Open source liability is coming

I find this article and the reactions here confusing. This seems to me like unequivocally a good thing for open-source devs.<p>Making commercial vendors who rely on open source software liable for bugs is fantastic news, that&#x27;s how it always should have been. You can&#x27;t have a commercial company throw their hands up and say &quot;well github.com&#x2F;cutefuzzypuppy is at fault for writing an open-source npm package we used so harm to our customers is not our fault!&quot;

This is great. Software is important, software has an impact, and so we need liability.<p>This regulation ensures that whoever sells the software to the consumer is responsible, and that&#x27;s the way it should be. The creator of a library doesn&#x27;t know how his library will be used in the wild, he can&#x27;t anticipate all possible problems, the product maker can. It is the product maker&#x27;s responsibility to integrate external components properly, having validated that they are up to standard.<p>If you&#x27;re a manufacturer, you can&#x27;t just pick components at random and then say it&#x27;s not your fault if your product doesn&#x27;t work. That&#x27;s why manufacturers have whole teams of people working to ensure that what they receive from a supplier is up to spec.

There seems to be some confusion in the comments regarding what this means for people releasing open source software.<p>The article makes it clear that (as the author understands it, at least) someone who uses open source software in their commercial product is liable; the people who wrote the open source code [1] are not.<p>&gt; If a user is harmed by software, the person they paid (targeted ads would count) must compensate them for the harm – unless the software provider can prove their software played no role in the ... harm. If open source resources are [used by] your code, you’re responsible for their performance too. *The open source resource licensed away their liability to you*.<p>(Emphasis mine)<p>[1] Assuming they used a license that limits liability, such as Apache.

I use an open source screen reader, NVDA.<p>It is completely open, and they produce an installer for people or you can build it yourself from Git.<p>Can you help me understand now, if there is a bug in NVDA (which is under the GPL) and it causes me trouble, say, it can&#x27;t read a webpage that I need for some government thing, I could now sue my screen reader, which is actually just a bunch of dudes hacking something together? Is that the new behavior that is enabled by this upcoming law?<p>Next question, if this is the actual state of things, why would anyone ever make anything open source and allow it to be distributed in the EU now? It sounds like, and please please correct me if I am wrong, but it sounds like you could sue the makers of The Gimp, for instance, if a bug caused ... what, your pictures to come out looking wrong?<p>&gt; Someone, or some entity, will need to accept financial and legal responsibility for what the project does in consumer hands.<p>Here&#x27;s a crazy idea, maybe that person should be the consumer?

The article leans a bit towards a pessimistic tone imho, so here&#x27;s another source: <a href="https:&#x2F;&#x2F;www-heise-de.translate.goog&#x2F;news&#x2F;EU-Regulierung-Ausnahmen-fuer-Open-Source-in-Produkthaftungsrichtlinie-9579307.html?_x_tr_sl=auto&amp;_x_tr_tl=en&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp" rel="nofollow">https:&#x2F;&#x2F;www-heise-de.translate.goog&#x2F;news&#x2F;EU-Regulierung-Ausn...</a><p>Apparently the current state of affairs is that open source (non-commercial!) devs and projects are safe. If you pack OSS as part of a commercial offering, you&#x27;re on the hook for that as well (read: you&#x27;re liable for the whole product you sell and can&#x27;t put off some aspects to open source). So nothing to fear for us so far. Still in process though.

Like most, I&#x27;m convinced of the efficacy of the open source model. I&#x27;m convinced that authors should receive reliable financial compensation for their work so the model is sustainable.<p>Counter to some fears about liability with a move like this, I am <i>not</i> convinced this will result in a negative outcome.<p>Businesses will pay big bucks to dump liability on someone else. And an author won&#x27;t accept that liability for free.<p>I see an opportunity for authors or distributors of open source software to demand a fee for maintenance and shouldering some of some the liability for its use.<p>I see an opportunity for software professionals to vet the paid consumers of their libraries and, via consult, approve to take on the liability based on sound usage (charging fees to confirm sound usage).<p>I see an opportunity for a license that requires you, as the consumer, agree to take on all liability via signature if you aren&#x27;t paying.<p>Is this not in the spirit of traditional open source? Maybe yes...<p>Or, maybe it is more like a source available model with as few strings attached as possible to get the story straight.<p>Maybe this is not a bad thing.<p>Personally? If the dynamics change so that I can realistically write software for a living independendent from a single company without begging for donations, I would more strongly consider doing so. Incentives here might allow for that.

