[License-discuss] Reconsidering the "unless required by applicable law" clauses on warranties and limitations of liability

Brian Behlendorf brian at behlendorf.com
Sat Feb 18 20:03:59 UTC 2023


On Sat, 18 Feb 2023, Pamela Chestek wrote:
>> Amendments to the proposed CRA are being sought to limit its damage upon 
>> the OSS community, but I worry that its base premise (that 
>> warranties/liabilities can not be waived, and thus even non-EU publishers of 
>> source code could be found subject to its fines) and theory of incentives 
>> (put all the burdens on the software publisher; the market will sort out 
>> the resulting effect on supply/demand and prices) are wholly broken. The 
>> erosion of those disclaimers is a systematic threat to what makes OSS work, 
>> and even if we achieve a negotiated battle to limit those compromises 
>> today, it only shifts the goalposts for next season's compromises.
>> 
>> I'd like to propose that the stewards of licenses approved by the OSI and 
>> in major use consider two adjustments to their licenses:
>> 
>> 1) Removal of the "unless required by law" terms in the Disclaimer of 
>> Warranty and Limitation of Liability clauses
>> 
>> 2) Explicit text added that clarifies that if any part of such sections can 
>> not be honored by the recipient, the recipients' rights granted under this 
>> license are terminated.
>
> (speaking personally)
>
> Brian,
>
> Your premise that all liabilities can be waived is not correct.

That's not my premise. My premise is that if you can not hold me free from 
liability or warranty, I have the right to not allow you access to the 
other rights granted in my software license.

> This is in the interest of the public - imagine, for example, one had in 
> a release at a go-cart track "you are waiving the right to make a claim 
> against us for intentionally causing you bodily harm."

Every example offered to date by the opposing side involves a product 
offered in the context of a commercial relationship between the two 
parties. Great, attach those regs to that commercial relationship.

Also, "intentionally causing you bodily harm" implies a willfulness that 
is not at all a focus of the CRA. The CRA would do nothing to impact a bad 
actor who intentionally creates back doors in a widely used product - that 
bad actor is happy to publish an SBOM and have their dev process certified 
by a third party, or is likely sneaking a back door into a project that 
otherwise is conformant to the recommendations. Furthermore none of our 
concerns are because we believe willful bad actors should be allowed to do 
harm. If the CRA wanted to add terms clarifying that the disclaimers do 
not apply if there is willfulness or intention in the compromise, that'd 
be a start. But discerning intent can be a dangerous game, too. Lots of 
devs have a habit of leaving chainsaws mixed in among the dinner cutlery 
in their toolkits.

> Imagine if an individual included in an open source project code that was 
> designed to take down the entire electric grid as an act of terrorism and it 
> worked. Is it appropriate that the person would not be liable to the electric 
> companies for that intentional act because of a waiver in the license?

Sure, that would be bad. The CRA does nothing to address this concern.

Clearly there is liability on the part of the last-mile systems integrator 
whose security architecture was so weak that an included dependency was 
able to cause such damage. Why let that person/organization off the hook, 
and further the cancerous perception that free-riding is the expected 
norm?

There's also the attribution problem. A hacker smart enough to compromise 
the electrical grid by sneaking in a compromise to a widely trusted OSS 
component is not likely going to self-identify as the culprit; they will 
look very much like a regular contributor who made an "honest" mistake. Do 
we want to start down a path that will lead inevitably to demands for 
"real names" and national IDs to have a github account, or will cause devs 
who do make genuine mistakes to become the subject of interrogations?

Even with those limitations, the community seems pretty good at finding 
and rooting out the bad actors without the government's help - see the 
UMinn team who tried to slip a back door into the Linux kernel as a 
research project:

https://thehackernews.com/2021/04/minnesota-university-apologizes-for.html

As for metaphors: if I'm a chef in a restaurant and I bought produce at a 
farmer's market for a salad that made my customers sick, I might have a 
bit of redress against the farmer I bought it from, but I don't escape 
liability of my own. Also since "foraging" is now a hot trend at Michelin 
starred restaurants in Europe - if the chef harvested some greens for his 
salad from my front yard (without my awareness or permission), and it made 
his customers sick, how liable would I be? Should I be? Would a reasonable 
court find me? Laws shouldn't lead to claims that get laughed out of 
courts in the first place because everyone still loses.

> So removing the clause from the licenses would only make it worse, not 
> better.

I hear your point, but the flaw still seems to be on the side of some 
interpreters of the license rather than on the intent of the licensors. 
I know which I'd prefer to see us work to shift.

> I also don't think the second option would work - I use the code, the 
> electric grid goes down, I sue the developer, the developer moves to dismiss 
> on the basis that there was no license because the user had agreed not to 
> hold the licensor liable. I see two potential outcomes - the user doesn't 
> have a license and is therefore an infringer, but that doesn't negate the 
> malicious developer's liability for the harm (although the liability on the 
> copyright infringement claim might outweigh the defendant's liability on the 
> tort claim, so it's not worth bringing the claim),

Yes. Think about the judgements that were rendered against music pirates 
of $100K *per*mp3*. And that was for consumers acting entirely out of 
personal interest. If a company was found to be wilfully violating a 
copyright term to further their business interests? I bet the BSA would 
have something to say about that. Ironic that in most cases I prefer a far 
more relaxed enforcement of copyright...

> or the court would say there is still a license but that clause is 
> unenforceable as against public policy.

At which point at least the costs become far less theoretical and the 
problem more obvious.

Brian
