European legislation could create liability for free-software developers (lwn.net)
85 points by belter 8 months ago | 143 comments



Previous discussions:

https://news.ycombinator.com/item?id=36783445 (34 comments, 2 months ago)

https://news.ycombinator.com/item?id=35914013 (122 comments, 4 months ago)

https://news.ycombinator.com/item?id=35637556 (97 comments, 5 months ago)

https://news.ycombinator.com/item?id=35011108 (200 comments, 7 months ago)

https://news.ycombinator.com/item?id=33594440 (203 comments, 10 months ago)


So, we may need to add a "Not for use in the European Union" clause to open source licenses?


I suspect such a licence would be rejected by the OSI, and by the FOSS community.

Criterion 5 of the OSI's Open Source definition: [0]

> No Discrimination Against Persons or Groups

> The license must not discriminate against any person or group of persons.

To my knowledge this hasn't been tried in a licence before. FOSS licences generally state something about accepting no liability, and this seems to work pretty well even across jurisdictional differences. Presumably the legal situation changes if the software is sold, e.g. with enterprise Linux distributions, but of course FOSS is not typically distributed on that basis.

[0] https://opensource.org/osd/


Well, who made them the gatekeeper? OSI bought a domain, they are not open source.

Regional licensing is pretty standard in general though. Especially for things under copyright.

Or "No use if use implies X constraint". There are surely ways to word it that focus on how using it impacts the software, without having to mention a specific group.


> Well, who made them the gatekeeper? OSI bought a domain, they are not open source.

The broader community puts a lot of stock in the licence-approval work done by the OSI, the FSF, and the Debian project.

One concrete consequence is that the Debian repositories won't accept your package. (Debian's requirements are much like those of the OSI. In practice, the 3 bodies almost always agree on whether a licence is acceptable.)

Less concretely, in terms of adoption and community-building it can be really bad news for a project to be almost truly Free and Open Source.


If you wanted to satisfy the OSI for some reason, you could do something like: "This license is not granted to jurisdictions requiring external security assessments except when such external security assessments have already been performed or for the exclusive purpose of performing such assessments."


Maybe open source licenses need some kind of general "void where prohibited" clause that specifies parts of the license which are non-negotiable and if a jurisdiction won't enforce them then nobody there can use it.

This might also deter governments from passing that category of bad laws because you're going to have a lot of grumpy companies and citizens if a new law tries to void a common version of the BSD license or GPL that makes NO WARRANTIES sine qua non.


No, but you may refuse to provide paid support to EU customers if you don't want to deal with your product's cybersecurity (risk assessment, vulnerability reporting, etc).


I think its time to start questioning statements like “While it aims at a worthy goal”. Does it though? I think the goal is not what you think it is.

You want secure software? Require it all to be open source.


It's time people internalize the systems theory rule that the goal of a system is what it does.

The maximum number of people that can hold a goal is 1. More than that, and there's no goal.


It really won't. It's targeted at corporations, especially big tech, not open source where there is no money.

If anything, it will likely toss more resources to open source by those very same big tech companies, to protect their liabilities


> If anything, it will likely toss more resources to open source by those very same big tech companies, to protect their liabilities

I don’t think that's how it will work. The moment the big company ships an open-source library as part of their commercial software, they will be liable for it (but not the original non-commercial open-source authors, if any). As soon as it's used as part of a commercial product, being open source or not won't matter for the liability.


[Sigh]

If humans could live on red tape alone, the EU could feed the world.


If humans could live on laissez-faire capitalism, the US wouldn't have 11% of its population living below the poverty line.


It's reassuring that Europe has managed to solve poverty as an example to us all.


With that said, I'd rather be poor in France than in the US. At least there is a good public health care system and you can go to school and university for free.


The US also has free schools, and unlike certain european countries they aren't divided into three tiers based on class.


US schools receive funding based on the region they're in. Therefore, poor neighborhood => bad school.


bad school in the US => colleges particularly enthusiastic about accepting you as an underprivileged child

lower tier school in germany => no higher education


Good students can switch tiers, and there are tierless schools too (Gesamtschule) which allow any student with an average of grade 3 (C in the US system) or better to continue to high school and qualify for university.


Can you demonstrate any correlation between funding and education outcomes?


Correlation is pretty clear to me, causation less so. After a bit of searching around, I personally believe that the factors which make a particular neighborhood poor have a causal effect on the education outcomes in that neighborhood, but haven't found a clear causal link between school funding and education outcomes. I do think that increasing funding would help, but there are a ton of confounding variables which must be improved in tandem with funding to produce a significant improvement.

