Hacker News new | ask | show | jobs
by matheusmoreira 1605 days ago
> At the scale this company is running the person/team sending out these emails do not have time to dig in and understand each dependency they are sending emails on.

That alone is extremely disrespectful, it means they couldn't care less about the time of open source software maintainers. To say nothing of their "request" for review.
1 comments
0x500x79 1605 days ago
It's not about open source maintainers. This isn't an "open source" problem further than the fact that Daniel's software is used in a product they are using. Daniel could take a couple of seconds to ignore this email and there was very little time wasted.

The real "disrespect" should be whatever engineer put Daniel's name into the spreadsheet that blasted out these emails. Someone didn't do their job and is checking a box. How is the (possibly non-technical) person that is required for managing 100s of vendors and thousands of open source libraries supposed to verify all of that information?

I'm personally happy to hear that this company is trying to do SOMETHING to make sure that Log4j is patched even if it's a bit incompetent in it's implementation. There is not malice here.

link
rootusrootus 1605 days ago
> The real "disrespect" should be whatever engineer put Daniel's name into the spreadsheet that blasted out these emails.

Agree 100%. Any engineer that got far enough to put this email address into a spreadsheet knew damn well it was inappropriate to do so. They should have put their own email address, as they made the choice to use downloaded software in their project and become responsible for that decision.

link
tremon 1605 days ago
Daniel could take a couple of seconds to ignore this email and there was very little time wasted.

So, in your opinion, sending spam or robocalls is not in the least bit disrespectful to whomever is on the receiving end?

link
0x500x79 1605 days ago
Not in this context. This wasn't spam, this was a person with the information they had trying to close the loop on some information an engineer put into a a spreadsheet. This message was not "irrelevant" in the context that the person sending it had. This was not a robocall trying to extort money.

As I noted in another thread: A simple response pointing to the license should be the default response to requests like this which can be automated.

link
scj 1605 days ago
If they were accidentally infringing licenses, this scattershot approach may result in snitching on their own company.

That's how a log4j security audit becomes an Oracle licensing debacle.

link
0x500x79 1605 days ago
Yep, it can/will happen. My assumption is that this is related to Curl, which has a pretty well documented license. Responding to emails like this with an automated email pointing to the license at https://github.com/curl/curl/blob/master/COPYING seems like an obvious thing to have setup.

Namely: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

link