Nearly One In Two Industry Pros Scaled Back Open Source Use Over Security Fears

'The Register: About 40 percent of industry professionals say their organizations have reduced their usage of open source software due to concerns about security, according to a survey conducted by data science firm Anaconda. The company's 2022 State of Data Science report solicited opinions in April and May from 3,493 individuals from 133 countries and regions, targeting academics, industry professionals, and students. About 16 percent of respondents identified as data scientists. About 33 percent of surveyed industry professionals said they had not scaled back on open source, 7 percent said they had increased usage, and 20 percent said they weren't sure. The remaining 40 percent said they had.

By industry professionals, or commercial respondents as Anaconda puts it, the biz means a data-science-leaning mix of business analysts, product managers, data and machine-learning scientists and engineers, standard IT folks such as systems administrators, and others in technology, finance, consulting, healthcare, and so on. And by scale back, that doesn't mean stop: 87 percent of commercial respondents said their organization still allowed the use of open source. It appears a good number of them, though, are seeking to reduce the risk from relying on too many open source dependencies.

Anaconda's report found that incidents like Log4j and reports of "protestware" prompted users of open source software to take security concerns more seriously. Of the 40 percent who scaled back usage of open source, more than half did so after the Log4j fiasco. Some 31 percent of respondents said security vulnerabilities represent the biggest challenge in the open source community today. Most organizations use open source software, according to Anaconda. But among the 8 percent of respondents indicating that they don't, more than half (54 percent, up 13 percent since last year) cited security risks as the reason.

Other reasons for not using open source software include: lack of understanding (38 percent); lack of confidence in organizational IT governance (29 percent); "open-source software is deemed insecure, so it's not allowed" (28 percent); and not wanting to disrupt current projects (26 percent).' -- source: https://news.slashdot.org/story/22/09/15/003243

Any library/tool, whether proprietary or not, on which many other systems rely has that same potential "security" problem (plenty of exploits in Windows/Mac, supply-chain corruptions, etc). Just because your code is proprietary doesn't make it any safer.

You could simply spend some of your internal budget (that you didn't spend on developing these libraries) to do some code review on them and contribute back. Otherwise you're just a whinging freeloader...

Cheers, Peter

--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174 (office)
+64 (7) 577-5304 (home office)
https://www.cs.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/

On Fri, 16 Sep 2022 10:12:55 +1200, Peter Reutemann wrote:

> You could simply spend some of your internal budget (that you didn't spend on developing these libraries) to do some code review on them and contribute back. Otherwise you're just a whinging freeloader...

Oh yes. If I had a dollar for every time I saw somebody's complaint about open-source software not measuring up to their needs ...