
""Don't trust user input" has been a fundamental rule of security for a long time, and it was reasonable to assume the log4j authors were aware of it. So the current situation is not that requirements have suddenly become stricter, it's simply that log4j broke a fundamental assumption about its API."

Once you see it this way, the whole "open source is broken" debate goes out the window. It was just a bug. A bad one, but not anything that hasn't happened before and won't happen again, open source or not.

"Yes, free software devs can smugly repeat their stance of "it's a gift so don't complain, no guarantees about anything" - but if everyone took this seriously, no one could use free software for anything critical, so the free software movement would be mostly dead."

Free software devs have to smugly repeat "no guarantees about anything" in the same way that non-free software development has to do it: otherwise all software development would be mostly dead.
