I'm mostly curious what that means for something like the MIT license... For those who need a refresher, this is the part I mean.
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Are there cases of open source projects being careless or negligent that have caused harm that this would address? Aside from some unintentional vulnerabilities that have been found, it’s hard for me to think of an example that would necessitate more regulation.
The author should have been liable for the damage they caused. The industry regulated itself, but that is a case I can think of that was specifically caused by negligence.
For most of my early career (security focused), companies would download copies of packages for use, and those packages would go through a rigorous security scanning and vulnerability management process before being included in a whitelist of internally approved tooling for product dev. Licensing, regulatory compliance and international involvement in dependencies were reviewed at this stage.
In this type of environment, which is very good from a security perspective, it would be virtually impossible for the Left-pad removal to have had the impact that it did. So the problem as I see it is not that the author of Left-pad did a naughty thing (he was well within his rights given the 'why' of it all); the problem is that generations of developers have been successfully trained to believe that all their assurance work has just magically been done for them: in many cases the modern ecosystems make it virtually impossible for them to verify and control packages themselves.