My employment contract states that I am an at-will employee, so my boss could technically fire me because they didn't like my haircut. If they were to _actually_ do this, I would certainly be slighted by this, probably post about it publicly and forewarn others against working for them, although they would not have violated the letter of the contract nor my understanding of its literal meaning.
What is the social context in terms of open source software and licences?
> so my boss could technically fire me because they didn't like my haircut. If they were to _actually_ do this, I would certainly be slighted by this
If we translate this to the log4j scenario:
log4j says there is no support or warranty provided in their licence, however if they _actually_ do not provide support or warrant, you would be slighted by this.
To me this does not sound fair at all. Your boss at least pays you for your time as part of your contract. What do the log4j developers get for their time? Absolutely nothing. Yet it is expected they should provide support even when the licence says they won't? That just comes off as entitled.
Right, and I disagree with that post in this sense: there is a social expectation of fitness for a purpose that cannot be disclaimed with a license.
Many projects under licenses providing no warranty are nevertheless of high quality and well-maintained. Making the category in question precise is difficult, but it includes log4j. Projects by organizations such as Apache and eminent individuals like Bellard or Valsorda fall in this category. There is therefore an expectation that if you are such a project, yet unwilling to hold yourself to that standard of quality, you should make it clear for your users. Using a license with a no-warranty clause does not achieve it because it is not a distinguishing factor. The license, of course, protects from legal liability and so on, but no one is talking about legal matters here -- only about whether we should be collectively unhappy with the log4j maintainers.
The reason for this unhappiness would not be that they aren't willing to donate more of their time, but that their stewardship of the project is poor. Vulnerabilities are found in FOSS all the time; this instance was special because the misfeature in question was an egregious inclusion in the first place. It appears to be not a case of lack of time for review, but a lack of sense to say, "no, interpreting strings after formatting is insane and will never be part of this library." Obviously, they are entitled to include whatever code they want in their project, but some code is incompatible with it being useful -- if they do not aim to clear that bar, they should make it clear, because others in their position do.
I would say that something like opening your README with "this is not a serious project, you should not use this in prod" would be reasonable. This warning needs to be front and center and explicit, not merely stating "we are unpaid volunteers" or similar. There is precedent for this. Yes, some ignore such warnings and complain -- as long as this verbiage creates a useful distinction, such people are wrong and we should ridicule them. This warning would stand in contrast with the great many projects which aim to be fit for a purpose in practice, such as Postgres, Linux, Blender, etc. Obviously, such projects are usually better funded than log4j -- making it clear that you're not funded well enough to dedicate much time to the project is an important part of this warning's content.
To continue the workplace analogy, I would be the unreasonable one to complain if the company specifically warned that they were significantly more trigger-happy than the normal company hiring at-will.
There is no such context. The licence specifies clearly and completely the terms of use. You cannot handwave an unwritten "social context" into existence that adds an obligation to the creators that their licence explicitly refused to accept. What you get, of course, is the actual source code.
It's understandable that you would assume such a spurious obligation; human history is full of references to such obligations, up until the age of Big Data, which is when we realized that most of these assumptions were false. It's been a painful time for all of us.
In fact, the actual obligation is yours, if you decided to use this logging library. Seems there was a severe vulnerability in the code. It also seems that the people who responsibly forked the code, ran their own security audit, discovered the vulnerability and then patched it decided not to make their contributions known to the general community of users of the software. They, if they exist, seem to be acting as if no obligations exist with respect to the code they acquired.
Speaking of assumptions, your proposed actions regarding your employment assume that your boss was obligated to tell you the reason your contract was terminated. Again, no such obligation exists. They can't fire you out of disgust for your Satanism, or because of your Inuit heritage, or because there are ambiguities regarding your gender. Luckily for them, at-will employees can be terminated, well, at-will, so there is no need for them to specify that it was not, in fact, because of your quite stylish haircut. Your public postings might in fact earn you a letter from the legal department, since you have no way of knowing the real reason was that you downloaded logging code onto mission-critical servers, and lacked either the inclination or capacity to verify this internet code, and then, when asked about your decision to do this thing, you quoted an imaginary "social context," an unwritten, unknown construct, that in this case silently tacks on the term "users of this library will receive free, unpaid support in perpetuity," which functioned exactly like Adam Keynes' "invisible hand," that is, some rationalization to absolve you of the responsibility for explaining problematic aspects of the mental model used in your decision making. This was a vast surprise to the administrators of your company, who, understandably, know very little about logging libraries, which is why they hired someone to provide the required functionality.