School funding goes toward teaching staff, school supplies (pencils, books, desks, chalkboards, etc.), food and water, and building maintenance (bathrooms, sinks, HVAC, etc.). There are also administrative staff, cleaning staff, and counselors i.e. school psychologists. In the case of K-12 public schools, taxes are the funding. Parents with lower income pay less in taxes (in literal dollars, not percentage-wise). Poorer school districts get less funding [1]. Less funding means fewer teachers or lower salaries. One article I read points out that teacher turnover is higher in schools with less funding and that higher turnover is worse for student learning [2]. While the article suggests that the turnover is at least partially due to whether the teachers are culturally and socially prepared to teach high-poverty student populations, increased funding could go toward providing poverty-aware training, training for resolving behavioral issues, and increased salaries to incentivize retention. ("Training for resolving behavioral issues" would include carefully assessing school policies to prevent a school-to-prison pipeline [3].)

On the other hand, a poor neighborhood has many other confounding factors which can influence student success. Poorer families are less able to buy healthy nourishment, and hunger distracts students in class [4]. Money problems distract parents from developing healthy, present relationships with their children. A poor neighborhood is less able to train police officers to deal with violence in the streets while also avoiding excessive violence in response. A poor city (or an indifferent state government [5]) can't account for or replace lead pipes and lead paint, and lead exposure harms brain development.

[1] https://www.usnews.com/news/best-states/articles/2018-02-27/...

[2] https://ballardbrief.byu.edu/issue-briefs/the-socioeconomic-...

[3] https://en.wikipedia.org/wiki/School-to-prison_pipeline

[4] https://en.wikipedia.org/wiki/Communication_noise#Physiologi...

[5] https://en.wikipedia.org/wiki/Flint_water_crisis#Hurley_Medi...


True, but your chance of being shot while at school in France is significantly lower.


Yes, 0 rather than 0.0000001.



Right, because unless you're going to completely solve poverty, you shouldn't bother trying to do anything about it at all.

How does someone even make the argument that 11% poverty in the US is exactly the same as 0.4% in Denmark?


According to [1] the rate of poverty in the US is 15% compared to 6.5% in Denmark (and 10.9% in Germany, 14.2% in Italy, and 8.4% in France, the three strongest economies of the EU).

[1] https://www.statista.com/statistics/233910/poverty-rates-in-...


Because the proper comparison is to the EU, not Denmark, which is the size of a very small US state.


Do small US states have a lower rate of poverty?


US states certainly vary a lot by median income and poverty rate.


By pointing out the countless differences between Denmark and the US?

That said, one great thing both Denmark and the US have in common is that neither country will shoot you at the border for trying to leave.


Nevermind leaving the country, imagine getting killed by law enforcement because they got the wrong address: https://www.cbsnews.com/sacramento/news/video-police-shoot-m...


It was interesting to learn the other day that this class of argument actually has a name: https://en.wikipedia.org/wiki/And_you_are_lynching_Negroes


Denmark will deport you back to your war stricken country though if you are brown enough. Even if you are a minor. :)


>If humans could live on laissez-faire capitalism, the US wouldn't have 11% of its population living below the poverty line.

I think it might be a little more complex than that? "Living conditions in Europe - poverty and social exclusion" [0], "Poverty in Europe" [1]:

>"In 2022, 95.3 million people in the EU (22 percent of the population) were at risk of poverty or social exclusion, i.e. living in households facing at least one of the three risks of poverty and exclusion: income poverty, severe material and social deprivation and/or living in a household with very low work intensity (where adults work at less than 20 percent of their potential over one year). According to Eurostat data, this figure has remained relatively stable compared to the previous year (95.4 million in 2021, 22 percent of the population)."

I don't support total "laissez-faire capitalism" at all as I understand and think it's counter to the free market as well as bad for society, but I don't think you can just claim the opposite extreme has clearly better outcomes. It's not unreasonable to argue that both the US and EU go too far towards different ends of the spectrum.

----

0: https://ec.europa.eu/eurostat/statistics-explained/index.php...

1: https://www.statista.com/chart/30411/share-of-people-at-risk...


There is this weird relic of the cold war where people claim the US has unregulated markets because that's what the internal propaganda said when the enemy was Communism. The US government is the largest bureaucracy in the world with a government budget that exceeds the entire GDP of every country except for China and the US itself. The US Code is tens of thousands of pages long. And those are just the federal numbers.

