> Currently when new vulnerabilities pop up (i.e. xz-utils compromise, log4j shell), people are quick to blame the maintainers for it. Why shouldn't companies instead be responsible for these vulnerabilities?

They are. I've never seen a single example of a company that was able to dodge legal liability for something bad that happened as a result of an open-source software package that they used.

The problem is that software companies generally aren't liable for anything that happens as a result of their software. If you store the code to a safe with $100k in OneDrive and Microsoft deletes that file by accident, they have zero legal liability - regardless of whether the fault was in Microsoft's proprietary code or some open-source library that they use.

That's the more fundamental problem that needs to be addressed first - that tech companies have extremely few responsibilities to their users, in a way that's unlike most other industries that have come before.
