struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Macalister <jimmacalis...@gmail.com>
Subject Re: Apple sec breach.. Struts?
Date Fri, 02 Aug 2013 05:01:59 GMT
Hi to all,

there is no flawless software. Big companies spend millions if not billions
for their software and still get issues. How many cases of proven hacks or
worst sensitive info leaks have you read ? I think quite a lot. Big
companies do use various platforms and especially open source. It is surely
cost-effective and stable that reinventing the wheel. If i remember
correctly microsoft ran and probably runs even now many of their servers
under BSD.

To get to my point. Struts2 is a great framework and we do use it for
production systems. I think we should all contribute at least by donating
directly to the struts2 developers. This will ensure the life of the
project as well. I suggest that the core developers should be compensated
for their efforts and i am willing to donate with no contract. I am sure
this will free the developers from other tasks.

Please set up a mechanism for us to donate.

Regards


On Wed, Jul 31, 2013 at 5:30 PM, Paul Benedict <pbenedict@apache.org> wrote:

> I'll voice my personal opinion.
>
> No matter what framework you choose (Struts, MyFaces, Tapestry, etc.), it
> is the responsibility of all IT shops to do a security vulnerability
> assessment before first releasing to production and after each update. That
> is "Security 101" because there are multitude of attack vectors that can be
> exploited through any inadvertent mistake here and there. Sometimes the
> mistake will be in your code, sometimes it will be in third party
> dependencies, but you own the final product so you must take responsibility
> for the entire product.
>
> Did a company like Apple, who sits on billions of cash, do that? I don't
> know. I hope they did because that would be performing due diligence. They
> are not poor by any means. I'll hope for the best here.
>
> Lastly, it cannot be ignored that Struts is a free product built by
> volunteers. The work done here is long, arduous, and passionate -- and on a
> budget of $0. There is no money coming in to fund anything expensive.
> Unlike some other Apache projects where corporations (like IBM) are funding
> development, no one is funding Struts. You get the best that volunteers can
> do without them receiving a dime. The obvious implication is that you, who
> consume volunteer work for free, must take the product "as is" and do your
> part of making sure your application is secure.
>
> PS: If you find a security vulnerability in Struts, please privately report
> it to security@apache.org so it can be fixed.
>
> Cheers,
> Paul
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message