That isn't to say that the US and Europe are the same. The US government is more captured by industry. Occasionally this is actually an advantage, because the industry can push back against the more ridiculous of the naive incompetence of people who are good at identifying problems but not solutions. The industries also use it to put up regulatory barriers to entry and promote market consolidation, which is very bad, but that happens in Europe too.

Not to put too fine a point on it, but you could pretty easily have a UBI that essentially eliminates poverty without having an incompetent regulatory apparatus that tries to micromanage every part of the economy. On either continent.


1 seems to be a rehash of 0 and being at risk of “poverty and social exclusion” seems to be a broader definition than living below the poverty line.

This seems like comparing apples to oranges or am I missing something?

On a similar note, is there parity between US definitions of poverty and European definitions of poverty and/or are the statistics normalized to account for any differences?


It isn't the regulatory restrictions that improve that in Europe, it's the high taxes and spending on services.


Poverty is relative.


Not sure why the burden is put on the shoulders of the authors of open source software. Would make more sense to say “Companies that use open source software to sell their own software must comply with the following security practices…”


This would penalize paid software when compared to ad supported software.


Original article title is "The European Cyber Resilience Act", but OP has editorialized it to "European Legislation Could Create Liability for Free-Software Developers".


I am the OP and also do not like it when titles are editorialized. This is how it appears in Leading items - LWN.net Weekly Edition for September 21, 2023:

"The European Cyber Resilience Act: an overview of proposed European legislation that could create liability for free-software developers."

Which one do you think is the most informative?


A combination of both would be best, but might be too long. I know of the act, and was assuming that it would be about that act, but it doesn't say so one needs to click. On the other hand, the original title is even worse because it tells you nothing about why it's interesting. Choice of two evils? I think your choice was the better of the two, unless it can be made to fit both


I'm sure all the free software cheerleaders who were lauding the EU for requiring that Apple support side loading will be thrilled. Sauce for the goose and all that.


A lot of straw-grasping. The whole "commercial activity" thing, for example. The legal guide says:

> on a case by case basis taking into account the regularity of the supplies, the characteristics of the product, the intentions of the supplier, etc. In principle, occasional supplies by charities or hobbyists should not be considered as taking place in a business related context.

And apparently the author decided to ignore everything but "regularity of the supplies" and decided that a widely used product that makes regular releases is commercial activity. Sorry, but I'm absolutely not convinced. "Characteristics of the product" and "intentions of the supplier" is already very broad and you could easily argue that a non-commercial open-source project is, well, not classified as open-source according to the regulation.

The author also truncated the paragraph about open source from the regulation. Here it is in its entirety:

> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

It is absolutely clear that the EU has thought about open-source software and is intent on not harming the ecosystem with its regulation. But it is stating the obvious: if you write free, open-source software, but you charge for support, then yes, you're engaging in a commercial activity! You cannot have your cake and eat it too. You want to take money from EU consumers? Abide by the EU rules and ensure that the products you distribute comply with the regulations. You don't want to deal with that? Don't take the money. It's as simple as that.

Every single link to a reaction from a foundation or developer in this newsletter is in that vein: complaining that they want to continue taking money for support or a platform but avoid falling under the "commercial" category. That just doesn't work.

Sorry for the rant but I'm genuinely upset. The EU wants to protect me, an EU customer, from vendors who sell software or software support contract but don't take cybersecurity seriously. They've recognized that OSS is special and even went as far as making special exceptions for it - but without allowing loopholes where vendors hide behind open-source to avoid liability. And yet, what do we get? EU bashing. Because apparently the only good regulation is no regulation. I don't want to live in a libertarian hellhole. If you do, don't force it upon me, and abide by the local law if you want to do business with me.


> But it is stating the obvious: if you write free, open-source software, but you charge for support, then yes, you're engaging in a commercial activity! You cannot have your cake and eat it too.

It's the regulation which is trying to have its cake and eat it too.

There is a common model for open source development where you have a full-time project maintainer who is barely scraping by on donations and support contracts but these pay their salary, and then a large community that makes contributions. This works well because there is a lot of low-enjoyment and administrative work that needs to be done by someone but nobody wants to volunteer to do, but you can put this on a salaried employee and it makes the community possible.

