
Ask HN: Was any OSS contributor ever sued? - democracy
I was thinking about Equifax's hack and the Struts 2 library that was apparently blamed for the incident.

I am wondering, are there any cases where an open-source contributor was ever sued by some corporation for damages, and if so, anything in particular we could do (apart from a LICENSE file) that can be used to mitigate such a scenario?
======
cjbprime
Pretty sure that's never happened. But the LICENSE file is why. For example,
from the Struts 2 license:

> 7. Disclaimer of Warranty. Unless required by applicable law or agreed to
> in writing, Licensor provides the Work (and each Contributor provides its
> Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> KIND, either express or implied, including, without limitation, any
> warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or
> FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining
> the appropriateness of using or redistributing the Work and assume any risks
> associated with Your exercise of permissions under this License.

> 8. Limitation of Liability. In no event and under no legal theory, whether
> in tort (including negligence), contract, or otherwise, unless required by
> applicable law (such as deliberate and grossly negligent acts) or agreed to
> in writing, shall any Contributor be liable to You for damages, including
> any direct, indirect, special, incidental, or consequential damages of any
> character arising as a result of this License or out of the use or inability
> to use the Work (including but not limited to damages for loss of goodwill,
> work stoppage, computer failure or malfunction, or any and all other
> commercial damages or losses), even if such Contributor has been advised of
> the possibility of such damages.

> 9. Accepting Warranty or Additional Liability. While redistributing the
> Work or Derivative Works thereof, You may choose to offer, and charge a fee
> for, acceptance of support, warranty, indemnity, or other liability
> obligations and/or rights consistent with this License. However, in
> accepting such obligations, You may act only on Your own behalf and on Your
> sole responsibility, not on behalf of any other Contributor, and only if You
> agree to indemnify, defend, and hold each Contributor harmless for any
> liability incurred by, or claims asserted against, such Contributor by
> reason of your accepting any such warranty or additional liability.

The license prevents such a lawsuit.

~~~
jolmg
And if a license is not provided, then people generally can't even use the
code, as it would violate copyright, right? (With the exception of whatever you
agreed to in your distributor's (e.g. Github) Terms of Use.) So, it's not so
much that a license prevents it. It's more like open source licenses are
careful not to imply warranty from their mere existence.

------
JMTQp8lwXL
A single developer's assets are unlikely to be enough to cover the level of
damages sustained by the Equifax breach. In that sense, it's kind of a
judgment-proof situation.

~~~
kjs3
My understanding is that isn't true. You can sue someone with no expectation
that they will be able to pay in order to deflect blame. That's why people sue
for $1 or some other symbolic amount. So, in theory, Equifax could sue the
Struts developers so that they can say "it wasn't our fault; they didn't keep
up their library". I think the license indemnifies the developers (if they can
afford to contest the suit) and the circumstance (we used a library long after
EoL) would mean they wouldn't win, but they can still spin the whole thing as
"our supplier was actually the bad guy".

