Questioning the conventional wisdom on liability and open source software (lawfaremedia.org)
29 points by curmudgeon22 19 days ago | hide | past | favorite | 28 comments



It's an interesting question, but I doubt it will happen. Companies gain even more (their free code is now more reliable) and FOSS maintainers lose more (now they're liable for the code they give away).

More questions: How can FOSS maintainer be compensated for this? Are they liable in every country? Etc etc.

Alternatives: companies could do public audits of specific software/library versions.


"companies could do public audits of specific software/library versions."

But then the consultant companies can't charge each corp individually.


> Should open source software developers that knowingly distribute malicious open source software also be exempt from liability? This isn’t an academic question. The recent XZ backdoor..

What's an example of legal liability for state-sponsored cyberattacks? What's the burden of proof for attribution?

> the claim that placing liability on software companies as “final assemblers” will lead to broad investments across the current open source ecosystem

What happens when the customer is the "final assembler" of open-source components into signed binaries, e.g. hyperscalers?


It's pretty clear that the liability shield doesn't cover malicious acts. The malicious act is committed by the person introducing the backdoor. There shouldn't be any liability on the company since they had no knowledge. If a user wants to be sure of the security, they can inspect the code for flaws (or rely on reviews of others who had inspections).


The XZ backdoor is mentioned a couple times in this. Who would be liable in that situation? The project lead who was also being used, or the actual malicious actor?


Liability isn't going to work as a way of handling malicious attacks. If the culprit is caught, and lives in a place with a reasonable government, prosecution would be a better way to address it, because if it is an individual they aren't going to have assets to cover the damages. If it's a state actor then liability isn't going to do anything as the state involved will deny any association with the attack team and ignore court awards for damages coming from other countries.


> If the culprit is caught, and lives in a place with a reasonable government, prosecution would be a better way to address it

By "lives in a place with a reasonable government" I guess you are talking about somewhere that will act at the behest of the US government and prosecute on their behalf?

Because that's nothing like as simple as you might imagine (for very good reasons).

Source: Kim Dotcom lives down the road here and it is proving to be extremely challenging (and very expensive to us taxpayers) to bring him to US justice.


An attack like XZ wouldn't just harm the US. A prosecution wouldn't have to be "at the behest of the US government".

Kim Dotcom could pretend that his business was legit (just a file sharing service) so he could drag out the court battles. Someone trying to sneak attack code into widely used software would have no such defense.


I already wrote up my thoughts: https://gavinhoward.com/2023/11/how-to-fund-foss-save-it-fro... .

tl;dr: Excepting malice, the only time there should be liability is if money changes hands for that purpose. And liability can only go one level deep so that FOSS authors are not subject to unlimited liability.


By that reasoning advertising companies should be held responsible for the products they advertise.


Why, yes, that would be a great thing.


On one hand, someone like a Jia Tan should be held to account in some way; if it was a nation state, there could be sanctions.

On the other hand, finding the actual malicious actor seems like a harder problem than fixing code and ensuring resilient trust chains.


There's a reason this is in ALL CAPS:

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Even with the yelling, some people don't hear it.


You can't just disclaim all legal liability like that.

Lots of businesses have you sign waivers that absolve them of all liability in the event of injury or death even if caused by negligence, but they can still be successfully sued or even criminally prosecuted. Which is a good thing! A waiver should not be a pass to be willfully negligent, much less actively malicious.

How that applies to open source software is a deep technical and legal question and I don't have a clear answer, but I'm certain that just including a disclaimer is not sufficient on its own.


Isn't accepting the license supposed to be equivalent to signing a waiver?

The reasoning is what huge corps keep using: if you don't accept the license, there is nothing that gives you the right to use the software, or even look at the software. Certainly you do not get to use it for any purpose whatsoever, in which case it wouldn't be possible to do damage.


Isn't the title of the article addressing specifically those types of clauses?

I'm fully behind the "as is" from volunteers and hope that it's not mucked with, but judges and legislatures change. The EU, for example, was ready to make all software devs liable for security issues, OSS or not, until the community rallied and informed them of how much of a disaster that'd be.

Just because something is written into a waiver doesn't mean that it's enforceable.


The sibling comments are correct, unfortunately.

We need licenses that become void when those disclaimers are not accepted.


Wouldn't I be able to just "accept" the license, if I knew that by law the liability limitations were not enforceable?

There's still plenty of folks clicking through boilerplate labor contracts too that stipulate non-competes, knowing those aren't enforceable in their (US) state anyway.


If the license becomes void if the disclaimer doesn't hold, then you can't accept the license; the author(s) specifically say that you don't have that option. By copyright law, you would then have no right to use the software.

Some people may not consider that FOSS, but I'm okay with that.

Source: I am making such licenses, and though IANAL, I am halfway through working with a lawyer on those licenses.


Doesn't it depend on severability provisions in the license, or for the lack thereof, a severability ruling by a court, whether the license is voided if the liability limitation is ruled to be illegal? Or... to become illegal, in case such laws are enacted after the license is accepted?


In most cases, no, at least according to the lawyer I have.

He did put in a phrase that nullifies the license when a new ruling comes out or a new law is passed. Essentially, you may have accepted the license, but since I included the condition that the disclaimer is legal, I can withdraw the license for that reason.

Having conditions for withdrawing the license is well-established. Without it, the GPL would not work because otherwise, it could not become void for an entity that doesn't share changes.

IOW, you may have accepted the license, but that doesn't remove my power to take it away.


Provided without warranty. Period.

If an entity has the capital to be in the business of using software to manage goods and services in the public space where failure to follow industry practices can result in harm to property, assets, or people then they should be liable.

Breached customer data because the company used an open source library they didn't vet beforehand? That's too bad. It happens. Maybe take more care to assess dependencies instead of assuming you can throw the cost of such failures on customers.

Don’t want to vet the software? Write it yourself.

I think a good deal of this could be worked out if Software Engineer was a more broadly protected term. Software Engineers, like their trad engineer cousins, should be liable. Companies should be forced to have one on staff or retainer to sign off on their projects. It’s not a perfect system but it works in ways we understand well from experience in other disciplines (and we have some experience with its failure modes).

Not every software developer needs to be an engineer in order to work.

I believe that having this level of professionalism would change the incentives in the marketplace towards better behaviours. Right now it’s all based on class action suits that end up just being the cost of business. If a company doesn’t do well by their engineers they’ll find themselves out of business or having a hard time hiring.

But open source developers? Nope. No warranty is no warranty. You need to vet your sources and get insurance.


>Third, if and when software liability becomes law and covers open source software included in a product, then companies will finally invest substantially in the open source software ecosystem.

This is delusional. Companies will stop releasing open source software if it costs them money to do it. It is already enough of a fight to just get legal to sign off for IP reasons. If accounting got involved it would simply never happen.


As mentioned in the article: something like 80% of the code shipped is open source, due to developers doing the reasonable thing and including OSS libraries.

Companies can't just walk away from 80%. And if there's liability, rip and replace becomes rip, replace, and still fix issues -- versus just leaving out the rip and replace steps.


They can and they will because they did it once moving to open source in the first place.


The majority of the article is about providing counterpoints to the statements in the first paragraphs.

> Counterclaim #3: Software liability laws will not necessarily lead to broad corporate investment in the open source software ecosystem.


I've grown fond of Lawfare Media, with their generally well thought through and tempered commentary.

This playlist will give you an overview of the breadth of topics they cover:

https://www.youtube.com/playlist?list=PL9f-8IUHQF3muxWzFL6sJ...


Who would still write OSS if they could be sued for a bug?