Now if anyone does this they're put on the same footing as Samsung or Microsoft, which they don't have the resources for so they can't anymore. But they were the glue holding the rest of the community together, so the whole thing crumbles.


i think this is not relevant. if the maintainer is making money from support contracts he should be liable for those just as i am selling custom non-free software to my customers as a freelancer. do you think i have more resources than this maintainer?

if anything we need a carve-out for freelancers or even small companies. i mean, how is this supposed to work? if i sell support for software i didn't write, should i be liable for the whole of it?

on the other hand i see a potential positive effect too: commercial support is going to be more expensive. but i am not sure if it is possible to make that work without some kind of price limit below which the developer should not be liable.


This isn't even a problem of carve outs, it's just a bad design.

What you want here is something simple: Either the producer of the product provides security updates for as long as the product is in widespread use or they provide sufficient documentation and source code and such device access as is necessary for anyone to provide security updates.

That works for everyone. If you're still actively supporting a product you're fine. You can stop supporting it whenever you want, but then you have to let anyone else do it.

Producers of non-free software can stop supporting the product whenever they want by publishing the source code, or avoid publishing the source code for as long as they want by continuing to support the product. Open source developers will have satisfied the first option from the outset.


> The EU wants to protect me, an EU customer, from vendors who sell software or software support contract but don't take cybersecurity seriously

No, the EU wants to make it illegal for you to buy what you want and instead force you to buy what they want you to have, or buy nothing.

Never mind the clear adverse effects of this law on small developers, who will find it difficult and expensive to navigate the new rules. This law will be a boon to big, expensive software providers who can dedicate whole departments to bureaucratic compliance.


"The EU" is people I have voted for.


There are way too many layers between you and the decision makers. It's a straight up oligarchy.

People don't feel like the governments of their own countries are representing them, let alone ANOTHER super government organisation.

Most people don't even know the names of the EU representatives of their countries.

https://en.wikipedia.org/wiki/Democratic_legitimacy_of_the_E...

You can see proof of that in the increasingly lower number of people who even bother to vote.


I'm well aware of the EU's problems. But there's still a measure of democracy.

> Most people don't even know the names of the EU representatives of their countries.

Most people don't know the names of their government's ministers either.


I suppose one choice would be to separate any current open-source development company with support services into two independent parts. One part will continue developing the software, funded exclusively by donations. The other part will offer commercial support for the software and at the same time make generous donations to the developer part.

It could conceivably work in the consumer's favour assuming the commercial entity is at liberty to choose alternative software stacks for whatever problem the software solves; overlapping boards-of-management and vendor lock-in are the things to watch for.


which would be no different than me selling support for software i didn't write.


I would not call a world where software is less regulated than is proposed a "libertarian hellhole".


This is good.

I love Free Software (all my personal projects are released under GPL) but I'm appalled by the terrible quality of software in general (under Free, Open, or other licenses.) Not a day goes by when some bug or breach or crash makes the news, eh?

Speaking broadly (and setting aside art) software is either toys or industrial machinery.

If you're writing toys (or art) this legislation won't bother you. If you are writing industrial machinery then it behooves you to do it well, and this legislation seems like a very good step in that direction.

I mourn for my hobby, but it's worth it to be sidelined in favor of software produced by responsible parties.


I mourn for my hobby, but it's worth it to be sidelined in favor of software produced by responsible parties.

In other words, this will create even more barriers to entry that will further entrench giant companies who have the necessary armies of lawyers and security engineers.


Well, I think that soon most software will be written by machine, in something like Idris or Lean, and merely guided by humans via a linguistic interface.

With any luck, within a decade or two, the idea of buggy insecure software will be as anachronistic as baking one's own bread.


It will not. In fact, it might even create jobs and a better ecosystem for developers to work in. Good OSS will become commercial software, which will be upheld to a significantly higher standard.


No, jobs created will be with the entrenched companies, who will grow their monopoly over the software labor market and make the software ecosystem _worse_. Tackling legislation and compliance requires scale or money (to outsource the compliance work).

This WILL add barriers to entry for new companies.


Do you think that perhaps an increased need for compliance officers would create more compliance jobs, thereby creating jobs and reducing the scale and money required to tackle legislation and compliance?


Existing business will have to pay for those compliance officers, salaried or through outsourced work. It WILL require more scale. There is no reduction here.

In absolute terms, less time will be spent writing software and more time will be spent on compliance (which may be a good thing for traditional, corporate software!). But, it's not something your average open source developer is falling all over themselves to have anything to do with.


Well, it never has in the entire history of humanity, but sure, whatever.


So compliance officers don't exist, or am I misunderstanding what you're trying to say?


Two-person startups don't have a full-time compliance officer, so who do these economies of scale benefit?


