On Sat, 18 Feb 2023, Pamela Chestek wrote:
>> Amendments to the proposed CRA are being sought to limit its damage upon the OSS community, but I worry that its base premise (that warranties/liabilities cannot be waived, and thus even non-EU publishers of source code could be found subject to its fines) and theory of incentives (put all the burdens on the software publisher; the market will sort out the resulting effect on supply/demand and prices) are wholly broken. The erosion of those disclaimers is a systematic threat to what makes OSS work, and even if we achieve a negotiated battle to limit those compromises today, it only shifts the goalposts for next season's compromises.
>>
>> I'd like to propose that the stewards of licenses approved by the OSI and in major use consider two adjustments to their licenses:
>>
>> 1) Removal of the "unless required by law" terms in the Disclaimer of Warranty and Limitation of Liability clauses
>>
>> 2) Explicit text added that clarifies that if any part of such sections cannot be honored by the recipient, the recipient's rights granted under this license are terminated.

> (speaking personally)
>
> Brian,
>
> Your premise that all liabilities can be waived is not correct.

That's not my premise. My premise is that if you cannot hold me free from liability or warranty, I have the right to not allow you access to the other rights granted in my software license.

> This is in the interest of the public - imagine, for example, one had in a release at a go-cart track "you are waiving the right to make a claim against us for intentionally causing you bodily harm."

Every example offered to date by the opposing side involves a product offered in the context of a commercial relationship between the two parties. Great, attach those regs to that commercial relationship.

Also, "intentionally causing you bodily harm" implies a willfulness that is not at all a focus of the CRA. The CRA would do nothing to impact a bad actor who intentionally creates back doors in a widely used product - that bad actor is happy to publish an SBOM and have their dev process certified by a third party, or is likely sneaking a back door into a project that otherwise is conformant to the recommendations. Furthermore, none of our concerns are because we believe willful bad actors should be allowed to do harm. If the CRA wanted to add terms clarifying that the disclaimers do not apply if there is willfulness or intention in the compromise, that'd be a start. But discerning intent can be a dangerous game, too. Lots of devs have a habit of leaving chainsaws mixed in among the dinner cutlery in their toolkits.

> Imagine if an individual included in an open source project code that was designed to take down the entire electric grid as an act of terrorism and it worked. Is it appropriate that the person would not be liable to the electric companies for that intentional act because of a waiver in the license?

Sure, that would be bad. The CRA does nothing to address this concern.

Clearly there is liability on the part of the last-mile systems integrator whose security architecture was so weak that an included dependency was able to cause such damage. Why let that person/organization off the hook, and further the cancerous perception that free-riding is the expected norm?

There's also the attribution problem. A hacker smart enough to compromise the electrical grid by sneaking in a compromise to a widely trusted OSS component is not likely going to self-identify as the culprit; they will look very much like a regular contributor who made an "honest" mistake. Do we want to start down a path that will lead inevitably to demands for "real names" and national IDs to have a GitHub account, or will cause devs who do make genuine mistakes to become the subject of interrogations?

Even with those limitations, the community seems pretty good at finding and rooting out the bad actors without the government's help - see the UMinn team who tried to slip a back door into the Linux kernel as a research project:

https://thehackernews.com/2021/04/minnesota-university-apologizes-for.html

As for metaphors: if I'm a chef in a restaurant and I bought produce at a farmer's market for a salad that made my customers sick, I might have a bit of redress against the farmer I bought it from, but I don't escape liability of my own. Also, since "foraging" is now a hot trend at Michelin-starred restaurants in Europe - if the chef harvested some greens for his salad from my front yard (without my awareness or permission), and it made his customers sick, how liable would I be? Should I be? Would a reasonable court find me? Laws shouldn't lead to claims that get laughed out of courts in the first place, because everyone still loses.

> So removing the clause from the licenses would only make it worse, not better.

I hear your point, but the flaw still seems to be on the side of some interpreters of the license rather than on the intent of the licensors. I know which I'd prefer to see us work to shift.

> I also don't think the second option would work - I use the code, the electric grid goes down, I sue the developer, the developer moves to dismiss on the basis that there was no license because the user had agreed not to hold the licensor liable. I see two potential outcomes - the user doesn't have a license and is therefore an infringer, but that doesn't negate the malicious developer's liability for the harm (although the liability on the copyright infringement claim might outweigh the defendant's liability on the tort claim, so it's not worth bringing the claim),

Yes. Think about the judgements that were rendered against music pirates of $100K *per MP3*. And that was for consumers acting entirely out of personal interest. If a company was found to be wilfully violating a copyright term to further their business interests? I bet the BSA would have something to say about that. Ironic that in most cases I prefer a far more relaxed enforcement of copyright...

> or the court would say there is still a license but that clause is unenforceable as against public policy.

At which point at least the costs become far less theoretical and the problem more obvious.

Brian


_______________________________________________
The opinions expressed in this email are those of the sender and not 
necessarily those of the Open Source Initiative. Official statements by the 
Open Source Initiative will be sent from an opensource.org email address.

License-discuss mailing list
License-discuss@lists.opensource.org
http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org