by cm277 803 days ago
I think the 'easy' answer is liability, same as it is for any other complex human engineering achievement. Liability though would mean at the very least allowing commit access to only identified individuals and companies that are willing to pay for insurance coverage (to gain commit access).

This would probably ruffle too many feathers from the GNU old-timers, but I really don't see any other option. We are way past the tinkering-in-the-basement days of Linux/BSD hackers when most of us just wanted a cheap Unix box to play around with or to avoid Windows. A massive percentage of the civilian (and other) infrastructure is built on the shoulders of unpaid hobbyists. There is already massive liability at the social and corporate level. Time to deal with it.

EDIT: Ok, sounds like I have to describe this better: 1) you (governments) force commercial providers to assume liability for security issues and exploits and force disclosure, etc., 2) their insurance premiums go up, 3) to reduce premiums they only use checked/secured software, 4) that means maintainers of at least the critical pieces of software get paid via the (new) channel of risk reduction. Doesn't apply to all OSS, doesn't even apply to all distros. But it creates an audit trail and potentially actual compensation for maintainers.


Sounds like a good way to kill off open source entirely. This is luckily unlikely to happen.

As for throwing money at the maintainers, honestly, it’s complicated. A lot of people aren’t doing open source work for the money. Money too often comes with strings, requirements to prioritize what the funder wants to prioritize, pressure to perform consistently, it becomes an actual job.

Not only does this turn off a lot of the types of folks who make the best contributions to these projects, but it bends the priorities toward what would make the most money for the funder. And as this article points out, real security investments often fall by the wayside when profit is involved.

So yes, companies should encourage their workers to contribute to these projects, donate money to the foundations that fund them, hire important maintainers and give them carte blanche to work on open source. But we have to be careful. Making it all completely transactional is directly contradictory to what drives a lot of the contributions.

Given the level of age discrimination in software engineering, maybe we should add a stipend to the pension plans of retired developers who work on open-source projects.

Yes, the devil is in the details, but I think the basic concept is worth exploring.

At least two of the maintainers of the framework I originally authored (and is now being maintained by a team, and used worldwide), are retired engineers. They are outstanding engineers, with great pedigrees, and bring real technical leadership to the project.

In that particular project, we're all just Paying It Back (not forward), but other projects could likely benefit from the participation of Grumpy Old Farts.

We are not talking about all of open source here; there are crucial bits of code and less crucial bits of code. LZ/OpenSSH was obviously in the first category. How do you determine which ones are more critical? Same as you would for a bridge or a plane: by risk, impact, etc. That's basically liability.

And obviously a non-insured piece of code that assumes no liability whatsoever can still be free and maintained via IRC, same as it ever was. I don't see how this "kills all open source".

Companies and in fact everyone has the choice to NOT use software that comes without warranty. But, of course, the cost difference will be astronomical. Alternatively companies and everyone have the choice to inspect open source software for security problems BEFORE use. Of course, astronomical cost.

This is an attempt to shift costs onto open source developers. Which, aside from being totally unjust, won't work. There's a legal expression "you can't squeeze blood out of a stone". Shifting costs onto people that can't carry those costs doesn't work for the same reason supporting a skyscraper with a toothpick doesn't work. The toothpick breaks, and when the skyscraper lies collapsed on the floor, nobody blames the toothpick. Hell, they might say the toothpick was heroic: trying to save the situation, sacrificing itself, screaming, and when nobody helped, not the government, not the owners, not ... the building collapsed and all the damage was done.

But it's even more stupid than just that. As soon as this gets introduced and some company makes a security fix, they of course, for GPL or AGPL software, have to release their fixes. This will then make them liable for any other security problems in that same software. After all, they'll be the last ones releasing that software after the government implemented this law.

So how will you even do this, without making software fixes effectively illegal? Achieving the exact opposite of what such a law tries to achieve ... But of course, you can't have this discussion with people just looking to keep "their" free stuff but trying to shift the rest of the costs.

> Sounds like a good way to kill off open source entirely. This is luckily unlikely to happen.

It has already happened in the EU CRA, i.e. the law has passed. Implementation details are still being negotiated.

https://hn.algolia.com/?query=cyber%20resilience

That only covers for profit software.
Scope fine print details are still being negotiated.