That's interesting. Every startup I've ever worked at, the chief compliance officer & MLRO was one of the first 2-3 employees to get hired (as far as I can recall).


Wouldn't it be better if they could instead hire someone that adds actual value as one of their early employees rather than someone they need to fulfill some bureaucratic requirement?


Better for whom?


Customers who want resources spent on product improvements, or lower prices, rather than deadweight economic losses to regulatory overhead.


How would those same customers feel when the resources are spent on scamming them instead? That's why we have regulation in the first place


"Resources spent on scamming them instead" would be something like locking the customer out of doing their own firmware updates or refusing to publish documentation or source code in their possession for out-of-support products because it enables planned obsolescence. But regulations prohibiting such practices wouldn't see many objections from open source developers because they would be trivially satisfied by publishing the source code under widely used existing licenses.

Whereas providing you with every ability to do something yourself, or to pay any third party to do it for you, is not a scam just because they're not offering to do it for you without pay.


> "Resources spent on scamming them instead" would be something like locking the customer out of doing their own firmware updates or refusing to publish documentation or source code in their possession for out-of-support products because it enables planned obsolescence. But regulations prohibiting such practices wouldn't see many objections from open source developers because they would be trivially satisfied by publishing the source code under widely used existing licenses.

That's definitely a problem which should be fixed and is indeed currently being fixed by the EU via regulation.


Don't fall into the trap where "regulation" is treated as a monolithic thing which is either good or bad as a whole. It's the most motte and bailey thing in the world. Anyone can justify the government in prohibiting leaded gasoline, that doesn't tell you whether any unrelated proposal is any good.

Many, many of them legitimately are not.


Both for society and the company. You want more small companies to succeed in your society, they are the engine of growth after all. One way to help out is by reducing their bureaucratic burden. This is all well researched and well documented.


Are unregulated industries that much better for the society? Crypto doesn't seem to be too hot for the consumer right now


I don't want to waste my time on straw men arguments so I'm out.


I agree - unregulated crypto does take it to the extreme


> That's interesting. Every startup I've ever worked at, the chief compliance officer & mlro was one of the first 2-3 employees to get hired (as far as I can recall).

One of the employees is assigned the role in a jurisdiction where someone has to be assigned the role, because obviously. That doesn't mean it's their full time job -- how could it be, unless the compliance overhead has fully doubled the company's labor costs? All it is for them is more work, which only allows them to specialize less in each of the other things they have to do.


Nope - actual full time compliance officers. First thing those companies did was apply for regulatory permission.


So the compliance burden actually did fully double their labor costs, that seems bad?


Bad for whom?


Customers who don't want to pay high prices to abusive oligopolists, workers who could have gotten paid more or been able to work fewer hours for the same salary, taxpayers who would have received the tax on business profits instead spent on compliance costs.


"compliance" here means working software, right?

We have building codes and building inspectors and fewer buildings fall down that way.


Regulatory capture is a well-studied phenomenon.


I’m guessing you don’t really write anything meaningful if you are able to just call it a hobby and dismiss it. There are among us people like myself who dedicate large percentages of their lives to working on FOSS. I want nothing to do with government regulations and I suspect neither do my millions of users. How would the governments, who have shown they not only know nothing about cybersecurity, but actively work to undermine it all the time, help me with the security of my projects? Nobody can say, because, like all else the government does, it is simply theatre to make well meaning busybodies think the government cares. Meanwhile corrupt politicians in the government will surely further poison the law by figuring out how to enrich themselves by giving preferable treatment to the worst offenders (as usual). I don’t know why people don’t put on their heuristics hat more often when analyzing these things.


So government is broken and therefore shipping broken software to "millions of users" is okay?


Anyone else who makes any kind of product available for public use is held to some standards of responsibility and liability for any harm that it causes. Why should software be any different?


First, I have no idea what you are talking about. Bad open source software has never hurt me, best I can tell. Your claims seem farcical & laden with over importance.

Second, the level of entitlement in display here is revolting. Why do you think you are owed perfection?

Why do you imagine that software developers possibly could foresee every possible issue that might arise? How could they project & comprehend every way their library might be misused by another?

There's nothing less hackery than those so polarly demanding hard fast answers to alleviate & end the hackerly search for meaning. We must thrive with uncertainty, must learn, progress & advance, with eagerness & inquiry; to demand that we have only certain assured things is a sad folly of weak spirits. The ask is impossible; no creatures nor artifice on this earth are so perfect. Those who are close to the machine know that the fathomless depths of computing rapidly go beyond what any mind might imagine, and it is absurd & pompous, an insistence of those who don't get it at all, to demand everything be perfectly conceived & known.

