It seems to me that there ought to be a principle of "opacity entails responsibility".
An open-source project and its developers can easily claim to have no liability because it's possible for downstream users to fully inspect the source code. However, it's harder to argue the same thing for a closed-source product or service.
If a company claims to provide a closed-source service according to certain specifications, and then fails to do so, then it is liable for that failure. In other words, if you want to fence your code off to more effectively generate profit from it, OK -- but now you are liable for any disasters caused by it.
It becomes particularly interesting if and when a closed-source project depends on open-source dependencies upstream, especially if these dependencies are not declared. Can the downstream company then deflect responsibility? It seems not.
Of course, it's not a black-and-white thing. A developer who deliberately inserts malicious code into an open-source codebase should still be held liable for this. I'm sure one could craft a similar argument for limitations on the liability of even closed-source codebases.