zlacker

[parent] [thread] 18 comments
1. within+(OP) 2023-12-29 18:33:31
FINALLY. This industry needs some regulation...

I'm mostly curious what that means for something like the MIT license... For those who need a refresher, this is the part I mean.

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

replies(3): >>paulgb+M >>inetkn+E1 >>rstuar+PK3
2. paulgb+M 2023-12-29 18:38:06
>>within+(OP)
> This industry needs some regulation

Are there cases of open source projects being careless or negligent that have caused harm that this would address? Aside from some unintentional vulnerabilities that have been found, it’s hard for me to think of an example that would necessitate more regulation.

replies(1): >>within+j1
3. within+j1 2023-12-29 18:40:33
>>paulgb+M
I can think of exactly one rather popular one: left-pad.

The author should have been liable for the damage they caused. The industry regulated itself, but that is a case I can think of that was specifically caused by negligence.

replies(4): >>sevagh+S1 >>rwj+K2 >>d_tr+J6 >>hcrean+oG
4. inetkn+E1 2023-12-29 18:41:56
>>within+(OP)
> This industry needs some regulation

I concur, but I don't agree this is in the right direction.

> I'm mostly curious what that means for something like the MIT license

I think the article addressed that. Let me quote it for you:

> Today you can license-away that liability by putting the onus on the user to accept the risk, since bugs happen and hackers hack. Not your fault, you did your best, and you told the user that upfront. My read of the emerging regime changes that. It forces you to prove your code wasn’t the cause of the harm – “strict liability” in legal circles. Products like cars often get regulated this way. Essentially, the carmaker is at fault when something goes wrong unless they can prove they’re not.

> A license like the one Apache provides won’t help, since state-imposed strict liability isn’t a harm that can be licensed away by private actors.

If strict liability isn't a harm that can be licensed away by private actors then the last sentence you quoted couldn't be enforced:

> IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

replies(1): >>within+g2
5. sevagh+S1 2023-12-29 18:42:44
>>within+j1
Npm Inc. is the only party liable for left-pad.
replies(1): >>within+G2
6. within+g2 2023-12-29 18:44:11
>>inetkn+E1
Ah thanks, it wasn't explicit that this was what it was referring to and was ambiguous (at least to me).
7. within+G2 2023-12-29 18:45:45
>>sevagh+S1
NPM wasn't the one who pushed the "delete project" button, knowing full well what would happen.
replies(1): >>d_tr+K7
8. rwj+K2 2023-12-29 18:46:09
>>within+j1
Except that all the people using left-pad weren't paying for left-pad, and didn't have a contractual relationship with the author. IANAL, but I'm doubtful the courts would find there is enough of a relationship for the author to be liable.
replies(1): >>within+F3
9. within+F3 2023-12-29 18:50:01
>>rwj+K2
That is what new laws are for.
replies(1): >>mjr00+u5
10. mjr00+u5 2023-12-29 18:58:13
>>within+F3
No, they aren't. Even in the most liberal interpretation of the new laws, there's nothing specifying that you need to continue making your open-source package continually and indefinitely available.
replies(1): >>within+l7
11. d_tr+J6 2023-12-29 19:04:45
>>within+j1
This is a very dangerous line of thought, and frankly, appalling.
replies(1): >>within+l9
12. within+l7 2023-12-29 19:08:23
>>mjr00+u5
I don't mean THESE new laws, just new laws in general.

> nothing specifying that you need to continue making your open-source package continually and indefinitely available.

There's a difference between making it available, and deliberately causing harm and untold productivity loss in a single day. This was a case of the latter.

replies(1): >>mjr00+Zm
13. d_tr+K7 2023-12-29 19:10:52
>>within+G2
You knew all this before you decided to use it. Next time make better calls instead of blindly pulling shit like an idiot.
replies(1): >>within+Q8
14. within+Q8 2023-12-29 19:18:10
>>d_tr+K7
I never used it; I just knew about the situation and used it as an example.
15. within+l9 2023-12-29 19:20:23
>>d_tr+J6
How is holding people responsible for their actions "dangerous" or "appalling?"
16. mjr00+Zm 2023-12-29 20:38:00
>>within+l7
Someone deleted a publicly accessible file off the internet, and it broke workflows of people with whom they have no existing contract. Good luck proving that was done to deliberately cause harm.
replies(1): >>within+vx
17. within+vx 2023-12-29 21:44:27
>>mjr00+Zm
In this case, they freely admitted to doing it with the intent to harm. A person slapping me in the face doesn’t have a contract with me, but they are still liable for that harm. This isn’t rocket science.
18. hcrean+oG 2023-12-29 22:46:24
>>within+j1
Left-pad is a very good case study.

For most of my early career (security focused), companies would download copies of packages for use; these would go through rigorous security scanning and vulnerability management processes before being included in a whitelist of internally approved tooling for product development. Licensing, regulatory compliance and international involvement in dependencies were reviewed at this stage.

In this type of environment, which is very good from a security perspective, it would be virtually impossible for the Left-pad removal to have the impact that it did. So the problem as I see it is not that the author of Left-pad did a naughty thing (he was well within his rights given the 'why' of it all); the problem is that generations of developers have been successfully trained to believe that all their assurance work has just magically been done for them. In many cases the modern ecosystems make it virtually impossible for them to verify and control packages themselves.

19. rstuar+PK3 2023-12-31 09:57:20
>>within+(OP)
As far as I can tell, whether you are liable has nothing to do with the licence, or whether the software is open source. Instead you must have gained revenue from someone (somehow, directly or indirectly) by providing the buggy software to them, and it must have harmed them. It's the same as getting a car with a defect. If you didn't buy it from them (e.g., it was a gift) then the giver isn't liable. Even if you did pay for it, if it's not too serious they may get away with it. But if you paid for a new car, and you died because of a defect in it, then the manufacturer has a problem.

So if someone downloaded the software from some public repository without consulting you (let alone paying you), it doesn't apply to you. I imagine that would be true if they downloaded a binary and there was no source available (so it's not open source), and it had some horrible proprietary licence that nonetheless let you use it for free.

But on the other hand, if you made them pay for some GPL'ed software and then made the source available on request as the GPL insists you must, then it does affect you despite it being open source. So really, open source and open source licences have nothing to do with it.

In fact, from what I can tell, part of the reason this law exists is to forbid shrink-wrap licences on paid software exempting the supplier from liability. The licence having no effect on the applicability of the law is a desired feature. If the consumer paid for it, it applies no matter what your licence says.

Why this wasn't always the case is what's odd here, not this attempt to fix it.
