undefined | Better HN

0 pointsleoedin4mo ago0 comments

> The person who makes the software has the duty to fix the security issues in their own code, nobody else, no matter how big they are.

That’s just clearly untrue for freely available software. So every person that ever published a hobby project on GitHub has a duty to fix security issues in it?

The organisation who ships software to paying customer may have a duty to fix security issues. If they didn’t, it could be seen as negligent, violate regulations or the contract they have with their customers. But there’s no contract with the free software developers. No duty of care from them to end users. Absolutely no duty.

0 comments

x0x04mo ago

Be careful, the Europeans tried (had the python foundation not pushed back hard, would have) and still would love to require anyone who's ever built a piece of software to perform maintenance for them on demand.

bawolff4mo ago

> That’s just clearly untrue for freely available software. So every person that ever published a hobby project on GitHub has a duty to fix security issues in it?

Yes, i think there is a moral duty if you are presenting the software for the general public to use. Or if you dont to at least make it clear how you handle stuff so that users can make their own decisions.

> But there’s no contract with the free software developers. No duty of care from them to end users. Absolutely no duty.

In your view would it be acceptable to backdoor open source software to sell user's data to the highest bidder? That's obviously not what happened here, but seems like the obvious conclusion of your argument.

63stack4mo ago

Software licenses already make the conditions íj which they are offered to you very clear.

It is up to you, the end user of the software to evaluate whether those terms, risks, and options are good enough for you. If not, don't use it. You have it completely backwards, and frankly, sound quite entitled.

bawolff4mo ago

Morality and legality are not the same thing.

Although perhaps my previous comment went a little too far. I think its fine to not fix issues as long as you publish them so that users can make an informed decision. Where i think it would be morally wrong is if a project pretends it fixes security issues but doesn't or if it tries to cover them up - insisting external reporters dont talk about them while also having no intention of fixing them.

Basically i think open source projects (like everyone) have a moral duty to be honest and not try and decieve people, regardless of what the license says.

1 more reply

j / k navigate · click thread line to collapse

0 pointsleoedin4mo ago0 comments

> The person who makes the software has the duty to fix the security issues in their own code, nobody else, no matter how big they are.

That’s just clearly untrue for freely available software. So every person that ever published a hobby project on GitHub has a duty to fix security issues in it?

0 comments

x0x04mo ago

bawolff4mo ago

> That’s just clearly untrue for freely available software. So every person that ever published a hobby project on GitHub has a duty to fix security issues in it?

> But there’s no contract with the free software developers. No duty of care from them to end users. Absolutely no duty.

63stack4mo ago

Software licenses already make the conditions íj which they are offered to you very clear.

bawolff4mo ago

Morality and legality are not the same thing.

Basically i think open source projects (like everyone) have a moral duty to be honest and not try and decieve people, regardless of what the license says.

1 more reply

j / k navigate · click thread line to collapse