We are still learning so many mysteries of the universe. Demanding that no more mysteries ever be created, demanding only certainty from here on out; that is so far askance from the bravery of what has risen up this species & what continues to improve it. We flourish by struggle, by going forwards, and letting progress be forever snubbed by fear is the enemy.


> Bad open source software has never hurt me, best I can tell.

You may not think so but here is a likely scenario: Some startup uses an open source library in their app. You install the app. It gathers some information about you. Due to weaknesses in the library, a data breach occurs. Your information is part of that.


Your opening paragraph seems so "farcical & laden with over importance" that I didn't bother to read the rest of your reply.

Good day.


Beggars can't be choosers.


> There is a reason why the open-source world has concerns: the legislation indirectly defines who is responsible for the security of open source and who should pay to improve the current state. In addition, it puts the responsibility on individual developers and foundations hosting open-source projects instead of the manufacturers of goods embedding the software.

Why is this a concern? If you are unable to produce high quality, safe software, then don't make it publicly available for use. If you make something publicly available for use, you should be liable for maintaining it and any damages that software causes due to bugs. No different than if I were to make some crappy fire extinguishers and hand them out to people for free. No different than if I were to build a little bridge over a river.


>Why is this a concern? If you are unable to produce high quality, safe software, then don't make it publicly available. If you make something publicly available, you should be liable for maintaining it and any damages that software causes due to bugs.

Don't blame me for not building the house to code, blame the guy who made my nails, fasteners, and lumber.

^this is what you're endorsing, because any failures generally occur at the stage wherein the End User is adapting the component to integrate into their own systems.

Responsibility falls on the composer of a system to deal with the composition's quirks. Anything that tries to put it up a layer is just trying to pass the buck. The Software Author has a particular case in mind. Yours is probably not it, but might become so. If it fits, go ahead and ship, if not, smooth it out. Nothing is stopping you but your unwillingness to wrangle the code.


> Don't blame me for not building the house to code, blame the guy who made my nails, fasteners, and lumber.

I'll blame you for using poor quality nails, fasteners and lumber.


Not what you said earlier

> If you make something publicly available for use, you should be liable for maintaining it and any damages that software causes due to bugs.


That does not mean the consumer (the builder) is absolved of any responsibility, nor does it mean that the product of the builder using the poor quality materials is of good quality itself.


"Quality" is relative. A hinge which is fine for a closet door may be unsuitable for a bank vault.


What about the gas stove that leaks gas? Or an electric one that has live connected to the case... Surely the user is responsible, not the manufacturer?


>What about the gas stove that leaks gas?

No modification whatsoever is intended to have to happen to integrate that particular package with the rest of a person's house. This is completely different to how most software works, whereby, with dynamically linked libraries, the actual implementations of particular symbols can be changed out from under the user at any time. Therefore, legally speaking, the demarcation of liability is far simpler to demonstrate/self-evident.

>Or electric one that have live connected to case...

Governed by electrical code.

>Surely the user is responsible not the manufacturer?

Technically yes, the user is ultimately responsible for final detection of, and escalation of, the defect. If you don't engage the legal process around a defective, non-compliant appliance, nothing happens/changes to fix it. The rest is implementation detail.


Libre software is more like plans to build a gas stove, and security bugs are more like it not having a safety control such that malicious visitors can leave on an unlit stove to fill your house with gas.

Also, let's be very clear here - software bugs aren't capable of causing much damage by themselves. If I set up a lone machine running a decades-old full-of-holes Linux distribution on a publicly accessible IP, the absolute worst that can happen is its bandwidth being used to create denials of service. It's those who create real-world reliances on inadequate software systems that deserve most of the blame for damages.


What a horrible statement. Who is ever certain? How certain are you? How willing to endure false claims are you, even if miraculously you have convinced yourself the work is flawless?

This is insulting beyond words. We think together with open source. Ideas are shared. The world iterates forward & we learn & improve, together. Saying we cannot open our mouths unless we have only the voices of the angels is a demonic silencing. Hard disagree.


> Who is ever certain? How certain are you? How willing to endure false claims are you, even if miraculously you have convinced yourself the work is flawless?

If you're not certain and unwilling to fight false claims, just don't publish it for public use. It's kind of that simple.

> We think together with open source. Ideas are shared. The world iterates forward & we learn & improve, together

Indeed. And we have, and continue to produce plenty of resources for that.

