That seems like a false-dichotomy between two extremes when there's all sorts of space in the middle... It's also assuming developer-to-developer tools would have the same rules and exposure as in service-to-consumer.
If I sell a physical motor (let alone plans for one) I'll have some liability for things like it Not Exploding. If someone buys a dozen of those motors to assemble a tragically unsafe "rollercoaster" of their own design and construction, I'm almost certainly not responsible for any terrifying decapitations.
In other words, most of the world already does not rely on the issuance of "Get Out Of Infinite Liability Free" cards.
Exactly this. (and it is a false dichotomy to argue infinite liability).
To Terr_'s point, if you were publishing open source you would also publish exactly the things you intended it to be used for and anything else would violate your warranty (possibly implied) that it does what the documentation says it does.
There is a huge amount of tort law that covers exactly when it becomes a problem for you the creator vs you the user in your own project. And that liability is also based on once you know something bad could happen you make an effort to notify people[1].
Software can be copied infinitely, so even $1 of liability is effectively infinite since an unlimited number of people can potentially use it and sue you when it blows up.
Nobody's going to be distributing software on the internet for free if the cost of insurance alone precludes that.
This is not how liability works, anywhere. So I write a piece of code that "makes your screen do cool things" and it causes the power supply to fail on those screens. Someone reports that bug to me and I check it out and say "Oh, shit it does break power supplies." Then I immediately put a notice on and in the code that says "WARNING: This code will break the power supply of your monitor." And I put that warning in the repo. And if there is a Discord or a mailing list I tell everyone "Hey, this is important, if you run this code it can break your monitor."
Guess what, I'm not liable for the damage. Why? Because I immediately responded once I knew that it could, I made a good effort to warn people who might already have the code of the risk, and I made it clear in the code that this risk is there.
Ever wonder why you get a booklet of warnings when you buy a product with even really stupid things like "Don't clean with gasoline" warnings? That's because once you have discharged your duty to warn you are no longer liable for what happens if someone ignores your warning.
The flip side is also true, you cannot say in your product both "Hey this product does these cool things" and "We don't warrant the product to actually do anything." This is especially true if there is money involved (like your user paid you some $ for the product.) There is always an implied warranty that the thing will do what you say it will do, which exists as long as the user has heeded all your warnings.
I broadly agree with you but TBF to the earlier comment consider what would happen if a FOSS author did something wrong and was found to be liable. How about curl for example? That sees use in car infotainment systems among other things and cars can be pretty expensive and there sure are an awful lot of them. The point is that we should be able to accommodate someone pushing a hobby project to github under a permissive license while also imposing liability against developers in instances where money changes hands or where someone's work involves interacting with the physical world.
The EU CRA handles this by putting liability on someone who integrates FOSS into a product instead of someone who wrote it. Because it doesn't make sense to put liability for unforeseen downstream uses on someone who gave away something they made in their spare time. Now, if it was a virus, you're still liable for distributing a virus.
I realize this is drifting off topic, and happy to talk more in email (address in profile), in the interest of sharing a bit more, consider this statement you paraphrase:
"a FOSS author did something wrong and was found to be liable"
In fairness, I'm not sure the earlier commentator really understood what they were saying, at least not as far as legal liability is concerned.
The FOSS author simply wrote some code and shared it, right? That is their 'action'; can you think of ways that does direct harm, which is to say they published their code, and with nothing else happening someone got harmed? One way that can cause harm is the FOSS author publishes a trade secret[1] or access credentials of a third party. In both cases they could (and would) be sued by that third party. But absent that, I'm having a hard time coming up where simply the existence of most code causes someone else harm.
So to get to harm we have to add another person, that person somehow applies the code, and in that application harms another person. Our FOSS author might be sued as being contributory because the person who caused harm might not have done so if they didn't have access to the code. To prove that, the plaintiff would have to prove that the FOSS author knew that the code could cause harm if used in this way, and encouraged or otherwise abetted the person who did harm to use it in doing the harm. That can be a hard standard to reach[2].
