James Bottomley of IBM Research, maintainer of the SCSI and PA-RISC subsystems in the Linux kernel and former head of the Linux Foundation's Technical Committee, has proposed a way to address the problem of liability for errors and vulnerabilities in open source code.
The idea is to shift legal responsibility for errors in the source code from open source projects to the suppliers of final commercial products: responsibility would move from the developer who wrote the code to the entity that profits from its use. For instance, if a company incorporates third-party open source code into its product and an error or vulnerability in that code harms a user, the manufacturer of the commercial product, not the open source developer, would be responsible for compensating the user for the damages.
The transfer of liability would be implemented through an addition to the license: a clause in which the licensee agrees to compensate for losses and to indemnify the project's contributors against legal claims whenever code provided under that license is used as a component or product in a jurisdiction that imposes additional obligations on software products.
Currently, an "AS IS" notice in the license is considered sufficient to limit legal risk: it states that the developer is not responsible for errors, gives no guarantees about the code's behaviour, and assumes no obligation to fix problems, and the consumer agrees to use the code at their own risk. This absence of guarantees from developers encouraged a business model built on paid technical support, which dominated the early stages of the open source ecosystem.
However, as open source code has become more prominent in the industry and corporations have grown, a model of influencing development through non-profit foundations has emerged. These foundations are established around major projects and are financed by large companies, which in return gain a seat in decision-making and oversight roles on the Technical Council that steers further development. This has changed how open projects are perceived: they are now viewed as tools for advancing the technology industry rather than simply as volunteer-driven initiatives. The perception of responsibility for problems in open source code has evolved with it. Rather than serving only to protect individual developers, the absence of obligations is now seen as an opening for the large companies that build products on open source to take on that responsibility themselves.