> This is insulting beyond words

My sincere apologies that I insulted you by stating you shouldn't be allowed to hand out home-made fire extinguishers to the public and expect no repercussions


I have the hardest time imagining what it would take to develop software we are certain of.

Developers of greatest talent are experts at finding doubts and potential weaknesses. They see accrued depth of complexity far beyond what the minds of simpler beings floating only on the surface of interface see. They can imagine all kinds of complex interactions. And they are never certain. That doubt is a doubt they work against, guard against as best they can, but live with.

It feels like such a ridiculous silly alien voice, such absurd naivety, to say, oh, just be certain. Just make it flawless. Whatever happens, it must be perfect. It's a juvenile fantasy, that only one ignorant to the complex nature of reality, unthinking of the combinatorial explosions of possibilities that happen as layers of systems & libraries intersect, unseeing of the absurd misuse by users of technology, that any and all difficulties could be conquered by just demanding someone making something make it perfect or never ever share it with the world, never allow users.


You're thinking in absolute terms. I think that might be the source of the disagreement.

I am not advocating that it should be illegal to publish OSS unless you can mathematically prove it is faultless. I am advocating that if you are going to publish software for public consumption you better be damn sure it won't cause harm, because you will be (should be) accountable for any harm caused.


This would eliminate the vast majority of non-monetized open source, because authors would be exposing themselves to unbounded liability with no upside. I'd have to take down all my apps and repos even though as far as I know they have never caused any harm. Maybe you consider that an acceptable tradeoff; I don't.


Would manufacturer of knives be liable for knife attacks? The world runs on limited liability.


No, as in that scenario the knife is not being used for its intended purpose


Your comment gave me a headache. To which address should I send the bill for this bottle of ibuprofen I used to treat it?


I welcome you to debate it.


The comment was the debate. Your comment (information, like software) created an externality on the reader which they would now like to bill you for.


Haha, you're right. It went right over my head.

I'd be happy to pay for their ibuprofen if they can prove the adverse effect my comment had, and if it continues having adverse effects, I'll make sure to take my comment down or improve its quality so as to stop causing the adverse effect.


Are you sure you're willing to do that? This website is read by hundreds of thousands of people. If even 1% of them have been adversely affected by your comment, you could be on the hook for thousands of dollars. And you've posted many other comments in this thread alone.


Yeah, it would be pretty bad for my wallet. Would make me reconsider posting low quality comments going forward, potentially increasing the quality of the forum long term.


Or cause it to shutter because nobody is willing to post comments for little or no compensation when it could cost them that much.


I'm sure there would be a few, high quality commenters whose risk appetite was sufficient for them to post high quality comments confidently


What if you still want the medium quality comments?

Publishing information has both externalized benefits and externalized costs, and we don't have a good way of internalizing the benefits or the costs, but if you only internalize the costs you're surely going to deter things that were net positive.

It's also assuming that the unrecoverable positive externalities correlate with the deterrent. But because they're unrecoverable, they wouldn't -- something with an enormous net benefit can be deterred by a small cost because the benefit was going to someone other than who pays the cost.


> What if you still want the medium quality comments?

That's a good question that I don't have a good answer to. I would encourage people to strive less towards publishing what they want to be "production ready" OSS, and direct the efforts more towards building smaller building blocks with clear indication it's not to be used in production and extensive documentation on what work needs to be done to productionize the software for given applications. These are just my immediate half-baked thoughts on that question. I had not considered that there might be a demand for medium quality software.

> Publishing information has both externalized benefits and externalized costs, and we don't have a good way of internalizing the benefits or the costs

That is an incredibly well formulated point. This raises some interesting thoughts that I'll need to mull over.

> if you only internalize the costs you're surely going to deter things that were net positive

I think that's fine, right? Unless you are demonstrably deterring a ridiculously outsized net positive, that's just the unfortunate cost of risk management.


> I would encourage people to strive less towards publishing what they want to be "production ready" OSS, and direct the efforts more towards building smaller building blocks with clear indication it's not to be used in production and extensive documentation on what work needs to be done to productionize the software for given applications.

This is the opposite of how it usually works, and there is a reason for that.

Having something that actually runs is when you start building a community. The crashy pile of garbage that only works 80% of the time will get people interested, because it does work 80% of the time, as opposed to 0% of the time for the most well-tested and documented component that can't be used for anything because the rest of the system hasn't been built yet.

The early adopters knowingly put up with the flaws because the alternative is to wait until it's finished, and they choose not to. And then they make contributions and make it better, which is the only way it ever gets finished.