This has been a long way coming and is, in my opinion, a important step in the professionalization of software development. This article seems to refer to the Cyber Resilience Act but doesn&#x27;t really explain the problem many[1] open source communities seem to have with the current draft. The CRA actually attempts to exempt open-source software by exempting non-commercial software contributions from its rules. &quot;Commercial Activity&quot; however includes more activities than some open-source developers would like. Any kind of regular income related to the project might fulfill the requirements to count as commercial activity.<p>I recommend the linuxfoundations article[2] for a more comprehensive understanding of the proposed rules.<p>[1] <a href="https:&#x2F;&#x2F;blog.opensource.org&#x2F;the-ultimate-list-of-reactions-to-the-cyber-resilience-act&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.opensource.org&#x2F;the-ultimate-list-of-reactions-t...</a><p>[2] <a href="https:&#x2F;&#x2F;www.linuxfoundation.org&#x2F;blog&#x2F;understanding-the-cyber-resilience-act" rel="nofollow">https:&#x2F;&#x2F;www.linuxfoundation.org&#x2F;blog&#x2F;understanding-the-cyber...</a>

I personally find it strange that software has acted differently… ever. Typically, if you cause damage, you are liable without any regulatory burden being in place. Failure to maintain a motor vehicle can put an operator at risk in event of an accident, a car exploding at random when well maintained puts the vehicle maker at risk, slippery floor not being disclosed to someone and that someone then slipping and getting hurt makes the property owner (or lease holder) liable. It would make sense that software would be absolutely no different except in cases where ownership were in question such as purely open source and non-commercial software. I am glad that the EU is clarifying this and I hope that other jurisdictions follow.<p>On a not-so-rational footing, I hope this puts an end to megacorps freeloading and using FOSS without contributing in any way despite making tons of money off of it.

Hopefully this will change attitudes in application security. Developers often try to ignore vulnerabilities found in the libraries they used, coming from the POV of &quot;well, that&#x27;s not my code so it&#x27;s not my fault&quot; instead of &quot;we chose that library so we&#x27;re responsible for any vulnerabilities it creates for the company&quot;. If you&#x27;re going to use FOSS and don&#x27;t do anything to correct or mitigate the vulnerabilities in the part you choose to use, then it&#x27;s your vulnerability. But they only see it from a POV of feeling blamed for something they didn&#x27;t do as it&#x27;s not their code and ignore the bigger picture of attackers not caring the slightest who introduced a vulnerability for them to exploit, they&#x27;re just happy that it exists.

It&#x27;s a mixed reaction from me.<p>Liability to the vendor sounds like a good idea - too many cowboys out there. Also with stretched supply chains someone has to pay attention.<p>But full liability..? What if I make a crappy, low effort, cheap spreadsheet app, someone builds their business on top of it and it goes boom. Should I really be liable, on the basis of what I consider a casual product?<p>And then, the main point of the article, what if Vim deletes my files? The suggestion seems to be that Vim &quot;owner&quot; (???) is liable.<p>It feels like there should be some slider as to what liability the creator accepts (OSS - none, casual app - not much etc) but then we&#x27;re back to square one, everyone disclaims liability etc.<p>Maybe it should be somehow linked to the price paid for the software?

GitHubs next feature: litigation tracker.

If I get it right the EU has read the story of boiler manufacturers in the 19C. They exploded - a lot, because commercial pressures pushed a tragedy if the commons. But <i>insurance</i> came along - we will insure you against liability for your boiler killing the train passengers - as long as you follow these best practises and stnadrards and .. boilers blew up less.<p>The question is, are boilers the same as software? Sometimes maybe? Theros-25 is definitely true. Crud HR apps are a maybe.

A likely scenario is that software will become more expensive to consumers because the vendors will have to buy liability insurance in-house.<p>Also, it will raise the barrier to entry for any small vendor or a solo dev trying to make a living with open source.<p>&quot;Trying to start your own small business in the EU? Tough shit. Go get a job, peasant!&quot;

Could somebody predict, when these things could become power? How long to got approved by EU?<p>Must admit, they are two-sided proposals, but anyway, I think we should be ready to react in time.<p>My prediction, if this will happen, many people will remove their software from public repositories, to avoid liability.<p>And&#x2F;or will be changed licenses, probably many OSS will become &quot;only for educational purposes&quot;, something like this.<p>This is from one side, dangerous for OSS, as will lost many third part &quot;unimportant&quot; depends, but from other side, will be powerful opportunity to make paid version to cover costs of development and could significantly increase level of OSS quality.

