In May, New York magazine reported that Apache had “lost the trust of its developers,” after the company’s “security teams” were accused of selling out their customers and of being “further emboldened by a cavalier attitude toward security risks” and “a belief that they can simply write code and deploy it to production without much risk.”
This “trust gap” was caused by the “toxic” relationship between Apache’s developers and the company itself.
The New York Times followed up with a story about how the Apache developers’ trust was “tainted by years of work by a team of disgruntled former employees, including the founder.”
It is worth noting that many of the allegations against the Apache team were already widely known, but it took the Times several weeks to publish its initial story, which sparked the release of an Apache 6.0 update that addressed the trust issue.
But the release itself was delayed because of the “trust deficit.”
In a follow-up story on May 22, New Yorker editor Jill Abramson claimed that the company had “taken to a new kind of secrecy, and the people at Apache aren’t the only ones.”
She added: The Apache team is now deeply involved in developing software and building out its security posture.
That’s not a recipe for good software.
That is bad code.
But this story has been picked up by other media outlets.
It’s no surprise that news outlets have been picking up the story.
But what is surprising is the way in which it has been packaged and presented.
First, Abramson’s article makes the point that the problems with the Apache community stem from the fact that the Apache Foundation itself “hasn’t been as proactive as the rest of the community about addressing vulnerabilities.”
She goes on to note that the foundation’s “chief security officer” was also responsible for “negotiating with outside contractors for fixes for bugs in Apache.”
Abramson then presents a list of companies that she believes are “part of the problem,” including Facebook, LinkedIn, Google, Oracle, and Yahoo.
In addition, the article notes that the “security team” at Apache is “largely insulated from the rest, with few external voices and few outside audits.”
Abramson’s description of the Apache security team is consistent with the way most news outlets describe them: the security team at Apache is a large and disparate team, whose top leadership includes executives who have been at the company for decades.
Their responsibilities include advising and coordinating with the project management team and other management.
And their authority extends beyond that to the entire Apache community.
The security people who run Apache aren’t trusted by the project or by its users, so it’s important that the project doesn’t rely on them to build out its software.
This is the “distrust gap” described by Abramson, which is a real problem.
If the problems Abramson described are indeed real, then this means that the trust gap at Apache needs to be addressed.
However, the problem is not in the security team, but in the people that they work with.
The “trust gaps” mentioned in Abramson’s article do not exist in the software being used to develop Apache.
The article presents a clear picture of the trust issues at Apache.
But it ignores some important facts.
First of all, many of those problems stem from “systems engineers” who have access to Apache, who are supposed to have “close supervision” over its security decisions.
This “authority” was not vested in the “administrators” at the Apache core.
The author of the article cites this as proof that the vulnerabilities Abramson mentions have “a deep root in the systems engineering community,” without actually providing any proof.
But if that is the case, it is unlikely that “authorities” in the organization that oversees Apache have a “deep root” in that organization, or that the people who work there have “supervision.”
It should be noted that, in fact, the authorship of this article comes from a former Apache employee who is not a former employee of the company, but is the former head of a company that is responsible for managing the Apache Project, a fact that is acknowledged in the article.
The problem is that this article assumes that there is a “root” of trust at the root of Apache, and that a “system engineering” group has authority over the Apache “core.”
But this is clearly not the case.
If it were true, then the “system engineers” would have to be “authoritative” about their own security decisions, or else the “authoritarian” “author” would be responsible for their decisions.
And this would only be true if “authoritarians” in management had a “Deep Root” in “Systems Engineering.”
But the article itself makes clear that there are “Deep Roots” in other fields, and “authoritaries” in various other fields.
But that does not mean that the author