by FatalLogic 3579 days ago
I haven't read much about this, so perhaps I'm not understanding clearly, but if the downloaded binary from Transmission's "website server" was replaced, then how is that not a compromise?

I genuinely feel for the developers, and I personally would not blame them if I were affected, but unless the data was intercepted en route from their server, then I think they have to accept some degree of responsibility for the whole delivery chain to the end user.


It was compromised, but wouldn't affect updates as the internal updater checks signatures.

(IIRC the first compromised version (not sure about the second) also had broken / no Mac OS codesigning, though I'm not sure how many people turn off / bypass gatekeeper).

Well, they do accept some kind of responsibility: it is spelled out clearly in the license what they accept, and you can choose whether you prefer the terms defined in GPL, or MIT (Transmission is dual-licensed).
Do you mind linking to that? Please quote the relevant part of the license if you have time.

I ask that because I think they'd be insane to accept responsibility.

I searched on their site, briefly, but I couldn't find this.

I haven't checked the MIT license, but the GPL 3.0 has this clause about liability limitation.

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

To me it sounds like it means whatever happens after you use our software, it's not our fault! Which sounds like a reasonable license for open source free software, to me.

Exactly that. They give you their work for free (as in freedom and also as in beer), so why would they accept anything more than a responsibility to provide you with the source and wish you good luck? If you want protection, you can buy commercial support for GPL-licensed software, if it exists for the software in question, or look for an insurance company to buy insurance against any calamity. Why would Transmission developers provide such a thing, and what's more, for free?