
That is for the lawmakers to decide.

If someone gets run down by a bicycle that a hobby repair shop failed to fix, it doesn't matter that it was done for free by a guy that learned to repair bicycles during late nights.



The hobby repair shop can only be liable for a very small number of bikes, those they worked on. You cannot restrict the number of users of free source software, and you cannot restrict the user's risk profile. Like "good enough for an offline arcade game, but nothing else". Analogies have their limits.

But yes, lawmakers will decide, and given that they for instance try to de facto prohibit aftermarket OpenWRT installs, I have a guess how they would decide.


Sure and so what?

The company selling me a car is responsible for validating the security of each piece they got from a third party, and a restaurant is responsible for taking care of the quality of the food it buys from the local bazaar.


This is a completely unrealistic demand of software and security. I am really surprised by Snowden's arguments here.

The lawmakers cannot make the internet safer by one bit. Technical experts can, and lawyers would dream of having leverage against them. They should be denied.


Nope, it is a matter of applying the same liability processes that are already in place for high integrity computing and enterprise project deliveries.


I deliver software for enterprise and there is no such thing. I even develop software for medical appliances that have an extended software validation process.

It is about minimizing risk and it is a process that acknowledges that risk cannot be removed completely. It just forces you to work carefully and eliminates neglectful practices.

No serious developer will ever commit to ship software free of bugs. On the contrary, that would give people false security, which can in turn lead to further neglect.


People like Simon Tatham and Kurt Roeckx, however fallible they may be, are doing a much better job of deciding how software security should work on the internet than Nancy Pelosi and Mitch McConnell would. The question is not how we can give more power to Nancy Pelosi, Mitch McConnell, Amazon, Google, and whoever the Trump voters vote in as the next president, to regulate Sci-Hub, BitTorrent, Bitcoin, WikiLeaks, DeCSS, Matrix, GDB, and OpenSSL; the question is how we can take that power away from them.

When the wise must obey the commands of the foolish, disaster ensues.