Honestly just sounds like a misreading of the law to me. I don&#x27;t believe it. One part says<p>&quot;If open source resources are in&#x2F;called&#x2F;touched your code, you’re responsible for their performance too. The open source resource licensed away their liability to you.&quot;<p>This is the norm. The private company holds responsibility for vetting everything they ship.<p>It&#x27;s a speculation on how the law will be enforced for a law with no history and I don&#x27;t see why you would assume the worst interpretation

This article reminds of Daniel Stenberg (the developer of curl) and the emails I recall seeing him display on occasion that think he is responsible for them being hacked etc. because someone (everyoneish) bakes curl into their tools.<p>I wonder if this new legislation might muddy the waters as to whether people like him might actually get sued for the software they provide to the world?<p>Even if the legalese doesn&#x27;t actually support the notion that this could happen, we won&#x27;t know for sure until someone puts it to the test. Which means someone needs to get sued so the actual law is tested in a courtroom. A chilling effect for any developer who doesn&#x27;t have big money backing them. The risk of getting sued or even the very notion of it might just be too great to risk it and not worth the hassle for majority of people.

So what happens in this situation:<p>I write open-source software, and make it available on GitHub, together with a nice installer. I deny any liability in my license, and the users are free to install it or not. They don&#x27;t pay me in any way (not even in ads).<p>Am I liable according to new EU law?

Would like to see some actual cases where this was an issue. If a plane goes down due to bugs in open source software, could Airbus just say it wasn&#x27;t their fault? Can&#x27;t imagine that. Or if you got hacked and customer&#x27;s data exposed because of the log4j-bug, could you just say it was because of that library, case closed? That would be interesting to find out, but it sounds insane to me if you can just point at something that explicitly has no liability, that you chose to use in commercial software, and not be liable yourself.

&gt; If a user is harmed by software, the person they paid (targeted ads would count) must compensate them for the harm – unless the software provider can prove their software played no role in the breach&#x2F;loss&#x2F;failure&#x2F;psychological&#x2F;physical&#x2F;financial or other harm. If open source resources are in&#x2F;called&#x2F;touched your code, you’re responsible for their performance too. The open source resource licensed away their liability to you.<p>This, especially the last sentence, sounds like a good thing.

The idea that vendors should be responsible under the law for all of what they release is good.<p>I concur that the long term likely outcome for the late adopter crowd is &quot;certified lts editions, supported by BlahCorp&quot; and the long tail of decay. I don&#x27;t envy anyone in that system.<p>The early adopter crowd probably won&#x27;t notice, they will steam ahead and keep their own patchset on upstream with regular contribute-back and CI. Sure, they are liable, but they will staff to certify their own systems.

I think there are multiple wins but one I see is that the liability falls on open source commercial entities, support services, and any services that handles PII but also if I am reading the law right there is mandatory disclosure so open source projects will essentially get free code audits, patches included thanks to the liability risk.<p>Unless I&#x27;ve terribly misinterpreted the text which is entirely plausible given a lack of sleep and a enough coffee to jump start a small star.<p>Edit: typo

The article got me a bit worried about the idea of developing software out in the open, and the comments in this thread give me conflicting ideas.<p>If I make a public repository `ComputerCleaner` with a single file:<p><pre><code> #!&#x2F;usr&#x2F;bin&#x2F;env bash # &lt;imagine an MIT license here&gt; rm -rf &#x2F; </code></pre> Should I soon expect to be defending legal threats from random strangers who ran this code only to <i>gasp</i> find that it deleted their files?

Who is responsible for damages when the commercial software in question ships with its source code? What about a small business that sells a closed-source license for its copyleft software? In these cases, there is commercial activity, however, the licensee has full access to the source code. What about open core projects where the code isn&#x27;t available until the time of purchase?

This is outrageous and ridiculous.<p>Cool, don&#x27;t use my code if you&#x27;re in Europe or within Europe.<p>We will need amended licensing for denying use within Europe.

