> As a user of something open source you are not thereby entitled to anything at all.
Wait; I'm not even entitled to software not doing anything blatantly illegal on purpose, or perpetrating a privacy violation without my knowledge and consent?
Also, "open source" has an even greater focus on getting paid than "free software". Surely, if people are paid, certain entitlements exist between certain people, even if none of them happen to be the author.
E.g. if you use a phone that runs on a Linux kernel, you may be entitled to kernel security updates, at least for a certain support period.
By the way, as a user of closed source, you're not entitled to a heck of a lot, either; according to the reams of text in a typical license agreement. If the thing causes data loss, too bad for you, says the disclaimer.
> Wait; I'm not even entitled to software not doing anything blatantly illegal on purpose, or perpetrating a privacy violation without my knowledge and consent?
Exactly! Try reading through the licenses of the code you pull in, and it'll be evident. Here is an excerpt from the MIT license:
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED
If the code you randomly pulled down from GitHub puts your computer on fire, you're the only one responsible for that happening.
> Also, "open source" has an even greater focus on getting paid than "free software".
Does it? Which Open Source license has any focus on getting paid at all? You seem to mix up "development/funding model" with "distribution license", where Open Source is the latter, not the former.
> Surely, if people are paid, certain entitlements exist between certain people
Depends on the funding model. Open Collective, Patreon and GitHub Sponsors are all donations, where you donate without any expectations of getting anything at all back.
> E.g. if you use a phone that runs on a Linux kernel, you may be entitled to kernel security updates, at least for a certain support period.
Sure, you probably are, but not from the Linux kernel, but from whoever you bought the phone from/your carrier. This article is about the kind of people who write software like the Kernel, not the people who sell you products using FOSS.
> If the code you randomly pulled down from GitHub puts your computer on fire, you're the only one responsible for that happening.
That's what the license says, but your local laws and regulations might disagree, and your license does not overrule the law.
Distributing malware is illegal and malware is defined differently in different countries. If you intend to upload sketchy code, make sure you've read up on what constitutes cybercrime where you live, because one of your victims may go to the police.
To make a flawed comparison: setting up a stand with cookies that happen to be poisoned next to a sign that reads "cookies free to be eaten at your own risk" doesn't necessarily let you go free when someone ends up in a hospital.
Now, as a counter argument, your average commercial OS is packed full of what would've constituted spyware twenty years ago, so you're probably free to package some types of malware. I don't know if what the colors.js guy did was illegal (at least he reminded people of the dangers of npm, which everyone then proceeded to forget) but I think he got away without a lawsuit. I doubt he'd have gotten away with it had he lived where I live, though.
I wonder if anyone has actually been charged based on malicious open source contributions. Off the cuff, it seems unlikely -- the person whose computer was damaged would have to navigate multiple jurisdictions and explain something technical to a court, likely as an individual.
The precursors to such a situation don't have to be exceptionally unusual. It could be someone working in a language that is not normally compiled ahead of time and shipped in binary form (e.g. malicious JavaScript). Even if not accompanied by a license, the code just has to use pieces of some open source work so that it is a derived work. That malware author is then effectively a contributing author, whether aware of it or not.
> the person whose computer was damaged would have to navigate multiple jurisdictions and explain something technical to a court, likely as an individual.
Easily done if the person is actually a mega corporation.
Though [re-reading parent] if we are specifically concerned with contributions that were accepted by a non-malicious upstream under good faith and then turned out to be malicious, then that is something else.
1. Not all the content of a warranty disclaimer holds in all legal jurisdictions. Giving people free stuff doesn't absolve you of liability for harm. Not everyone who uses some open source thing is aware of it; it may have been installed by someone else.
2. By open source having "more of a focus on getting paid", what I mean is that the term was taken over and capitalized as Open Source by some people in the 1990s who wanted to distance themselves from the GNU project's rhetoric about freedom in order to emphasize the commercial viability of free software development. They formed something called the Open Source Definition. It's fair to say it has more of a "focus on getting paid" than free software in the GNU sense.
3. Not all money for work on open source is donation. People working on it sometimes get regular salaries. Customers sometimes pay for it in the form of commercial products.
4. Chances are high that whoever you buy your phone from does kernel development. Just about the only way they could avoid it would be to license the SoC/board from someone else who does (and then they are almost certainly entitled to support).
> Wait; I'm not even entitled to software not doing anything blatantly illegal on purpose, or perpetrating a privacy violation without my knowledge and consent?
Tor is an open source project and I very well expect that, in some jurisdictions, what Tor is explicitly trying to do... on purpose... would be considered illegal. I expect that the people running the Tor Project know that. I could even speculate that some Tor Project team members are hopeful that their effort facilitates private communication in the very places where such communication is likely to run most afoul of the law. Worse than that, laws are often ambiguous, fuzzy, and contradictory within a jurisdiction, let alone between different jurisdictions.
So what does that mean to the entitlement that open source software does nothing blatantly illegal? I guess you can claim it, but I wouldn't expect much to come of it even assuming the project is being run with good intentions, nor would I count on it matching my expectations for same. I think it's better to not only discount legality as an entitlement, but not even hold it as an expectation. Legality is a decision point for the potential user, not a user entitlement the developers are duty bound to deliver to any one user.
> Tor is an open source project and I very well expect that, in some jurisdictions, what Tor is explicitly trying to do... on purpose... would be considered illegal.
But that's something the user wants, as a feature. It may be the user who is deemed to be doing something illegal.
The only thing to which you are entitled–by definition–is access to the source. It is your responsibility to verify what the source does.
The "getting paid" notion is off-topic and has nothing to do with the source being open. If I provide commercial support for someone and implement a solution using open source software, I am the one providing the support and I have no expectation that the original authors will hold my hand.
You're not even entitled to have access to the source.
If the repository is down, or if you don't know how to use git and demand updates be sent to you as zip files by email - your demands mean nothing; you are not entitled to be given access to the source code.
You have _permission_ to use it in some license limited way and that's all.
If you _use_ open source code (ie. as part of your product), you may be _required_ to also provide source code, attribution etc.
That depends on the licence, though. GPL3 requires that obtaining a license should not be harder than obtaining the binary distribution. If you use some kind of obscure version control system for your source code but link the binaries in your website, you're entitled to the source code in a similarly easy way.
The developer could exercise their rights and insist on sending you a DVD with the source code on it (and make you pay for materials+shipping) but throwing up difficult burdens is clearly forbidden by the GPL.
Some more extreme licenses grant you, as a user and as a developer, a lot of rights, but also a lot of burdens. I don't think the stricter ideological licenses such as GPL are used much by people who distribute their own code and then decide to make life difficult for their users, though. It's likely that the only cases where this rings true are people relying on GPL code that then want to avoid fulfilling their obligations to their customers.
Most free software licenses don't concern themselves with use, except that they may make it clear that use is not restricted in any way. A license that restricts use in any way is probably not free.
> you are not entitled to be given access to the source code.
If you're the user of a binary image someone spun from a GNU licensed program, actually you are entitled to that; if it is the Affero license (AGPL), you may be entitled to source code access even if you just use the thing as an online service. Specifically, you're entitled to access to the source code of the modified version that you're actually using.
> If you _use_ open source code (ie. as part of your product), you may be _required_ to also provide source code, attribution etc.
That's redistribution. If you redistribute some kinds of open source code in a product, you may have to provide source code, and that's even if that code is never called. The presence of that code in the image is the key thing, not whether it is used. Use occurs on the target system, by the end user.
That "we" which refers to "you" may be talking about that; I'm talking about nothing other than the claim that users have no entitlements of any kind whatsoever.