[dcbadacd]

The refund for the amount you paid for the library is on its way.

Once again I'm reminded about that sentence someone once said. With random open-source libraries you're dealing with something someone else put out there just because they wanted to, having any kinds of expectations that someone will or won't do something is seriously short-sighted and even pretentious. Do you go around running random .exe-s you find from the internet? Why do you do so with the dependencies for your projects and expect a better end result? You may not like to hear this but it's true.

There's two solutions here, either you start reviewing the libraries you use, every release, or sign a support contract that obliges the maintainer to do something you want.

[braythwayt]

You are not a lawyer, because if you were, you would be aware that there is case law establishing that just because you don't charge for it, doesn't mean you aren't providing an implied warranty and aren't taking implied liability.

There is absolutely zero chance that you can put malware into an open source project, give it away, and then when sued, stand up and say, "It was free, what do people expect?"

You can call me pretentious until night turns back into day, and maybe I am, but the thing we're discussing is a matter of law, and it there are nuänces above and beyond what random people on the Internet would like to believe about how giving software away works.

(edited to add a pretentious diæresis)

[yawaramin]

> just because you don't charge for it, doesn't mean you aren't providing an implied warranty and aren't taking implied liability.

Open source software is almost always distributed with a license that explicitly disavows any such warranty or liability. This is pretty widely understood...

[braythwayt]

Just because you put it in a license, doesn't mean it will hold up in court.

Example: I distribute a flashlight app. It contains an obfuscated bitcoin miner and a MITM that collects your login credentials. My license does not mention ether of these things, but it does say there is no warranty or liability.

What do you think will happen if I am sued in court and/or charged with a crime?

[yawaramin]

You're talking about an app. I'm talking about open source software freely posted online. Let's apply some common sense here. What you said:

> if I am using this library as part of a shipping piece of software-as-a-service, and I am in the middle of shipping a new feature when suddenly things mysteriously crash...

> If I later discover that the crash was put there deliberately, I am going to call that malice, and malice that has directly impacted a functioning business and its customers.

Now what will happen if you take this library author to court? Let's ask some basic questions that the court might touch on:

* What was the harm caused by the software breakage? You were unable to ship new versions of your software to customers, resulting in reduced revenues

* What general arrangement or expectation did you have with the library author? None, the library author distributed the library as open source and explicitly disavowed (in writing) any obligations to the library's users

* What specific arrangement did you have with the library author? None, you don't know the author personally and you never transacted with them, offered them any compensation, or any other kind of business arrangement to provide you with the library

* What evidence do you have that the author acted maliciously? Almost none–they acted erratically but did try to offer a reasonable non-malicious explanation

I don't think any court in its right mind would find any substance in this case. If it did, every Tom, Dick, and Harry would start crawling out of the woodwork claiming some OSS had maliciously broken their code. It would quickly kill OSS. And not just that, the same principle would apply to any general publication, academic or industrial research, talks and lectures, etc. Society can't function that way.

[dcbadacd]

What if the dev just publishes an update that removes the flashlight functionality? It isn't malware, it just doesn't work. I don't think you could sue the dev and win.

[dcbadacd]

I don't know how you believe laws work or what you hope to discuss but the reality is that in the case of software, laws offer deterrence and recourse to any malicious actions. It's absolutely stupid to take a repository by an anonymous person, execute it and hope it's not malicious or doesn't have any bugs. Not to mention there's nothing obliging that a piece of software has to be bug free, maintained - go and now determine if a bug that deleted your production data is malicious and if you have any recourse. I'd love to see any actual cases about software distribution causing damage that don't have anything to do with malware distribution.

[braythwayt]

You are arguinng a strawman. We are not discussing bugs or maintenance, we are discussing a person acting maliciously. Furthermore, you are talking about people being "stupid," which has no place in a discussion of whether a person giving away code has an obligation to not act maliciously.

Never in the history of the courts has a defendant's lawyer gotten up on his hind legs and intoned, "But your honour, the plaintiff was stupid," and had the case summarily dismissed.

Naturally, one can make arguments about what precautions the user of some software ought to reasonably be expected to perform to avoid harm.

I agree it may be prudent to assume that every maintainer is malicious and sits up all night trying to think of ways to put malware in your compiler, but I do not agree that this is going to be an effective defence in a court of law if you actually put malware in a piece of software that you give away.

Now please excuse me, I am about to audit every last line of code in Unix. I have no more time for exchanging pleasantries with you.

[dcbadacd]

You started the thread by saying that if you used a library that is broken by the maintainer you would call that malice. Things being broken is directly related to bugs and maintenance - detecting if and how a breakage is malice is the first problem in your arguments.

I'm also trying to tell you that your whole base premise is wrong, that even expecting some library to work or to keep working is too much (unless you apply one of the solutions I offered). Calling certain behaviors stupid absolutely has a place in a discussion about when people play with fire and then are surprised they get burnt, I think you deliberately missed my point that if you put yourself in danger you only have yourself to blame and most laws do care about that nuance. In the end the job and obligation of keeping the software you write secure is just as much on the person writing some libraries.

We can argue if x or y are effective defense in courts or not but as I said, that hasn't been tried out in the case of open-source software being broken. I also have to repeat that when you look at malicious software and changes in practice then the law applies retroactively and you have to deal with preemptive defense yourself - going back to my first point(s), you have to change the way you develop software instead of hoping what you randomly execute is good.

Hopefully you now understand what I'm trying to say to you better, English isn't my first language, sorry.

[braythwayt]

Perhaps there has been a language issue.

In this specific case, the code was written such that it deliberately broke installation for users. I consider that malicious. The “deliberately” is the important word here.

People make mistakes. Nobody wants this to happen, but my colleagues and I have sometimes pushed a bad deploy that broke our product, and we rushed to revert to a known good state.

That’s not malice, that’s (temporary) incompetence.

But if we deliberately broke something for our users, I would consider that malice.