For the same reason there is no clean demarcation between "in development" and "production ready" -- people will be using the "in development" version in production as soon as it suits them regardless of what you tell them. And the people who do that knowingly do everyone else a favor by polishing the rough edges. The better the code gets, the more people use it, the more contributors you have making it better. It's not a line, it's a spectrum.

> I think that's fine, right? Unless you are demonstrably deterring a ridiculously outsized net positive, that's just the unfortunate cost of risk management.

That's exactly what happens with software, because the externalized benefits have unlimited scale. It's a serious problem even before this -- there are many open source projects with only one full-time maintainer, or only a part-time maintainer, that are used on a billion devices by everybody in the world.


> I'd be happy to pay for their ibuprofen if they can prove the adverse effect

But that is not what this regulation would have you do. It would require you to actively monitor your HN comments for adverse effects and proactively publish up-to-date fixes and disclaimers on how to avoid those negative outcomes. The affected parties don't need to prove harm, they only need to prove that you failed in your support/maintenance duty.


I appreciate your comment, but that's not really what's being discussed in this particular thread.


If the bar is that high it would have a pretty chilling effect on education and the sort of grassroots experimentation that fuels innovation. I should be able to say 'don't use this for anything serious, it's a toy', and not be liable if you choose to link it into your avionics software anyways.


I'll amend my comment as it seems to have confused a few folk on the meaning of "public".

Yes you should be able to say "don't use this", "for education purposes only", "this is a demonstration", etc.


Well there's already a statement in almost every open source license saying there is no warranty or expectation that it works at all, but sure let's tack on 'for education purposes only'.

It'd be the same result as California's law leading to 'this may cause cancer' printed on so many items no one even cares any more.


You mean, something like this?

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


No - I mean something like a banner at the top of the README or at the homepage of the documentation that states, as boldly as feasible, something along the lines of "THIS IS A PROOF OF CONCEPT/DEMO/FOR EDUCATION PURPOSES ONLY SOFTWARE THAT SHOULD NOT BE USED IN PRODUCTION"


I'll amend mine to seriously endorse the idea that there should be a software supply chain that is verified to the degree that's possible and should hold liability, and ramps from world A to world B. This idea that you can hoover up a bunch of slop from the internet, sell it, and not be responsible in any way is really the problem here.


Fully agree


Whether or not my software is of quality is none of your business. I’m allowed to say “no guarantees”. It’s not your right to force me to provide you a guarantee. Force is only justified in response to force, and nobody forces you to use open source software.


You misunderstood my comment. I am not suggesting that you be forced to provide guarantees.


By defending this legislation you are.


No. I am suggesting that you should not be producing goods for public consumption unless you are able to provide guarantees.

No one's going to force you to provide guarantees for goods you did not produce.


Are you suggesting it or saying it should be illegal? Again, by defending these laws you want it to be forced.

I never said anything about software I didn’t produce, should I interpret this as you agreeing that you will force me to provide guarantees for open source software I do make?


> should I interpret this as you agreeing that you will force me to provide guarantees for open source software I do make?

Yes. However, the way you use the term "force me", at least to me, implies an unjust enforcement of a law, post-publishing that was not made clear pre-publishing.


It’s unjust if you believe force is only justified in response to force, which you do not. Glad we cleared that up.


You seem very intent on labelling legal obligations as being forced to do something. That, at least to me, is a clear mischaracterization of the issue at hand.


I'm starting to believe that "no guarantees" should be explicitly banned. You release software, you should guarantee it.


Would you like to propose a method for guaranteeing your software is bug free?


The proposed law does not require software to be bug free.


For what use case?


Every reasonably viable use case.


This is entirely divorced from reality, then. You'd have to make the code resilient to failure modes specific to operating environments you're entirely unaware of while authoring the code. E.g. someone takes your code and cross-compiles it for use as part of one of several daemons running in an embedded system on an architecture you never tested on, and it leaks memory in that environment due to how the OS allocates memory there. I'm not thrilled with this example I just made up, but I hope it captures the distinction between writing an algorithm and deploying a full solution into a known environment.

The idea that software engineers can 'guarantee' against this is fantasy and precisely what integration testing is for. It has to be the case that those who deploy the code take responsibility for its behavior, not the original authors, since only those deploying have the full picture of the system.


But software is extremely complex. A fire extinguisher is something like a million times less complicated than even a moderate sized program.

Legislation like this is missing the real problem. Reminds me of when legislators tried to redefine Pi to be exactly 3.

