Questioning the conventional wisdom on liability and open source software

29 points by curmudgeon22, about 1 year ago

10 comments

pnt12, about 1 year ago

It's an interesting question, but I doubt it will happen. Companies gain even more (their free code is now more reliable) and FOSS maintainers lose more (now they're liable for the code they give away).

More questions: How can a FOSS maintainer be compensated for this? Are they liable in every country? Etc etc.

Alternatives: companies could do public audits of specific software/library versions.

Comment #40204821 not loaded
transpute, about 1 year ago

> Should open source software developers that knowingly distribute malicious open source software also be exempt from liability? This isn't an academic question. The recent XZ backdoor..

What's an example of legal liability for state-sponsored cyberattacks? What's the burden of proof for attribution?

> the claim that placing liability on software companies as "final assemblers" will lead to broad investments across the current open source ecosystem

What happens when the customer is the "final assembler" of open-source components into signed binaries, e.g. hyperscalers?

Comment #40204658 not loaded
squigz, about 1 year ago

The XZ backdoor is mentioned a couple of times in this. Who would be liable in that situation? The project lead who was also being used, or the actual malicious actor?

Comment #40205384 not loaded
gavinhoward, about 1 year ago

I already wrote up my thoughts: https://gavinhoward.com/2023/11/how-to-fund-foss-save-it-from-the-cra-and-improve-cybersecurity/

tl;dr: Excepting malice, the only time there should be liability is if money changes hands *for that purpose*. And liability can only go one level deep so that FOSS authors are not subject to unlimited liability.

Comment #40209485 not loaded
ece, about 1 year ago

On one hand, someone like a Jia Tan should be held to account in some way; if it was a nation state, there could be sanctions.

On the other hand, finding the actual malicious actor seems like a harder problem than fixing code and ensuring resilient trust chains.
samatman, about 1 year ago

There's a reason this is in ALL CAPS:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Even with the yelling, some people don't hear it.

Comment #40205559 not loaded
Comment #40205614 not loaded
Comment #40205698 not loaded
agentultra, about 1 year ago

Provided without warranty. Period.

If an entity has the capital to be in the business of using software to manage goods and services in the public space, where failure to follow industry practices can result in harm to property, assets, or people, then they should be liable.

Breached customer data because the company used an open source library they didn't vet beforehand? That's too bad. It happens. Maybe take more care to assess dependencies instead of assuming you can throw the cost of such failures on customers.

Don't want to vet the software? Write it yourself.

I think a good deal of this could be worked out if Software Engineer was a more broadly protected term. Software Engineers, like their trad engineer cousins, should be liable. Companies should be forced to have one on staff or retainer to sign off on their projects. It's not a perfect system, but it works in ways we understand well from experience in other disciplines (and we have some experience with its failure modes).

Not every software developer needs to be an engineer in order to work.

I believe that having this level of professionalism would change the incentives in the marketplace towards better behaviours. Right now it's all based on class action suits that end up just being the cost of business. If a company doesn't do well by their engineers they'll find themselves out of business or having a hard time hiring.

But open source developers? Nope. No warranty is no warranty. You need to vet your sources and get insurance.
ctrw, about 1 year ago

> Third, if and when software liability becomes law and covers open source software included in a product, then companies will finally invest substantially in the open source software ecosystem.

This is delusional. Companies will stop releasing open source software if it costs them money to do it. It is already enough of a fight just to get legal to sign off for IP reasons. If accounting got involved it would simply never happen.

Comment #40205530 not loaded
Comment #40205002 not loaded
verdverm, about 1 year ago

I've grown fond of Lawfare Media, with their generally well thought through and tempered commentary.

This playlist will give you an overview of the breadth of topics they cover:

https://www.youtube.com/playlist?list=PL9f-8IUHQF3muxWzFL6sJbmFmck45_OLW
jimmaswell, about 1 year ago

Who would still write OSS if they could be sued for a bug?