"We live in a society"

And yet you dared to write an incredibly shitty response where you yourself were completely devoid of embracing this to the full extent, because it would have clashed with the conclusion you so desperately wanted to arrive at.

No, these people do not owe anyone anything, not even a warning. And especially not after their work has been exploited for massive financial gain by actors who do not give a shit about them in the first place.

Maybe, as a bank, you should not be using a random library taken from the internet, with a single maintainer and some 100 stars, and make it a critical dependency of your banking operations.

Maybe, as a bank, your IT should write and maintain such a library and open source it.

Maybe, as a bank, you should not continue to use the first library, and do the second thing after the first library was able to take down critical parts of your infra the first time.

Because we live in a society, and as a bank, you should be contributing to it, too.

But then, what do I know.

@julijane

@julijane If you’d share tomorrow, unpaid, voluntarily, an open source library, with the world, and some time after, a big corp decides to integrate it into some mission critical system. Do you now by default inherit the weight of responsibility for the whole system? In the end, all single/small team, unpaid maintainers would need to protect against such grabs. Or otherwise they’d be doomed once some big corp picks their project.

I’d agree that the maintainer has some abstract responsibility (“don’t put out tools that they know are unfit for the purpose or dangerous“), but it can’t be a lot more than this kind of responsibility.

no. None of that. Instead, banks should stop relying on random code they find online. It is exactly that black and white.

Vetting dependencies is an important part of software development and if you didn’t do your due diligence there, that’s your fault. Maybe hire an engineering manager, this is exactly what that role is for.

I think a lot of people are bristling at that “we live in a society” remark. Because we see these obscenely wealthy companies as badly behaved members of that society. They take as much as they can and push right up to the limit of the law.

So the idea that this maintainer has some obligation -to society- that should compel them to do things they aren’t required to do is offensive. Because there are SO MANY things we think these companies should feel compelled to do because of the role they play in our society. And banks and other companies routinely refuse to do anything beyond what the law forces them to do. And some break the law, too, with penalties far weaker than individuals experience for similar transgressions.

These companies demand we write laws that compel their behaviour because they refuse to recognise any less authoritative expectations. And then they spend money hampering our legislative processes to make sure those laws don’t get passed.

We live in a society. From those to whom much has been given, much is expected.
@julijane

@julijane It’s a really bad take to put the blame of a bank’s failure to do the due diligence to protect their systems on the back of an open source developer who has no responsibility to the bank.

The Apache 2.0 License is clear:

“Licensor provides the Work … on an ‘AS IS’ BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND”

There are many ways the bank could have prevented this. Blaming volunteers who explicitly disclaim warranty is not one of the ways.

@julijane

Why is the banking system of a country using software they not only didn't write, but haven't even audited?

@julijane

Nah, no warranty is no warranty.

You can *choose* to take on responsibility. But it should not be expected of you.