
Someone should sue them, for knowingly, willingly releasing bug ridden, security issue laden software.

Seriously.

This is a perfect test case.

It should start with a 15 day demand letter, and progress from there.




IANAL, but the license includes both a disclaimer of warranty and a limitation of liability. Further, I think to sue you need to demonstrate actual harm. Absent a security breach, for which you might get a day in court, they haven't harmed you.

Stop using their software. Stop bullying people with lawyers.

> This is a perfect test case.

Indeed, and maybe your legal theory fails.


There are plenty of jurisdictions where such a disclaimer is void. France, for example, probably. Or anyway somewhere in Europe.

News that Apache had been forbidden to perform downloads to France, and then more places, might help raise awareness that it shouldn't be downloaded at all, nohow.

Maybe it would even push Apache to stop offering it entirely, and to link to the Libreoffice site instead.


> There are plenty of jurisdictions where such a disclaimer is void. France, for example, probably

I would be surprised, as such disclaimers are included in the official French flavor of the GPL family (http://cecill.info/licences.fr.html); section 8.2.


I would assume that the disclaimer protects the copyright holder but not the distributor.

The European approach to consumer protections is generally more about ensuring that things are safe by default than about warnings and disclaimers. A lot depends on the expected competence of the target audience. If you distribute professional tools directly to professionals, they can be expected to read the warnings and understand that misuse could be dangerous. If you market and distribute something to the general public, ensuring safety is your responsibility.


> I would assume that the disclaimer protects the copyright holder but not the distributor.

Why assume when you could check? Because the license text shows that you're wrong, just read section 8.2 once again.


Because it's a matter of law. Legal protections often override licenses and other contracts.


Well, the CeCILL licenses have been validated by the French institutions themselves, I hope they know their own laws better than you do.


I see downvotes, but there is a difference between "our stuff has a bug" and "we're actively keeping this project alive, including updating binary downloads, even though we know it has endless CVEs, some of them years old."

One is an innocent problem. The other is willful negligence.

And we need to start suing for this sort of thing. We need fines for companies willingly causing harm.


> And we need to start suing for this sort of thing.

Sue them... for what? What do you plan to put in your paperwork? What are you going to say to the judge?


Knowingly distributing a faulty product with risk of harm to the user ?


How would you define "faulty" and "harm"?

rm will unapologetically delete files instead of using the "trash bin" semantics that many people are used to. Some would define that as "faulty", and it can certainly cause "harm" (a "rm fuckup" is almost a rite of passage).

You can find many such almost banal examples, ranging from well-known tools to some project a student uploaded on GitHub that sees basically 0 traffic. Opening up Open Office to a lawsuit also means opening up countless GitHub projects from 15-year-olds riddled with SQL injections and the like, but also things I put on my GitHub five years ago and don't really care about. Ignoring a PR would mean risking a lawsuit.

Plus, do we really want government involved in telling us what software we can and can't put on the internet? Because that's what this would mean.

"They should be sued for distributing outdated insecure software" is a fun one-liner, but the ramifications if it would actually happen are huge and almost entirely negative for the Open Source world.


I think you’d have to, at the very very least, specify an actual harm against you, and even then you’d likely be told immediately that they have no obligation to provide anything given there’s no support contract.


> we need fines for companies

I think the reason you’re getting downvotes is that Apache is a non-profit foundation, not a for-profit company. So fining them isn’t going to do a lot of good (as well as being very unlikely to succeed).


The point is to get them to fix, or take it down.

A fine per day, until compliance, can motivate well.

Being nonprofit doesn't mean you can willingly hurt people (getting hacked) either.


A fine for what crime?


Nonprofits can obey court orders same as anybody else. When they are obviously in the wrong, it is hard to understand why they would resist.

That said, it is hard to understand why they resist good sense now.

Except, "Apache is where free software projects go to die."


> Apache is a non profit foundation, not a for profit company. So fining them isn’t going to do a lot of good

Why?

I don't see why fining non-profits is any less effective than fining for-profits.


It might be effective... but is it doing any good?


If you think getting OpenOffice off people's machines is good.


Possibly even more effective.


Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.


A warranty is not the same as willful negligence.


Why is there no responsibility on the part of the user?


The software equivalent of “shall not be infringed”.


So, someone should put all of the free and open source software at risk (if the "we guarantee nothing" part of their license doesn't hold ground for them it holds ground for no one) because you want to attack the ASF for not doing what you want? What a great plan.

