> The moment a group says “use our stuff for critical projects” they take on some baseline level of responsibility for making things secure

Every popular open-source license explicitly states that exactly the opposite is true:

Apache license: "Licensor provides the Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND"

GPL v2: "THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND"

Mozilla license: "Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character"

BSD license (both 2 and 3 clause versions): "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES"

MIT license: "THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND"

You are and have always been on your own when using open-source software. Nobody owes you anything.

▲

anon7000 a day ago | parent | next [-]

For one, there is a limit to how much licenses absolve you from responsibility — like, you can’t say “eat my food, by doing so you accept responsibility” and turns out it’s poisoned. It’s still possible to go after the food producer.

I know that doesn’t apply 1:1 to software, but the point is less about individual OSS projects and more about the hosted service of package registries, which do have people & money behind them.

Npm, for example, is owned by Microsoft (through GitHub). MS has huge amounts of money. They could be scanning for malware on upload and adding so many more security mechanisms. But they don’t.

	▲	fxtentacle a day ago \| parent [-]
		Didn’t Disney famously use an EULA contract for dodging responsibility after a deadly food poisoning?

▲

hnlmorg a day ago | parent | prev [-]

That’s a slightly different thing in my opinion but I’m glad that you’ve raised it.

Developers have an ethical responsibility but that doesn’t mean they should be legally accountable for genuine mistakes.

▲

eadwu 20 hours ago | parent | next [-]

This is rather insulting.

If I open source something, I am not your parent, if you decide to wing it just because it is open source that is your problem not mine.

You are not obligated to use anything anyone open sources. If you can't take responsibility for your own actions that's on you, not the person who open sourced it - that is what generally all the licenses state to begin with.

	▲	hnlmorg 17 hours ago \| parent [-]
		As an open source maintainer myself, I don’t think it’s an insulting position at all. I think you’re being overly simplistic with your position because there is a sane middle ground where maintainers are honest about their projects (eg so often pet projects have readme’s that describe POC code as if it’s production ready, and that’s not ok) I’m not suggesting that users of open source packages don’t also have responsibility to vet the packages they import. But so often I’ve wasted time vetting a package that has made bold claims in the README only to discover it’s basically beta software. And that can be hours of my free time wasted just because the author wanted their CV to sound more impressive. On my open source projects, I very clearly list when things are going to be beta quality, where experimental code lives, and where stuff is tested and considered safe for production use. I do that because I value people’s time. Just like I value my own time. And it only takes me 2 minutes to add that detail to the readme.

▲

ForHackernews a day ago | parent | prev [-]

No one has an ethical responsibility to provide free security auditing to trillion dollar companies.

▲

hnlmorg a day ago | parent [-]

That’s a strawman argument because we aren’t talking about security auditing for trillion dollar companies.

We are talking about developers having ethical ownership for communicating their project responsibly.

That means being honest about when a pet project is just a pet project rather than talking about every POC as if it’s production ready.

And it’s disingenuous to spin this as “only trillion dollar companies use open source” because we all know that isn’t even remotely true.

▲

jjav 13 hours ago | parent | next [-]

> That means being honest about when a pet project is just a pet project rather than talking about every POC as if it’s production ready.

And who isn't honest about it? Read the contract you have with the provider.

There is a way to legitimately expect production-ready libraries: You sign a purchase order for the right to use that code for a year (typically, or multi-year) and pay a quite substantial amount of money for that. Then you have purchased the right to expect a certain level of quality (details can be in the contract and reflected in the price).

If you're using something for free without having agreed to such a contract and paid the vendor accordingly, then you can expect exactly as much as you paid for it.

▲

hnlmorg 8 hours ago | parent [-]

You’re twisting my argument. I’m not saying maintainers are obligated to make their code production ready. I said their READMEs should accurately represent the state of the project.

If you, or anyone else, thinks that is an unfair assessment or that I should have to pay for a README not to claim to be production ready when it’s a POC, then you had a very weird view on how much effort it takes to write the line “this is an untested beta”

▲

jjav 7 hours ago | parent [-]

> I said their READMEs should accurately represent the state of the project.

The state of expectations is usually in the LICENSE file, not in the README. But it's there in the repository, in most cases.

I do agree that some maintainers forget to include the LICENSE file (or equivalent), which is a mistake. The terms of use are quite important.

	▲	hnlmorg 5 hours ago \| parent [-]
		> The state of expectations is usually in the LICENSE file, not in the README. No it’s not. LICENSE tells you what you can do with the code. It doesn’t tell you the state of code. Again, I need to reiterate my point that I’m talking about whether the code is beta, tested, etc. It costs nothing for a maintainer to specify how complete a code base is. It’s then up to the consumers of that package to decide if they want to use it, contribute back or just fork it. All I’m saying is too many GitHub repos are written for CVs; as if they’re meant to be consumed by Google. If something is a weekend project then just be honest and say “this is a weekend project written to solve my specific use case but PRs are welcome”. Thats better than having long blurbs that refer to the solo developer as “we” and all the other BS people stick into their READMEs to try and make their project sound better than it actually is. All I’m asking for is a little more pragmatism and honesty in READMEs. It’s no extra effort. It’s no extra cost. And I shouldn’t have to donate to projects just to ensure they don’t lie to me.

▲

ForHackernews 19 hours ago | parent | prev [-]

Anyone who is making money off my open source work can PAY ME if they want signed, reproducible builds.

Anyone who is not paying me can use what I generously give away for free without THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Concerned about security? Good for you, build it yourself.

	▲	hnlmorg 17 hours ago \| parent [-]
		You’re missing the point again, but let’s just agree to disagree because it sounds like your more concerned about money than the topic being discussed. Which is fine. It’s an opinion. I just don’t agree that it’s relevant