Raise prices to extremes for oil- and gas-producing allies through regional uncertainty, bomb infrastructure to keep them high, encourage Israel to keep doing what Israel does, flooding the EU with asylum seekers.
He's padding his own pockets, crippling the EU's and continuing to centralise influence around himself. Pretty typical megalomania. Y'all voted for this. Twice.
Giving people food for free (without a written contract) but poisoning them in the process will leave you in hot water with the authorities. Why should software be different?
Trying to answer what I think is the most reasonable point you’re trying to make: supply chain extends beyond you and your actions.
What if you were distributing food, and a farmer who supplied rice to one of the manufacturers of the components of your food grew that rice on a field that was contaminated with arsenic?
If you get bad food, who are you going to blame? Very likely the person you got the food from, not going up the supply chain like a detective.
Well, actually you ate poisoned food made by someone else, which had a similar-looking name (typosquatting).
Who is responsible here? The one who wrote the code?
Poisoning is intent. If I leave a cup of some liquid with a clear warning that it has not been tested for being drinkable, I don't think that I'm liable for you being poisoned when you go and drink it. Especially if I do not sell drinks. Of course, there are regulations about safety, but they are mostly about when you're at risk of being harmed while I use my tools for myself. They're not about you ignoring warning labels and getting harmed.
No one is selling anything. A lot of OSS projects don't even distribute binaries, only code tarballs. If the risks are substantial enough for you to worry about, you take the source code and review it. Then you run it if it's satisfactory.
Let's take npm. The postinstall scripts and auto fetching of dependencies have always been seen as problematic. So plenty of warnings beforehand, but people chose convenience over security.
Debian's package management has the same features (postinstall scripts and dependency management). But the risks are lower, mostly because your main targets would be a core group of committers, which I'd like to believe is more conscious of security risks. And there's a lot of review before binaries are built and made available in a stable version. And I'd also like to believe popular packages like nginx, curl, coreutils, postgresql, ... have a lot more eyeballs on them.
Your analogy breaks down outside of an industrial food safety QA'd supply chain. What you're calling "poisoning" is what in industrial Food Safety is known as "introduction of an adulteration", where an "adulteration" is defined as an undesired addition of an ingredient to a food producer's standard recipe.
In the context of commercial food safety, we can have your discussion. Outside of commercial activity, you are accepting all risk with consumption of home-baked goods. There are no guarantees around cooking area cleanliness, hygiene, status of ingredients, cooking methods, or any of those things. No legal system will give you standing to levy an action against someone in that case. Especially if, ultimately, you elected to use that code/eat the treat. Now, if you can prove mal-intent (they made a batch of brownies, other people ate brownies, but you specifically got sick after being served a sample by the individual), then you might get some extra attention, but that has a much higher bar of proof.
So yes. If you get the one bad brownie out of a batch I cook in my kitchen for the potluck you ate at knowing the risks, that's on you. I'd be mortified personally if it happened, but in all likelihood it was accidental. You aren't paying me, and I'm doing it because I want to, but everyone does ultimately accept some risk.
Same goes for physical manufacturing supply chains too! QA is WAY more strictly enforced through contracts and vendor agreements with pre-defined, agreed-upon, and often voluntarily entered into audit processes defined in mutually entered into contracts. It's the QA group's task at a step of the process to audit inputs for conformity to agreed-upon Quality Standards, to assure and guarantee through Quality Control that the specs are met for the next link in the chain, and to be audited for such compliance by the QA group at the next link in the supply chain. The key here is a shared, compelling, and formalized commercial interest, solidified through shared investment by all parties in the chain. That does not exist in FLOSS. The vast majority will never pay you, or enter into any supportive relationship with you. In fact, most code is written to the standard of "I know how I'm going to use it". If I'm not dealing with the OWASP Top 10 or what have you in my context, I'm not making my code handle it. Not my problem. I also don't have guilt sharing it either. If you use it in a way that is dangerous to you, that is on you.
If this angers you, fine. But while I personally understand where you are coming from, I've been around long enough to know that it is absolutely the case that if you want a baseline duty of care to everyone who comes across this product, regardless of the purposes I designed it for... There will be no more shared code. Nor will we share specs either.
Furthermore, Iran is a mountainous country. Bombing Iran is as pointless as bombing Germany in 1944: everything important was underground, and it did nothing to limit the industrial output of the enemy.
Beyond the recognized "Formulas" such as Formula No. 40-B, there are a number of other "flavors" of denaturants, pages of them, starting at section 21.91: