I realize this is drifting off topic, and I'm happy to talk more in email (address in profile). In the interest of sharing a bit more, consider this statement you paraphrase:
"a FOSS author did something wrong and was found to be liable"
In fairness, I'm not sure the earlier commentator really understood what they were saying, at least not as far as legal liability is concerned.
The FOSS author simply wrote some code and shared it, right? That is their 'action'. Can you think of ways that does direct harm, which is to say they published their code, and with nothing else happening someone got harmed? One way that can cause harm is the FOSS author publishes a trade secret[1] or access credentials of a third party. In both cases they could (and would) be sued by that third party. But absent that, I'm having a hard time coming up with where simply the existence of most code causes someone else harm.
So to get to harm we have to add another person, that person somehow applies the code, and in that application harms another person. Our FOSS author might be sued as being contributory because the person who caused harm might not have done so if they didn't have access to the code. To prove that, the plaintiff would have to prove that the FOSS author knew that the code could cause harm if used in this way, and encouraged or otherwise abetted the person who did harm to use it in doing the harm. That can be a hard standard to reach[2].
In your car example, it would be challenging to prove that Daniel Stenberg wrote curl so that you could use it to brick car infotainment systems. But it would be easier to prove that a manufacturer that incorporated FOSS code and didn't check their system for risks like this should be found liable.
Liability accrues first to the party that did the action. Secondary liability can reach out to suppliers[3] of things used in that action. This is also civil law rather than criminal law and so it works a bit differently in terms of evidence standards and penalties.
[1] We can make a joke here about badly formatted code, but hopefully we're in agreement so far. A real example was the DVD decoding software that included the key for decoding encrypted DVDs.
[2] Not that people might not try, it's too easy to sue. There have been cases where someone wrote some code that was later used in a weapon (an example might be ArduPilot software in drones used to kill Russians). But even in that case, the courts in the US at least have consistently found that if it is not the primary purpose of the software to do harm, then the author is not liable.
[3] Unless you're a gun company, as gun companies have managed to keep themselves from being found liable for people using their guns to do harm. But there is also lots of interesting case law there too which might help inform.
That's a really good point. Where I remain at least somewhat concerned is for example suppose that one day curl pushes a terrible bug to production that results in all sorts of nasal demons flying out of client devices. Is this free code that was picked up off the side of the road thus zero liability? Or is this a trusted product written and maintained by a professional that has stood the test of time thus there might be liability because there's an assumption that official updates will be fit for purpose?
Now if I were running a small business I might choose not to worry about the tail risk of my product causing a few million dollars in harm or (more likely) I'd have insurance to cover that. But someone tossing code along the side of the road presumably doesn't have (and doesn't want to think about) insurance and meanwhile the tail risk has become nearly unbounded thanks to the effectively arbitrary number of deployed instances.
I think there's also some benefit to having a big fat NO WARRANTY clause at the top of the license file because it might give you a better chance of a summary dismissal (or even deter the other party from trying in the first place) since as we all know the process itself can be ruinous even if you eventually prevail.
Which is all to say that I share your view. Willingly negligent vendors that cut costs by omitting security while viewing the resultant mishaps as an inescapable reality ought to be held accountable. But I think it would also be a good idea to add an official exemption for software that's made available free of charge. It seems like if you pick something up off the side of the road any mishaps that follow from that should necessarily fall to you.