by yawaramin 2519 days ago
> just because you don't charge for it, doesn't mean you aren't providing an implied warranty and aren't taking implied liability.

Open source software is almost always distributed with a license that explicitly disavows any such warranty or liability. This is pretty widely understood...


Just because you put it in a license, doesn't mean it will hold up in court.

Example: I distribute a flashlight app. It contains an obfuscated bitcoin miner and a MITM that collects your login credentials. My license does not mention either of these things, but it does say there is no warranty or liability.

What do you think will happen if I am sued in court and/or charged with a crime?

You're talking about an app. I'm talking about open source software freely posted online. Let's apply some common sense here. What you said:

> if I am using this library as part of a shipping piece of software-as-a-service, and I am in the middle of shipping a new feature when suddenly things mysteriously crash...

> If I later discover that the crash was put there deliberately, I am going to call that malice, and malice that has directly impacted a functioning business and its customers.

Now what will happen if you take this library author to court? Let's ask some basic questions that the court might touch on:

* What was the harm caused by the software breakage? You were unable to ship new versions of your software to customers, resulting in reduced revenues.

* What general arrangement or expectation did you have with the library author? None; the library author distributed the library as open source and explicitly disavowed (in writing) any obligations to the library's users.

* What specific arrangement did you have with the library author? None; you don't know the author personally, and you never transacted with them, offered them any compensation, or made any other kind of business arrangement to provide you with the library.

* What evidence do you have that the author acted maliciously? Almost none: they acted erratically but did try to offer a reasonable non-malicious explanation.

I don't think any court in its right mind would find any substance in this case. If it did, every Tom, Dick, and Harry would start crawling out of the woodwork claiming some OSS had maliciously broken their code. It would quickly kill OSS. And not just that, the same principle would apply to any general publication, academic or industrial research, talks and lectures, etc. Society can't function that way.

What if the dev just publishes an update that removes the flashlight functionality? It isn't malware, it just doesn't work. I don't think you could sue the dev and win.