Second HN story from the link above, Dec 2023, https://news.ycombinator.com/item?id=38787005

  The Debian project has completed a general-resolution vote, adopting a statement expressing concern about the Cyber Resilience Act (CRA) pending in the European Union.

  Even if only "commercial activities" are in the scope of CRA, the Free Software community - and as a consequence, everybody - will lose a lot of small projects. CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work. If accepted as it is, CRA will undermine not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneur.
Yes, other stuff happened since then.
I wouldn't mind receiving insurance coverage (and the background check required to support it) IF YOU PAID ME TO DO SO!

But we (mostly) don't even pay open source developers to write the code ... who is offering to pay them for this insurance?

Besides, this was a highly sophisticated actor. Someone willing to create several layers of loaders and invest large amounts of time into getting xz excluded from certain checks. Anyone with such sophisticated spycraft could have fooled the insurance companies also.

Expecting liability coverage for source code people publish for free on their own time has very strong implications on free speech, freedom of arts, and freedom of science. I don’t think this is possible in a liberal society.

On the other hand, you can already buy software, where the vendor takes some kind of liability: just buy Windows, AIX, or one of the commercial Linux offerings. Same for software libraries: there are commercial offerings that come with (limited) liability from the vendor. It’s even possible to create software to stronger standards. But outside of some very specific industries (aerospace, automotive, nuclear, defense, …) there doesn’t seem to be a market for that.

If you apply this system to software all progress will halt.

We’d still be using MS-DOS.

This is an easy way that will achieve the goal of completely killing free software, destroying the entire software industry in the process.

I contribute stuff for fun, for free. Now I also have to PAY to do that??? Plus anyone can just steal my identity… I have to show my ID every time I sleep at a hotel. Hundreds of people have a copy of my id and could use it to open an account in my name online…

Do you guys ever read what you write? Did you stop to think about it for more than 0.3 seconds?

I actually meant quite the opposite: that contribution should be paid. Yes, it would have to be ring-fenced so that society and the ecosystem would know who contributes what. That would also mean though that someone assumes liability for a piece of code; when you do that, you add value (economic, not just source-code) and thus you should / have to be paid -- by whom? The hundreds of commercial companies that use your code and whose liability you are reducing.
But every piece of software is legally held warrantless - no warranty is the heart of the Microsoft, Oracle and GPL licenses.

Yes, I know the stories of "insurance made steam boilers safer". And it's true. But it also stopped innovation in the space before Charles Parsons came along and ignored the whole thing (military industrial aristocracy).

I think the answer sits somewhere in “have less stuff”.

We have millions of lines of code in all walks of life and I swear we are orders of magnitude over-engineered in almost all cases.

If you work for a large company, try counting how many different ETL solutions exist, CSV uploaders, data lakes, warehouses and so on.

Then imagine having one library to do it.

Somehow we need to get there for … everything

Agreed, and I don't believe "no warranty" can last that much longer, or in fact should. It was encouraged back in the day when all this computer stuff was new and either walled off in unis or enterprises or in hobbyists' basements. But the real risk now is in the interconnections; the potential impact is orders of magnitude larger.

The closest metaphor is cars, I think. And yes, you can argue that innovation in cars has slowed down, but also a 'minimum floor' of safety and efficiency forced by governments and insurers has made new entrants more likely. I.e. you shouldn't need to only trust Oracle or SAP with your business, because then, erm, you'd have exactly the current situation in enterprise software...

> Agreed, and I don't believe "no warranty" can last that much longer, or in fact should. It was encouraged back in the day when all this computer stuff was new and either walled off in unis or enterprises or in hobbyists' basements. But the real risk now is in the interconnections; the potential impact is orders of magnitude larger.

Ok, I can blow your mind.

You can start your own software projects and offer them with warranty. And people can join you, if they want.

And they will not want :D Not unless significant income is balancing the significant risk.

Certainly not for a few € of donations.

Why wouldn't people keep making open source, say "hey, no warranty!", while companies that use it in "load-bearing contexts" have to assume liability for their choices, assuming someone enforces that?

Isn't that pretty much the way the world works now? What needs to be fixed?