In your car example, it would be challenging to prove that Daniel Stenberg wrote curl so that you could use it to brick car infotainment systems. But it would be easier to prove that a manufacturer that incorporated FOSS code and didn't check their system for risks like this should be found liable.
Liability accrues first to the party that did the action. Secondary liability can reach out to suppliers[3] of things used in that action. This is also civil law rather than criminal law and so it works a bit differently in terms of evidence standards and penalties.
[1] We can make a joke here about badly formatted code, but hopefully we're in agreement so far. A real example was the DVD decoding software that included the key for decoding encrypted DVDs.
[2] Not that people might not try, it's too easy to sue. There have been cases where someone wrote some code that was later used in a weapon (an example might be Ardupilot software in drones used to kill Russians). But even in that case, the courts in the US at least have consistently found that if it is not the primary purpose of the software to do harm, then the author is not liable.
[3] Unless you're a gun company as gun companies have managed to keep themselves from being found liable for people using their guns to do harm. But there is also lots of interesting case law there too which might help inform.
There's a pattern I noticed, especially on this site, where people claim various VC/ad/tech dark patterns, enshittification, privacy violations, dishonest marketing, etc MUST be allowed, otherwise open source or 'the internet' will face some sort of existential risk.
No bro - open source and the internet existed long before SV tech parasitism did and will exist long after.
I don't disagree, that pattern exists, but it is essentially true. Just not in the way the folks saying it is true understand it. If the "VC/ad/tech dark patterns, enshittification, privacy violations, dishonest marketing, etc." wasn't allowed then their job might not exist. That can be true. What is missed is that if there is value in the thing, then it will exist.
When I reflect back to someone making this argument by saying, "So your argument is that you make your living as a pick pocket, but if pick pocketing is made to be illegal, you won't be able to make a living." Which of course would only be true if the only thing they could do was 'be a pick pocket'. It's a very common rhetorical technique to argue that the status quo cannot be changed. All the arguments that "you'll put all coal miners out of business if you require only green energy" And yet the people, the miners themselves, will likely be fine. The firms might not, but there are other firms that could exist.
This isn't a new problem, or one specific to this web site, although it does get disproportionately hit because so many technology companies saw what Google started in the 2000's and said, "Man there is soooo many ways to get money for this." rather than, "Is this a reasonable way to make money? Sure it is 'perfectly legal' but is it right? Is it moral?" The type of person who thinks that something is "Only illegal if you get caught" is neither moral nor particularly concerned about what is right. And we got a lot of that type.
The United States/Canada don't have a "loser pays" rule, so this exposes me to legal fees.
Right now, any lawsuit against me can be dismissed on summary judgement because even if my software causes harm, that's not a legal wrong to the extent I've disclaimed liability.
If you adopt any fact-specific standard for liability, that needs to be adjudicated in a trial. The legal fees alone would surpass the actual liability.
That creates huge leverage for the party with more resources. That kills hobbyist open-source development, since if your project takes off but a large enterprise finds it defective, they can threaten to sue you to enforce the "warranty" you were required to give.
> That kills hobbyist open-source development, since if your project takes off but a large enterprise finds it defective, they can threaten to sue you to enforce the "warranty" you were required to give.
I think you're assuming some kind of worst-possible outcome that hasn't been proposed and is unlikely to be enacted. To quote from earlier in the thread: "Disallow disclaiming liability on software used in a product."
I don't think that changes your hobby work on a rational-math library or an MVC framework or whatever, since you aren't making a business out of it. It will affect that large enterprise if they roll out their new product "Yearning 4 Mines: Gatcha Gig-work For Kids."
If I sell a physical motor (let alone plans for one) I'll have some liability for things like it Not Exploding. If someone buys a dozen of those motors to assemble a tragically unsafe "rollercoaster" of their own design and construction, I'm almost certainly not responsible for any terrifying decapitations.
In other words, most of the world already does not rely on the issuance of "Get Out Of Infinite Liability Free" cards.