Even with the MIT disclaimer and the author not being the distributor or having any relationship with the distributor. Publishing vulnerable open source software to GitHub with a disclaimer that says it isn't fit for any purpose seems like a bit of an oversight of using the MIT license in distros to me.
A software license has never been a protection against malicious criminal activity. They'd have to prove that the "feature" had a legitimate non-nefarious purpose, or was accidental, neither of which apply here.
Apologies for having to be obnoxious about it, but it deserves repeating.
If you take an approach of presumed guilty where the accused have to prove their innocence: you have a problem. You'd have a very difficult time proving your innocence after being accused of a crime. Anyone can accuse you of a murder that happened at 2am, and your alibi of being asleep won't cut it. Remember, in this bizarro world, it's presumed you are already guilty. You need to convince the prosecutor and jury you didn't commit the crime. Even if you had 4K night vision video of you sleeping in your bed, it probably won't persuade anyone because the prosecutor will say you pre-recorded the video to deceive a jury, and since you're presumed guilty, it makes sense for you to manufacture evidence in your defense.
This is why guilty until proven innocent is genuinely stupid.
Proven here is not in the same sense of a mathematical proof. "But your honor, technically you can't prove my client was going to use this exploit carefully hidden behind layers of obfuscation for malicious intent" is not a legal defense.
I did set up the question in a way that the developer doesn't harm someone themselves but sells it to a state actor. I.e. an extremely similar outcome to finding a zero day and selling it to a state actor, except it is "more" secure: you need the private key.
The point about MIT is that they are saying to the world when publishing "as is", folks. Not claiming I haven't backdoored it for Uncle Sam. In fact I'm not claiming anything, use at your own risk.
It used to be the law to implicitly do this by weak encryption for exports.
> that the developer doesn’t harm someone themselves
The harm in question is causing the backdoor to be inserted in the first place. It's irrelevant what else you do, like selling it, although that could be a separate crime.
> The point about MIT is that they are saying to the world when publishing "as is", folks. Not claiming I haven't backdoored it for Uncle Sam. In fact I'm not claiming anything, use at your own risk.
Just because you think that is what those words mean, doesn't mean that is what those words actually mean.
> It used to be the law to implicitly do this by weak encryption for exports.
Not comparable. Even now, the MIT license would probably protect you from any consequences of using super weak encryption. It would not protect you from the hypothetical you set up. They are very different situations.
That's exactly right. Imagine a license that said "...and I can come to your house and kill you if I want to." Even if someone signed it in ink and mailed a copy back, the licensor still can't go to their house and kill them even though the agreement says they can.
I can imagine the case of maybe a "King of the Hill"-type game played on bare hardware, where you're actively trying to hack into and destroy other players' systems. Such a thing might have a license saying "you agree we may wipe your drive after downloading all your data", and that might be acceptable in that specific situation. You knew you were signing up for a risky endeavor that might harm your system. If/when it happens, you'd have a hard time complaining about it doing the thing it advertised that it would do.
Maybe. Get a jury involved and who knows?
But somewhere between those 2 examples is the xz case. There's no way a user of xz could think that it was designed to hack their system, and no amount of licensing can just wave that away.
For a real world analogy, if you go skydiving, and you sign an injury waiver, and you get hurt out of pure dumb luck and not negligence, good luck suing anyone for that. You jumped out of a plane. What did you think might happen? But if you walk into a McDonald's and fall through the floor into a basement and break your leg, no number of "not responsible for accidents" signs on the walls would keep them from being liable.
> For a real world analogy, if you go skydiving, and you sign an injury waiver, and you get hurt out of pure dumb luck and not negligence, good luck suing anyone for that. You jumped out of a plane. What did you think might happen? But if you walk into a McDonald's and fall through the floor into a basement and break your leg, no number of "not responsible for accidents" signs on the walls would keep them from being liable.
Even this is a bad example, since it is just gross negligence and not intentional. A better analogy would be if McDonald's shoots you.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
BY READING THIS COMMENT YOU AGREE THAT THE AUTHOR CAN TAKE ALL YOUR WORLDLY POSSESSIONS. YOU ALSO INDEMNIFY THE AUTHOR FOR ANY HARM THEY MIGHT CAUSE YOU AT ANY TIME.
I own you now. Sucks to be you I guess. Or maybe that's not how things work: a) there are limits to what licenses can allow you to do, and b) there are limits to who is bound by the license at all.