That's a poor analogy. Rails has always had "here's a sharp knife; be careful with it, but you're an adult so use it how you will" philosophy. So Rails comes with recommendations for use, but not mandates.
> AFAIK if you take open source software, provided without liability, and use it commercially then you take the liability for that product, since you can't shift it to the creator, since they're volunteering for free.
That is incorrect per my understanding. If that open source org offers, e.g., paid support, they likely have liability, at least in the EU. Now they're probably, practically speaking, judgement proof. But they do have liability. See [1].
Okay, but then they're selling a product, not volunteering. And the law is that people who sell software can be liable for that software. Which makes sense. This is how every other product on the market works.
Note that "can be liable" does not mean "will pay so much money they go bankrupt". It just means that normal liability rules will apply and that person is not shielded from liability. If I sold you a broken car saying it was in perfect order, I may be liable, but if I can prove a mechanic told me it was in perfect order and I didn't break it after that, I may be able to transfer my liability to them. Now, if because the car was faulty, you crashed into a children's picnic, your car exploded into flames and killed an entire orphanage, I or the mechanic may still go bankrupt paying their medical bills...
"Selling" a product for $0 is an insane twisting of English and common sense.
And something now that only idiots do. And the reason no physical world analogies apply in the slightest is even if you give away (not sell) a car or some other physical possession, you don't sell a million copies and incur liability across a million users. For that same $0 cost. While that free download incurs effectively unbounded liability.
If I give away free cookies I baked just to feed people and they develop minor food poisoning, I may be shielded by the fact I was volunteering in good faith. If I give away free cookies with the logo of some big event to advertise that event, now it's commercial and I may be liable for the cookies because I'm backed by the money of that big event and should have been held to a higher standard.
The idea that selling one thing, ever, creates a financial obligation to anyone, ever, who downloads something for free is abject nonsense. And again, would lead anyone rational to wholesale blocking the UK or EU.
> But if you have some kind of agreement with an organization to develop or maintain open source software specific for that organization, that could count as commercial interaction.
I think that's the risk. It's not clear what counts as a commercial interaction. E.g., I built a lib used for data analysis of bio samples. I have occasionally done some consulting for users, but nothing in over a decade. Does that count as commercial interaction? It's unclear to me. I'm considering deleting the open source and/or updating the license to ban the EU.
Like obviously this is a very low probability risk, but I don't care to take any risks for something that I give away for free :shrug:
Separately, the idea that I have to have a security policy or any other thing; I decline.
I understand your worries as they were one of my reasons to join these government organized briefings.
It seems very unlikely that such a lib in itself has any cyber security risk as long as it itself does not query an external database through a network connection.
The users of the lib have to assess that it has no security risk.
Did you sign any formal agreement with the users of the lib? Is there still any obligation on your side with respect to the lib?
If you would discover some security issue, like a buffer overrun, would you fix it? Then just mentioning it would be enough. The users of the lib bear the greatest responsibility. They have to regularly check your lib for security problems.
> It seems very unlikely that such a lib in itself has any cyber security risk as long as it itself does not query an external database through a network connection.
It almost certainly has tons, because it was not designed to read attacker-controlled images or data files. If someone uses it in that manner, I would be absolutely shocked if it doesn't. The testing suite focuses exclusively on correctness and speed.
> If you would discover some security issue, like a buffer overrun, would you fix it?
No. I don't use this work; I no longer work in science; etc. It's just a gift to other people of several years of work and a ton of time in vtune making it go fast.
Because that makes Kevin a manufacturer and thus subject to liability for a product that he gives away for free, which is a ludicrous proposition. And would lead anyone rational to ban all UK downloads, because you can't put your personal finances at risk to give someone free software.
Oh right. I had the opposite uncertainty, in that I presumed distributing source code counts as manufacturing with no distinction between the two. So you have to put it through a compiler to make it go, so what, same difference. (And what about bytecode and JIT and other gray areas?)
The only legislative changes we've gotten recently were actively designed to screw startups (thank the Republicans for Section 174 and a bunch of layoffs), so don't hold your breath.
> I also think the lack of options on limiting max billing for flexible services is pretty reasonable actually.
It's really scummy. There's no reason not to allow me to set, e.g., a 5-10x normal spend hard limit where they shut things off. For things like lambdas with accidental recursion (stop lambdaing), someone using your bandwidth to serve files (stop serving), a bug in your Athena scripts that downloads a far broader date range than expected (stop all Athena), etc.
FYI, that's because (from experience) the last job req I publicly posted generated almost 450 responses, and (quite generously) over a third were simply not relevant. It was for a full-stack Rails eng. Here, I'm not even including people whose experience was Django or even React; I mean people with no web experience at all, or who were not in the time zone requested. Another 20% or so were nowhere near the experience level (senior) requested either.
The price of people bulk applying with no thought is I have to bulk filter.
So you allow yourself to use AI in order to save time, but we have to put up with the shit[1] companies make up? That's good, it's for the best if I don't work for a company that thinks so lowly of its potential candidates.
[1]: Including but not limited to: having to manually fill a web form because the system couldn't correctly parse a CV; take-home coding challenges; studying for LeetCode interviews; sending a perfectly worded, boot-licking cover letter.