[0x500x79]

It's not about open source maintainers. This isn't an "open source" problem further than the fact that Daniel's software is used in a product they are using. Daniel could take a couple of seconds to ignore this email and there was very little time wasted.

The real "disrespect" should be whatever engineer put Daniel's name into the spreadsheet that blasted out these emails. Someone didn't do their job and is checking a box. How is the (possibly non-technical) person that is required for managing 100s of vendors and thousands of open source libraries supposed to verify all of that information?

I'm personally happy to hear that this company is trying to do SOMETHING to make sure that Log4j is patched even if it's a bit incompetent in it's implementation. There is not malice here.

[rootusrootus]

> The real "disrespect" should be whatever engineer put Daniel's name into the spreadsheet that blasted out these emails.

Agree 100%. Any engineer that got far enough to put this email address into a spreadsheet knew damn well it was inappropriate to do so. They should have put their own email address, as they made the choice to use downloaded software in their project and become responsible for that decision.

[tremon]

Daniel could take a couple of seconds to ignore this email and there was very little time wasted.

So, in your opinion, sending spam or robocalls is not in the least bit disrespectful to whomever is on the receiving end?

[0x500x79]

Not in this context. This wasn't spam, this was a person with the information they had trying to close the loop on some information an engineer put into a a spreadsheet. This message was not "irrelevant" in the context that the person sending it had. This was not a robocall trying to extort money.

As I noted in another thread: A simple response pointing to the license should be the default response to requests like this which can be automated.

[scj]

If they were accidentally infringing licenses, this scattershot approach may result in snitching on their own company.

That's how a log4j security audit becomes an Oracle licensing debacle.

[0x500x79]

Yep, it can/will happen. My assumption is that this is related to Curl, which has a pretty well documented license. Responding to emails like this with an automated email pointing to the license at https://github.com/curl/curl/blob/master/COPYING seems like an obvious thing to have setup.

Namely: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.