[woodrow]

The author seems particularly hung up on the legal implications and consequences of being an open source contributor or project maintainer: "not all legal consequences can be waived", "distance to the legal system", "the real world legal consequences are then stuck with me", etc. It would benefit us all for the author to be specific about these if they are indeed real, as to my knowledge these are mostly FUD.

There are certainly negative aspects to being an open source project maintainer [1] but being legally liable for code offered as-is that you did not author, or being droned by a foreign military intelligence service for accepting a backdoor contribution are not it.

[1] https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/

[the_mitsuhiko]

There are definitely real world consequences of security or licensing issues in Open Source libraries. They are not always that someone will sue you but they are not necessarily any more pleasant.

[nindalf]

Perhaps you should speak more about those consequences you’re afraid of?

Take the xz incident from this weekend. No one is crucifying the maintainer who gave Jia Tan commiter rights. No one is prosecuting or persecuting them. Everyone understands that they were under stress. I’m yet to see a single negative thing even been written about them.

The legal consequences you fear feel more imagined than real. As long as you do the best you can with the knowledge you have, no one is taking you to court or putting you in jail over it. I know people online don’t take the No Warranty clause statement seriously when they demand support, but a court definitely will.

At worst someone may come and ask you “is Jia Tan your alter ego?” And leave when they realise its obviously not.

But if you’re arguing that you’re risking reputational harm, where you might get a rep as “the guy who lgtm-d the backdoor PR without reviewing closely”, yeah that’s possible. And it’s a reasonable fear. That’s a risk you’re taking when most of the reward is to society benefiting from your work.

[the_mitsuhiko]

> Perhaps you should speak more about those consequences you’re afraid of?

I'm not particular fearful of anything. It's an observation of a cultural change that I perceive. I'm facing many more interactions with throwaway accounts, individuals that have no desire to establish a reputation etc. It changes the way you communicate in subtle ways, there is less of a believe that you will run into some of those folks at conferences or they would not disclose themselves.

The legal elements of that are largely hypothetical since most folks will statistically not be involved with a lawsuit. However the legal underpinnings are largely what enables Open Source, so we cannot completely be blind to this. At the same time it's also clear that we care less about this as a whole. While it was once much more commonplace to verify authors, to vet licenses and contributors, that's clearly something that even established projects do less of. I have no idea what this means, but it seems like it's a shift nonetheless.

The practical implications are much more obvious. The creator of xz also suffered inconveniences despite not being the perpetrator when GitHub restricted their account.

> I know people online don’t take the No Warranty clause statement seriously when they demand support, but a court definitely will.

That's not entirely clear. At some point even writing code can become a legal matter and plenty of software engineers who were charged and convicted under wire-fraud charges are there to tell a story. Mind you, many of those things were outright obvious malice, but we don't know for sure where such lines are drawn for sure.

[nindalf]

> many of those things were outright obvious malice

Yeah, exactly what I'm saying. As long as you put software out there in good faith, you won't be convicted of wire fraud. So just ... don't be malicious I guess? That seems like a low bar that all of us can clear.

> While it was once much more commonplace ... to vet licenses

I don't know why we need to vet licenses? We've mostly come to a consensus. Most software is either MIT/Apache (anything goes), GPL (release your modified source as GPL) or some weird license masquerading as open source (hi Mongo and redis). We don't need more innovation in this space, we need less. And there's not much to discuss when almost all software is one of the first three licenses.

> legal underpinnings are largely what enables Open Source

I'd argue that if Open Source is continuing to be developed despite us not verifying identities, maybe it isn't necessary anymore? Maybe it was just something we did back in the day, but we don't need to anymore because the landscape has changed. It's possible what we actually needed was authentication - that this PR is actually coming from Armin and not someone masquerading as him. And Github provides that with its username, password and 2FA.

As long as there's no account level hacking involved and I know the person who submitted this change is the same the one I think they are, that gives me a lot of confidence. At that point it doesn't matter if the change came from Armin (who I've never had the pleasure of meeting), or Asahi Lina (who I never will meet).