skydhash a day ago

Poisoning is intent. If I leave a cup of some liquid with a clear warning that it has not been tested for being drinkable, I don’t think that I’m liable for you being poisoned when you go and drink it. Especially if I do not sell drinks. Of course, there are regulations about safety, but they are mostly about when you’re at risk of being harmed while I use my tools for myself. They’re not about you ignoring warning labels and getting harmed.

IANAL.

general1465 a day ago | parent [-]

You can get poisoned unintentionally, as it happens in supply chain attacks.

doubled112 a day ago | parent [-]

A supply chain attack would be intentional, just not intentional by the creator.

If I mix some E. coli into your drink mix, I did this on purpose. You just don’t know it until it is too late.

Are you liable for allowing this to happen?

general1465 16 hours ago | parent [-]

You screw up by poisoning me. However, if I sell that drink to somebody else, then I will be on the hook for poisoning them.

skydhash 15 hours ago | parent [-]

No one is selling anything. A lot of OSS projects don't even distribute binaries, only code tarballs. If the risks are substantial enough for you to worry about, you take the source code and review it. Then you run it if it's satisfactory.

Let's take npm. The postinstall scripts and auto fetching of dependencies have always been seen as problematic. So plenty of warnings beforehand, but people chose convenience over security.

Debian's package management has the same feature (postinstall scripts and dependency management). But the risks are lower, mostly because your main targets would be a core group of committers, which I'd like to believe is more conscious about security risks. And there's a lot of review before binaries are built and made available in a stable version. And I'd also like to believe popular packages like nginx, curl, coreutils, postgresql, ... have a lot more eyeballs on them.

general1465 15 hours ago | parent [-]

You don't need to sell it; you can give it away on the corner of the street, same problem.