by plange 3338 days ago
Nothing in life is free.

Quality software doesn't create itself out of thin air (yet, if ever). That means someone has to make an investment.

You don't have to invest in the upkeep of the foundation of your house, but if some bugs, say termites, were to sneak in, you can't blame the original builders for the donated foundation.

Please downvote for the bad analogy.

1 comment

I think of it like the Heartbleed vulnerability - was everyone affected to blame for the vulnerability? Was everyone simultaneously morally obligated to be contributing patches back to OpenSSL? I don't think so.
Everyone affected was to blame for their own vulnerability, to the extent they relied on OpenSSL.

I worked for a company that needed to push out an out-of-cycle patch for Heartbleed. We were building a virtualization product that included OpenSSL and other free-software libraries in the core product, plus an entire Linux distro to support our install-this-on-dedicated-hardware product. We made the business decision that we could reuse Ubuntu and not develop our own operating system and control plane. Others, like Microsoft, made the decision to implement it all themselves. Others, like VMware, took a decision sort of in the middle.

We got a significant amount of functionality for free - and a significant amount of risk for free. Whatever code worked for our needs, we could profit from. Whatever code introduced security vulnerabilities in our application (and it was not all upstream security vulnerabilities, since we intentionally designed our system to anticipate that local root exploits would be easy), we took responsibility for. That was part of saying that this was our product, and not just a shell script for building a similar product on your own.
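The comment above describes owning the risk of a bundled OpenSSL when Heartbleed landed. The first step of that out-of-cycle patch is knowing which copies of OpenSSL a product ships and whether each one falls in the affected range. The script below is an added example written for this page, not code from the commenter's company or from the OpenSSL project. It assumes a constructed component inventory of (name, version) pairs, accepts either a bare version string or the first line of `openssl version` output, and encodes the publicly documented Heartbleed (CVE-2014-0160) range: 1.0.1 through 1.0.1f, plus 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2. The version parser handles OpenSSL's classic letter-suffix scheme, which a naive string or float comparison gets wrong.

```python
import re

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2 betas before beta2; 1.0.1g (and 1.0.2-beta2) shipped the fix. The
# 0.9.8 and 1.0.0 branches never contained the TLS heartbeat extension.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def parse_openssl_version(text):
    """Return a tuple that sorts like OpenSSL's classic version scheme.

    Accepts a bare version ('1.0.1f', '0.9.8zh', '1.0.2-beta1') or the first
    line of `openssl version` output ('OpenSSL 1.0.1f 6 Jan 2014').
    Ordering: 1.0.1 < 1.0.1a < ... < 1.0.1z < 1.0.1za, and a beta sorts
    before the final release with the same number.
    """
    tokens = text.strip().split()
    if tokens and tokens[0] == "OpenSSL":
        tokens = tokens[1:]
    if not tokens:
        raise ValueError(f"no version in {text!r}")
    m = _VERSION_RE.match(tokens[0])
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {tokens[0]!r}")
    major, minor, fix, letters, beta = m.groups()
    # Letter suffixes compare position by position, so 'z' < 'za' < 'zh'.
    letter_ranks = tuple(ord(c) - ord("a") + 1 for c in letters)
    is_final = 0 if beta is not None else 1
    beta_num = int(beta) if beta is not None else 0
    return (int(major), int(minor), int(fix), is_final, letter_ranks, beta_num)


# Each range is [first affected, first fixed): inclusive start, exclusive end.
_AFFECTED_RANGES = (
    ("1.0.1", "1.0.1g"),
    ("1.0.2-beta1", "1.0.2-beta2"),
)


def is_heartbleed_vulnerable(version):
    """True if the given OpenSSL version string falls in a Heartbleed-affected range."""
    v = parse_openssl_version(version)
    return any(
        parse_openssl_version(lo) <= v < parse_openssl_version(hi)
        for lo, hi in _AFFECTED_RANGES
    )


# Constructed inventory standing in for a product's bill of materials:
# (component, version) pairs as an appliance build might record them.
# Names and versions are illustrative, not from any real product.
SAMPLE_INVENTORY = [
    ("openssl", "1.0.1e"),                              # base distro library
    ("bundled-openssl", "OpenSSL 1.0.1f 6 Jan 2014"),   # statically linked copy
    ("openssl-compat", "1.0.0m"),                       # old branch, no heartbeat code
    ("openssl-next", "1.0.2-beta1"),                    # pre-release build
    ("zlib", "1.2.8"),                                  # unrelated component
]


def audit_inventory(inventory):
    """Return the names of inventory entries carrying a Heartbleed-affected OpenSSL."""
    flagged = []
    for name, version in inventory:
        if "openssl" not in name.lower():
            continue
        if is_heartbleed_vulnerable(version):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in audit_inventory(SAMPLE_INVENTORY):
        print(f"{name}: Heartbleed-affected OpenSSL, needs out-of-cycle patch")
```

Running it against the constructed inventory flags the distro copy, the statically linked copy and the 1.0.2 beta, and leaves the 1.0.0 branch alone. The point the comment makes applies here: the statically linked copy is exactly the one a distro security update would not touch, which is why a product that bundles its own OpenSSL has to track and patch it itself.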