Who should pay for errors in open source code - its authors or businesses based on it? Expert opinion.

Brother

An employee from IBM Research came up with an interesting solution for the open source community.

James Bottomley of IBM Research, who is responsible for the development of the SCSI and PA-RISC subsystems in the Linux kernel, and also previously led the Linux Foundation technical committee, offered an interesting solution to the problem of possible legal liability of open source software developers for code errors or improper vulnerability management.

The idea is to transfer legal responsibility for errors in the source code from the developers of open projects themselves to companies that use this code in commercial products. In other words, the person who makes a profit from this code is responsible for problems that arise due to the use of the code. For example, if a company includes third-party open source code in its product, and an error / vulnerability in this code leads to damage to users, then the manufacturer of the commercial software product transferred to the user should be responsible and compensate for the damage, and not the developer of the open library.

The transfer of responsibility is proposed to be implemented by attaching a clause to the license indicating that it agrees to compensate for losses and protect development participants from any legal claims in the event of full or partial use of the source code provided under this license as a component or product in jurisdictions that impose additional obligations for software product maintenance.

At the moment, most licenses only have an "AS IS" warning, which states that developers are not responsible for errors, do not give any guarantees for the performance of the code, and do not accept obligations to solve problems, and the consumer agrees to use the code at their own risk. The lack of guarantees from developers contributed to the development of business models based on paid technical support.

With the increasingly active use of open source in the corporate sector and the growing interest of businesses in using open source, the model of financing development through non-profit foundations has become more popular. Companies sponsor the creation of a fund based on a large open-source project, and in return get the opportunity to participate in the managing technical committee of this project and influence decisions on further development. The emergence of such funds has changed the attitude of businesses to open source software - if earlier it was perceived as a chaotic development of enthusiasts, now it has come to be considered a tool for the development of the technology industry. The perception of responsibility for problems in open source has also changed: instead of protecting individual developers, the no-commitment clause has become perceived as an opportunity to avoid the responsibility of large companies creating open source products.

The situation with the disclaimer of legal liability may change with the adoption of the draft Cyber Resilience Act in the European Union, which provides for certain obligations for software manufacturers who do not properly take care of security and do not promptly eliminate vulnerabilities throughout the product lifecycle. The bill concerns manufacturers of commercial software and, apparently, will provide a special exception for software under open licenses, but despite this, there is no guarantee that in the future there will not be laws without such exceptions.

As an example of the possible risks associated with legal liability, a court case in the UK is mentioned, in which the company Tulip Trading requires changes to the code of the Bitcoin blockchain after it lost a large amount of bitcoins due to hacking. The lawsuit was filed against the developers of the code, not against the operators of the Bitcoin network. The first instance dismissed the claim, citing the disclaimer clause in the license, but the proceedings continue in the Court of Appeal, which is likely to also dismiss the claim for other reasons.