TFA is just a bunch of FUD. Non-commercial open source developers will be liable for nothing, and commercial software developers will be liable, and that liability will include their use of external open source, so what? Pretty much every bit of commercial software uses some external open source, and so what, using external open source does mean that one has to be able to deal with issues arising from that use. For example, even w&#x2F;o liability if there&#x27;s some bug in some external open source library that you use, you may have to spend time chasing it down and upgrading or contributing a fix, or locally patching the issue, etc. -- you used that external open source because it saved you time and money (but I repeat myself) and you took on <i>some</i> liability even before any jurisdictions might force you to take on even more liability. That&#x27;s just normal. The calculus will almost certainly still be that using external open source is better and cheaper than writing your own bloat in-house, but you might need to do a bit more due diligence in picking better, safer external open source.<p><a href="https:&#x2F;&#x2F;www.europarl.europa.eu&#x2F;news&#x2F;de&#x2F;press-room&#x2F;20231205IPR15690&#x2F;deal-to-better-protect-consumers-from-damages-caused-by-defective-products" rel="nofollow">https:&#x2F;&#x2F;www.europarl.europa.eu&#x2F;news&#x2F;de&#x2F;press-room&#x2F;20231205IP...</a>

This article is FUD by the CEO of a big tech lobbying firm[0], which lobbied against opening up the walled app store gardens in the US.<p>The long and short of it is that this talks about expanding product liability laws in the EU. Currently, software doesn&#x27;t fall within the PLD, and software developers can shrug and say their software was provided as is if damages occur (e.g., loss of data, data leak, etc.), whereas manufacturers of merchandise are on the hook if their product causes damage (e.g., fire)<p>The EU says this isn&#x27;t good enough and wants to include software in the PLD. This would <i>only</i> pertain to commercially exploited software (e.g., sold, provided with maintenance contracts, etc.), excluding tiny software developers.<p>The only relation this has to FOSS is that software developers that use FOSS in their product would need to, you know, make sure they know what they are including in their software (something they should do anyway).<p>This has zero effect on Joe Schmoe and their GitHub repo, but this lobbyist likes you to think otherwise to help him stop this change in EU regulation.<p>That&#x27;s it.<p>0: <a href="https:&#x2F;&#x2F;www.bigtechwiki.com&#x2F;index.php&#x2F;Developers_Alliance" rel="nofollow">https:&#x2F;&#x2F;www.bigtechwiki.com&#x2F;index.php&#x2F;Developers_Alliance</a>

There is nothing preventing scammers from modifying the software once they receive it then saying it is faulty. Especially with web technologies but even with desktop applications too.

we need liability in politics rather

what&#x27;s new here? A commercial entity selling a product that also embeds open source components is liable is that entity&#x27;s product causes harm, even if the fault lies in bugs in the OSS code itself. is that new ? assuming their own license does not also indemnify them. The OSS code, at least if it&#x27;s mine, has &quot;THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND&quot; right there in the license. What&#x27;s the change?

My 2024 prediction is that open source software will be hosted anonymously on the dark web or offshore to avoid legal liability.

&gt; the EU is finalizing rules that will make open-source creators and licensees liable for any user harm their software might cause<p>Citation?

I know this legislation is in the EU, but in the US such a regulation seems to run up against the concept of free speech. What is the difference between these hypotheticals:<p>Case 1: I have a blog that takes a conspiracy-level, anti-tax position. In it, I say crazy things like, “The IRS is illegitimate and financial records are unnecessary.” From reading this, someone shreds all their financial documents. As far as I can tell, the blog is perfectly legal under the First Amendment.<p>Case 2: I am an open source maintainer of a home assistant program. It includes personal file management. Due to a bug in the software, an end-user’s financial documents are deleted.<p>The easiest distinction is that the conspiracy reader is taking an affirmative act of destroying their own documents. But, I think that’s less different than at first glance. The software user is setting up a computer system based on an open source program that may have bugs in it, and that causes a loss of data. The conspiracy reader is setting up a worldview based on information that may have bugs in it, and that causes a loss of data.<p>Why would the software bug be regulated, but the conspiracy falsehood not?

Seems a fun monetization formula. Something to buy from the dev

So what constitutes “harm”?

