[HN Gopher] Questioning the Conventional Wisdom on Liability and...
___________________________________________________________________
Questioning the Conventional Wisdom on Liability and Open Source
Software
Author : curmudgeon22
Score : 16 points
Date : 2024-04-29 20:22 UTC (2 hours ago)
(HTM) web link (www.lawfaremedia.org)
(TXT) w3m dump (www.lawfaremedia.org)
| transpute wrote:
| _> Should open source software developers that knowingly
| distribute malicious open source software also be exempt from
| liability? This isn't an academic question. The recent XZ
| backdoor.._
|
| What's an example of legal liability for state-sponsored
| cyberattacks? What's the burden of proof for attribution?
|
| _> the claim that placing liability on software companies as
| "final assemblers" will lead to broad investments across the
| current open source ecosystem_
|
| What happens when the customer is the "final assembler" of open-
| source components into signed binaries, e.g. hyperscalers?
| giantg2 wrote:
| It's pretty clear that the liability shield doesn't cover
| malicious acts. The malicious act is committed by the person
| introducing the backdoor. There shouldn't be any liability on
| the company since they had no knowledge. If a user wants to be
| sure of the security, they can inspect the code for flaws (or
| rely on reviews of others who had inspections).
| gavinhoward wrote:
| I already wrote up my thoughts:
| https://gavinhoward.com/2023/11/how-to-fund-foss-save-it-fro... .
|
| tl;dr: Excepting malice, the only time there should be liability
| is if money changes hands _for that purpose_. And liability can
| only go one level deep so that FOSS authors are not subject to
| unlimited liability.
| pnt12 wrote:
| It's an interesting question, but I doubt it will happen.
| Companies gain even more (their free code is now more reliable)
| and FOSS maintainers lose more (now they're liable for the code
| they give away).
|
| More questions: How can a FOSS maintainer be compensated for
| this? Are they liable in every country? Etc etc.
|
| Alternatives: companies could do public audits of specific
| software/library versions.
| giantg2 wrote:
| "companies could do public audits of specific software/library
| versions."
|
| But then the consultant companies can't charge each corp
| individually.
| verdverm wrote:
| I've grown fond of Lawfare Media, with their generally well
| thought through and tempered commentary.
|
| This playlist will give you an overview of the breadth of topics
| they cover
|
| https://www.youtube.com/playlist?list=PL9f-8IUHQF3muxWzFL6sJ...
| ctrw wrote:
| >Third, if and when software liability becomes law and covers
| open source software included in a product, then companies will
| finally invest substantially in the open source software
| ecosystem.
|
| This is delusional. Companies will stop releasing open source
| software if it costs them money to do it. It is already enough of
| a fight to just get legal to sign off for IP reasons. If
| accounting got involved it would simply never happen.
| verdverm wrote:
| The majority of the article is about providing counterpoints to
| the statements in the first paragraphs.
|
| > Counterclaim #3: Software liability laws will not necessarily
| lead to broad corporate investment in the open source software
| ecosystem.
| samatman wrote:
| There's a reason this is in ALL CAPS:
|
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
| EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
| OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
| NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
| HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
| WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
| FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
| OTHER DEALINGS IN THE SOFTWARE.
|
| Even with the yelling, some people don't hear it.
___________________________________________________________________
(page generated 2024-04-29 23:00 UTC)