[License-discuss] Reconsidering the "unless required by applicable law" clauses on warranties and limitations of liability

Brian Behlendorf brian at behlendorf.com
Fri Feb 17 17:42:01 UTC 2023


(speaking personally)

The Apache license 2.0, sections 7 and 8 say:

   7. Disclaimer of Warranty. Unless required by applicable law or agreed
   to in writing, Licensor provides the Work (and each Contributor provides
   its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
   OF ANY KIND, either express or implied, including, without limitation,
   any warranties or conditions of TITLE, NON-INFRINGEMENT,
   MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely
   responsible for determining the appropriateness of using or
   redistributing the Work and assume any risks associated with Your
   exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
   whether in tort (including negligence), contract, or otherwise, unless
   required by applicable law (such as deliberate and grossly negligent
   acts) or agreed to in writing, shall any Contributor be liable to You
   for damages, including any direct, indirect, special, incidental, or
   consequential damages of any character arising as a result of this
   License or out of the use or inability to use the Work (including but
   not limited to damages for loss of goodwill, work stoppage, computer
   failure or malfunction, or any and all other commercial damages or
   losses), even if such Contributor has been advised of the possibility
   of such damages.

These are the "use at your own risk" clauses that allow everyone, from volunteer 
individuals to large corporations, to be reassured that this gift of open 
source software sitting in front of the recipient is properly understood to be 
a gift, and not a promise. It puts the onus on the recipient to be sure that 
the software is fit for purpose to whatever their own standards are, and if 
they can't, they should not use the software.

At the time of drafting the AL2 license, I believe the justification for having 
"unless required by applicable law" phrases on each were that it was typical 
legal boilerplate; more optimistically it could be seen as a polite nod to the 
wide array of viewpoints in different jurisdictions as to what can actually be 
disclaimed in a software copyright license, and that perspectives were likely to 
shift over time and the hope was that open source usage could be universal 
enough to shift it in its favor. However, it has resulted in organizations 
confusingly believing that in those jurisdictions where warranties and 
liability can not be entirely waived, that the rights in the license are still 
conferred regardless, and that whatever baseline warranties, liabilities, and 
resulting support would be inferred are allowed and even expected.

This results not just in "free riding" - where naive organizations simply use 
open source code straight from the source without paying for a support 
agreement, yet expect support. We saw this when companies with no prior 
engagement with the Log4J developers flooded that team with demands for 
attestations on their part that they'd fixed all the bugs and it was defect 
free. The nerve.

This has also put individuals and organizations publishing open source code at 
the risk of fines and other sanctions in jurisdictions where such limitations 
are not only weak, they are under direct attack by perhaps well intentioned 
regulations like the EU's Cyber Resilience Act. I'm sure you've all followed 
the drama but two excellent blog posts on this matter are:

https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/
https://eclipse-foundation.blog/2023/01/15/european-cyber-resiliency-act-potential-impact-on-the-eclipse-foundation/

Amendments to the proposed CRA are being sought to limit its damage upon the 
OSS community, but I worry that its base premise (that warranties/liabilities 
can not be waived, and thus even non-EU publishers of source code could be 
found subject to its fines) and theory of incentives (put all the burdens on 
the software publisher; the market will sort out the resulting effect on 
supply/demand and prices) are wholly broken. The erosion of those disclaimers 
is a systematic threat to what makes OSS work, and even if we achieve a 
negotiated battle to limit those compromises today, it only shifts the 
goalposts for next season's compromises.

I'd like to propose that the stewards of licenses approved by the OSI and in 
major use consider two adjustments to their licenses:

1) Removal of the "unless required by law" terms in the Disclaimer of Warranty 
and Limitation of Liability clauses

2) Explicit text added that clarifies that if any part of such sections can not 
be honored by the recipient, the recipients' rights granted under this license 
are terminated.

If I give a child some candy, and they come to expect candy every time they see 
me, I'm going to stop giving them candy, on principle.

IANAL so I won't try to draft the above, but I'd wager $1 that such text could 
even be made GPL compatible.

This community is extraordinarily generous with its gifts and many corporations 
and governments have been able to free ride off the back of that generosity 
with very few actually returning value in any form. Clarity on this point would 
not only help reaffirm the implicit social contract underlying the incredible 
engine of creativity and economic power that OSS has become, it would remind 
recipients of the value of working with vendors or other service providers who 
are able to assume that kind of warranty and liability service for a fee.

Thoughts?

Brian