Just one I found quickly:

> If you are a multi billion dollar company and are concerned about log4j, why not just email OSS authors you never paid anything and demand a response for free within 24 hours with lots of info? (company name redacted for my peace of mind)

https://twitter.com/bagder/status/1484672924036616195

https://daniel.haxx.se/blog/2022/01/24/logj4-security-inquir...

Maybe "Stamping their feet" is a bit hyperbolic for this case, but it demonstrates the cultural mismatch very well: The email assumes the Log4J package comes from the "Log4J Company" such that a business requesting the results of an internal audit would be met with something other than an annoyed FOSS developer Tweeting about this clueless moo sending a form email to a random programmer they have no prior relationship with.

As Daniel himself says in the follow-up Tweet:

> I replied saying I'd be happy to answer all the questions as soon as we have a support contract.

There was, deep inside the company, an internal process which blindly assumed a contract would be present, and acted accordingly.

This isn't a C suite case though. It's just a procurement staffer going through the motions.