This is BS. I&#x27;ve talked employers into releasing all sorts of useful things under FOSS licenses over the years. The conversation has always been like &quot;we have this handy thing, and it&#x27;s not related to our core business at all, and there&#x27;s no way it&#x27;d be a marketable product, but other people could probably use it, too.&quot; And the release process has always been like &quot;here&#x27;s a thing we made to solve a problem we had, and it works for us, and maybe other people could also use it.&quot;<p>In every case, we used those projects in production in our own shop. The tools worked for us. If they didn&#x27;t, we kept tweaking until they did. They may not have been perfect in all possible scenarios, but they were useful for us.<p>And if my employers faced any liability problems whatsoever, they&#x27;d never have given me permission to release them.<p>Imagine suing Linus because Linux turns out to be vulnerable to an attack that hasn&#x27;t been invented yet. The OpenBSD gang for finding and fixing a bug, even though it wasn&#x27;t known to be exploitable, because it <i>could</i> have been. My boss because a little tool I wrote turned out to have a problem in an environment and use case we&#x27;d never imagined anyone using it in.<p>This is bullshit.<p>Update: A lot of readers have been quick to point out that the BS laws don&#x27;t apply to all situations. That doesn&#x27;t help the situation. &quot;Hey, boss, can I give this tool I made away? If an ambulance chaser sues us for idiotic reasons, we&#x27;ll probably be fine because the law doesn&#x27;t cover how we&#x27;re releasing it. Hey, come back here! Stop running!&quot; I present as evidence jackasses like this: <a href="https:&#x2F;&#x2F;www.abc15.com&#x2F;news&#x2F;local-news&#x2F;investigations&#x2F;disbarred-attorney-continues-to-file-ada-lawsuits" rel="nofollow">https:&#x2F;&#x2F;www.abc15.com&#x2F;news&#x2F;local-news&#x2F;investigations&#x2F;disbarr...</a><p>Yeah, I&#x27;m sure my employer would eventually win a frivolous lawsuit, but the mere possibility of that being an issue would be catastrophic to FOSS as we know it.

Here&#x27;s the problem as I see it:<p>* Person A makes OSS project P<p>* Organisation&#x2F;Person B uses P<p>* A vulnerability in P causes financial harm to B<p>Is person A now liable under this law? What happens if person A has a Patreon or GitHub sponsor page? The latter seems to imply you&#x27;re being paid for development and so this is now a commercial project?<p>Or is the requirement that the end user directly pays for the product? In that case this directive would not cover a variety of large objectively commercial products: Chrome, Slack, Java, arguably macOS and iOS (because you get new versions for &quot;free&quot; so the software is &quot;free&quot;, right? Apple makes a point of stating its products are the hardware), etc - hence you can&#x27;t say the &quot;commercial&quot; restriction requires money being exchanged directly for the software, but that gets you back to &quot;does a Patreon, GitHub sponsor, etc mean you&#x27;re now a commercial developer?&quot;<p>Again the problem here is the ambiguity, and the massive disparity between revenue and liability. If you make a few hundred (or even a few thousand) a year from sponsorship should you be subject to massive liability because a huge organisation, or a large number of different organizations pick up your project, you could now be liable due to damages the organizations are subject to.<p>There&#x27;s a lot of focus in these threads on &quot;company uses your OSS project in products they sell and a a bug impacts <i>their</i> customers&quot; rather than &quot;company uses your OSS project, and a bug causes the company itself harm&quot;, e.g. the company is now the end user. To make it even more direct, what would happen if (as some companies do) the companies provide &quot;sponsorships&quot;(or whatever) for the OSS project development, now the company is the end user and they&#x27;re paying for development and that sounds pretty &quot;commercial&quot;.<p>But also this legislation completely undermines all OSS licenses as they all say the software is distributed without liability or warrantee. The liability restriction is completely neutered, so now contributing to any OSS project requires you to be able to afford a lawyer to determine whether you can do so without acquiring boundless liability, which seems like a sure fire way to immediately price-out the overwhelming majority of OSS contributors from ever contributing to any OSS projects.<p>[addendum] One other follow on from this would be that if you do have any sponsorship mechanism it would seem you&#x27;re now liable for bugs in code submitted from other people unless you&#x27;re paying every contributor for their contributions, specifically to transfer liability. If you don&#x27;t do that you&#x27;re acquiring liability for code written by others.

tl;dr Noooo I can’t be held liable for the (open source or not) code I commercially ship, how dare you.

This is already true in the UK. The &quot;open source&quot; developers of Bitcoin Core were personally bankrupt with a multi-billion pound judgement because they refused to alter the protocol to allow Satoshi to recover coins a hacker took from him.<p>Developers have a duty of care to their users which no license can remove. You either make good software and comply with your duty or you will be ruined. That is the law.<p>Next year those Bitcoin developers will go to prison because the have not paid the billions they owe. Open source communism doesn&#x27;t protect you from the law.

This is ridiculous, all blame&#x2F;liability should lie with either the provider of commercial software who chooses to rely on open source software or the end user for relying on free&#x2F;open source software.<p>I personally will not allow people in the EU to use any software I write going forward, I imagine other open source developers will take these steps as well.

EU is really bent on destroying itself by any means. First AI regulation, now open source destruction, killing off any avenues for growth for the next century. It&#x27;s already uncompetitive at both.

FINALLY. This industry needs some regulation...<p>I&#x27;m mostly curious what that means for something like the MIT license... For those who need a refresher, this is the part I mean.<p>&gt; THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.