OpenSSL's license (Apache v2), also has the "AS IS" clause. I guess we should just wholesale dump any concept of security since the very basic technique of protecting oneself from litigation on the possibility of something going wrong should instead now be interpreted to mean "this is a toy project with zero guarantees".
There is a difference between "Hey, this is a silly side project so definitely use at your own risk, as far as I'm concerned its a place for me to learn and should be treated as a toy" and "Hey, I think this is worth your time, you should use this in your production stack, and obviously I've set up legal protections so you can't sue me if something goes wrong, but I am trying to push this as something lots of people should use and trust".
If someone walks into my house and tries cookies I'm clearly learning how to make and then throws up, that's very different than me putting up a big "FREE AMAZING BETTER COOKIES" sign on the sidewalk and handing them out and having people throw up. In both scenarios, the cookies are free! What are you blaming me for! How entitled! In the first, I think that position is more defendable. In the second, ehhh.....
For the record -- I'm not super familiar with this project, but I think that a lot of people don't consider the ramifications of being successful sometimes: your project could be used by a big company and lead to people's information getting hacked (and those people had nothing to do with any of these decisions). The only thing asked is to be upfront that this is not intended for that, as opposed to the temptation of calling your thing the best and telling everyone to use it. In the run up of a project, I think it's easy to forget that and get really hyped on showing how your thing is better than some incumbent for example. Just something to keep in mind.
> OpenSSL's license (Apache v2), also has the "AS IS" clause. I guess we should just wholesale dump any concept of security since the very basic technique of protecting oneself from litigation on the possibility of something going wrong should instead now be interpreted to mean "this is a toy project with zero guarantees".
Essentially: yes. If you want any guarantees beyond that, you have to pay for them, or trust that others have paid for them.
Absent that, you have to make your own judgment as to whether or not the maintainers will run the project in a way you feel comfortable with. If they do; great. If not, move on (or contribute, or fork it), because you have no right to tell them how to maintain their project.
But I can't fork it, not where it matters, that's the point. Me forking it doesn't get it distributed to all the services I use, some provided by the government for example. This is my point, as a customer, my forking doesn't affect my usage, usage that may be completely out of my control.
There have been times when society has decided that some utility was important enough to "transfer ownership" (imminent domain for example). Obviously that is an extreme case, and I am not advocating for that (in fact I am against that), but I am demonstrating that precedent exists for the feeling that some things ingrain themselves enough such that if you want to abdicate responsibility you should perhaps consider abdicating ownership. More than anything, I am trying to help explain how the other side feels.
But, as a trivial example, it's certainly not the case that they owe you nothing in the strictest sense. Under that model, they could technically put in code to forward all data to their servers and fall back to "well, as is, that's how we wanted it". I think that wouldn't hold up in court. There appears to be at least the basic expectation of good faith (and lack of criminality). Given that, perhaps it can be extended to negligence too. Perhaps not.
My position is actually a rather soft one, it's "If you heavily pitched your project and it ended up in the control systems of nuclear reactors, you should maybe expect people to be pissed at you if you willingly block critical fixes because you deem them boring". See, I'm not even saying what you should do, just more of a like "well, what do you expect".
There is a difference between "Hey, this is a silly side project so definitely use at your own risk, as far as I'm concerned its a place for me to learn and should be treated as a toy" and "Hey, I think this is worth your time, you should use this in your production stack, and obviously I've set up legal protections so you can't sue me if something goes wrong, but I am trying to push this as something lots of people should use and trust".
If someone walks into my house and tries cookies I'm clearly learning how to make and then throws up, that's very different than me putting up a big "FREE AMAZING BETTER COOKIES" sign on the sidewalk and handing them out and having people throw up. In both scenarios, the cookies are free! What are you blaming me for! How entitled! In the first, I think that position is more defendable. In the second, ehhh.....
For the record -- I'm not super familiar with this project, but I think that a lot of people don't consider the ramifications of being successful sometimes: your project could be used by a big company and lead to people's information getting hacked (and those people had nothing to do with any of these decisions). The only thing asked is to be upfront that this is not intended for that, as opposed to the temptation of calling your thing the best and telling everyone to use it. In the run up of a project, I think it's easy to forget that and get really hyped on showing how your thing is better than some incumbent for example. Just something to keep in mind.