Published by The Lawfare Institute in Cooperation With

Questioning the Conventional Wisdom on Liability and Open Source Software

Submitted by Style Pass, 2024-04-24 18:00:05


A key and occasionally fiery thread of the debate around software liability has been the role of open source software. Most modern software applications are, under the hood, more than 80 percent open source software: software whose source code is free to inspect, modify, and distribute and that is often maintained by volunteers. What are the potential liability-related obligations of companies and open source software developers with respect to the open source software in a software product? This question has become even more salient because of the recent XZ Utils backdoor, in which a popular open source software project was compromised by a malicious project maintainer.

There are at least three beliefs embedded in this debate that have become the majority opinion, none without merit but all worthy of scrutiny. First, open source software developers should bear no legal responsibility for the software they create, modify, and distribute. Second, some analysts, when discussing a liability regime and open source software, have advanced the idea that liability should focus primarily on preventing companies from shipping products with open source components that are known to have vulnerabilities or obvious code flaws, especially vulnerabilities that are known to have been exploited. Third, if and when software liability becomes law and covers open source software included in a product, then companies will finally invest substantially in the open source software ecosystem.
