> If the code you randomly pulled down from GitHub puts your computer on fire, you're the only one responsible for that happening.
That's what the license says, but your local laws and regulations might disagree, and your license does not overrule the law.
Distributing malware is illegal and malware is defined differently in different countries. If you intend to upload sketchy code, make sure you've read up on what constitutes cybercrime where you live because one of your victims may go to the police.
To make a flawed comparison: setting up a stand with cookies that happen to be poisoned next to a sign that reads "cookies free to be eaten at your own risk" doesn't necessarily let you go free when someone ends up in a hospital.
Now, as a counter argument, your average commercial OS is packed full of what would've constituted spyware twenty years ago, so you're probably free to package some types of malware. I don't know if what the colors.js guy did was illegal (at least he reminded people of the dangers of npm, which everyone then proceeded to forget) but I think he got away without a lawsuit. I doubt he'd have gotten away with it had he lived where I live, though.
I wonder if anyone has actually been charged based on malicious open source contributions. Off the cuff, it seems unlikely -- the person whose computer was damaged would have to navigate multiple jurisdictions and explain something technical to a court, likely as an individual.
The precursors to such a situation don't have to be exceptionally unusual. It could be someone working in a language that is not normally compiled ahead of time and shipped in binary form (e.g. malicious JavaScript). Even if not accompanied by a license, the code just has to use pieces of some open source work so that it is a derived work. That malware author is then effectively a contributing author, whether aware of it or not.
> the person whose computer was damaged would have to navigate multiple jurisdictions and explain something technical to a court, likely as an individual.
Easily done if the person is actually a mega corporation.
Though [re-reading parent] if we are specifically concerned with contributions that were accepted by a non-malicious upstream under good faith and then turned out to be malicious, then that is something else.