I did setup the question in a way that the developer doesn’t harm someone themselves but sells it to a state actor. I.e extremely similar outcome to finding a zero day and selling it to a state actor except it is “more” secure - need private key.

The point about MIT is that they are saying to the world when publishing “as is” folks. Not claiming I haven’t backdoored it for Uncle Sam.in fact I’m not claiming anything, use at your own risk.

It used to be the law to implicitly do this by weak encryption for exports.

> that the developer doesn’t harm someone themselves

The harm in question is causing the backdoor to be inserted in the first place. Its irrelavent what else you do, like selling it, although that could be a separate crime.

> The point about MIT is that they are saying to the world when publishing “as is” folks. Not claiming I haven’t backdoored it for Uncle Sam.in fact I’m not claiming anything, use at your own risk.

Just because you think that is what those words mean, doesn't mean that is what those words actually mean.

> It used to be the law to implicitly do this by weak encryption for exports.

Not comparable. Even now, the MIT license would probably protect you from any consequenes of using super weak encryption. It would not protect you from the hypothetical you setup. They are very different sutuations.

Selling to a state actor is also likely to be illegal depending on the conditions of the sale and who the buyer is.

There's a great South Park episode about this, titled "Human CentiPad." Not for the squeamish.

That's exactly right. Imagine a license that said "...and I can come to your house and kill you if I want to." Even if someone signed it in ink and mailed a copy back, the licensor still can't go to their house and kill them even though the agreement says they can.

I can imagine the case of maybe a "King of the Hill"-type game played on bare hardware, where you're actively trying to hack into and destroy other players' systems. Such a thing might have a license saying "you agree we may wipe your drive after downloading all your data", and that might be acceptable in that specific situation. You knew you were signing up for a risking endeavor that might harm your system. If/when it happens, you'd have a hard time complaining about it doing the thing it advertised that it would do.

Maybe. Get a jury involved and who knows?

But somewhere between those 2 examples is the xz case. There's no way a user of xz could think that it was designed to hack their system, and no amount of licensing can just wave that away.

For a real world analogy, if you go skydiving, and you sign an injury against waiver, and you get hurt out of pure dumb luck and not negligence, good luck suing anyone for that. You jumped out of a plane. What did you think might happen? But if you walk into a McDonald's and fall through the floor into a basement and break your leg, no number of "not responsible for accidents" signs on the walls would keep them from being liable.

> For a real world analogy, if you go skydiving, and you sign an injury against waiver, and you get hurt out of pure dumb luck and not negligence, good luck suing anyone for that. You jumped out of a plane. What did you think might happen? But if you walk into a McDonald's and fall through the floor into a basement and break your leg, no number of "not responsible for accidents" signs on the walls would keep them from being liable.

Even this is a bad example, since it is just gross negligence and not intentional. A better analogy would be if mcdonalds shoots you.

I use to go to the In-N-Out in Oakland that just closed. That was a possibility, believe me.