the open source you use. Sadly, not everyone understands what can be expected of the software, or what can and cannot be done with it under which circumstances.
These are just a couple of the considerations when using open source software; there are many more. Each company needs to make its own assessment and decide how it will work with open source software. Let's all do our part in asking the right questions and spreading awareness, so that everyone can enjoy the many benefits of open source.