
Maintainers have responsibility over their code, not how it is integrated. Here the problem is entirely in their code, it is not depending on the downstream project or any way it is used there.


Maintainers have no responsibility at all, unless they're paid or bound by contracts in some other way.

Some feel responsible regardless, but they certainly don't have to. They can even introduce vulnerabilities intentionally, and it's your responsibility if you trusted them not to.


> They can even introduce vulnerabilities intentionally, and it's your responsibility if you trusted them not to.

Is that true? I can add code in my open source library to steal credit card numbers, and if you use it that'd be your fault?


There is a reason why some companies have internal repos only policy, and libraries only get added to them after legal and IT review.


It's not true. There's a legal system and they cannot do intentionally illegal things and fraud.

But it's good to not trust random strangers at GitHub -- maybe a user profile is just a facade for a criminal gang, maybe untraceable so they can get away with it


Not every intentional vulnerability is meant for illegal things or fraud.


No, you can't escape legal responsibility from intentional sabotage that easily.


Intentional sabotage of my own project?

It doesn't take much imagination to come up with situations where one may intentionally introduce vulnerabilities in use-cases they don't care about in order to make handling of use-cases they do care about easier. Are you sure I can't "escape legal responsibility" for doing that in my own software that I share to others "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT? (emphasis not mine ;))


Irresponsibility != malice.

If your FOSS software uses plaintext passwords because you don't care about data-at-rest security for whatever reason, sure, you're not required to make all your public code super secure.

Otherwise all student projects uploaded to GitHub would be crimes.

If your FOSS software adds a bit of code that POSTs all inputted credit card numbers to https://seba_dos1.com, well, that's gonna look very different in court.

It's like holding a garage sale where you give stuff away for free. Nobody can complain if your old stereo that you gave away for free doesn't work, but if you have an old propane burner that's likely to sear somebody's face off, best to just throw it away.


Sounds as if you believe you could edit & change open source code to try to intentionally crash a car or an airplane, or just not care about that happening, and get away with it, just because "AS IS".


If the usage terms say "do not use in any critical applications", I would've thought that the responsibility for using the code in that fashion would be squarely with the entity that did the integration?

It'd probably be better if the usage terms would by necessity spell out that you were happy for the code to be used in life-critical situations, instead of having to opt out of it.


The default usage terms are "all rights reserved, nobody can use this but me". You change this by applying licenses which regulate the terms under which you're happy for the code to be used by others. The vast majority of popular Free Software licenses allow you to use the code under no guarantees whatsoever, so if you want to use some software in critical applications and hold its authors responsible if it doesn't work as advertised, you should probably pay them and include this responsibility in their contract.


Tell that to the people that removed their 'leftpad' repository.

Or the ones that are taking over FOSS projects to inject 'telemetry' spyware.


If you publish something, you have responsibility over it.


What kind of responsibility? In what sense? Could you give me an example?

By the way, this is a part of my license (a pretty common one):

  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


No, I don't. You may want to read the licenses of the code you're using, by the way.


Imagine the liability of publishing any code if you are "responsible" for it. Meaning that you would be responsible for its improper use, or even use for illegal purpose.


You are though. Forget the legalese for a second.

You wrote the code and put it out there.

If you didn't, none of the uses of it would ever have come to fruition.

A court of law may let you duck out for the time being, but when you trace the chain of effective physical causality backwards, at the end of the day, you wrote it, you're responsible for making its applications possible.

There is value to the code unwritten. That value is a clean conscience and true absence of guilt or remorse for having enabled someone to do something monstrous.

I laugh at people who think a legal disclaimer absolves one of moral culpability. If only it were that easy.


I wonder how do the makers of kitchen knives sleep at night.


Exactly what part of:

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Suggests that maintainers have any responsibility over their code?


There's a legal system too; that license text isn't the whole world.

However in this case, to me it seems they obviously have nothing to worry about. (Since this bug was unintentional)


It's not obvious that putting in this legalese covers you if you otherwise promote it as working software and invite people to use it, and details would depend on jurisdiction.


Has Apache 2.0 ever been pierced in court anywhere?



