
Practically speaking, I'm going to assert that there is no team of developers, let alone single developers, who are capable of taking on both the burden of their own software and the software that they import. I simply cannot imagine even a whole Fortune 500 company supporting their own business logic written on top of Spring, which includes log4j and a whole host of other open source dependencies.

And what's the commercial alternative? I'm personally not aware of one.

Also, the liability thing is a grey area - it works for the US (mostly; Tornado Cash is currently testing these waters) - since there are open issues with developers of "questionable" software traveling to some countries. Heck, even the US has pulled some OSS developers aside at customs because of their work on OSS projects.



> I simply cannot imagine even a whole Fortune 500 company supporting their own business logic written on top of Spring, which includes log4j and a whole host of other open source dependencies.

> And what's the commercial alternative? I'm personally not aware of one.

There's commercial support for Spring:

https://spring.io/support

https://tanzu.vmware.com/support/oss


Wouldn't you have to start with the JVM? Or possibly with the Linux kernel?


Not necessarily. If you _purchase_ software that includes the guarantees that you desire (e.g. of correctness, fitness for purpose, and support), then you don't have to maintain the entire stack yourself.


Even if you purchase the software from a commercial vendor that doesn't mean that the vendor will indemnify you for damages caused by their failures, or that they have sufficient financial resources to pay for such damages (counterparty risk).


At that point, just buy insurance.


What about the hardware? Who will take on liability for Row Hammer [1] vulnerabilities? What about Meltdown [2] or Spectre?

[1] https://en.wikipedia.org/wiki/Row_hammer

[2] https://en.wikipedia.org/wiki/Meltdown_(security_vulnerabili...


Rowhammer when it first came out, or rowhammer today? I'd say any memory made in the last five years that doesn't properly implement Target Row Refresh should put liability on the manufacturer.



