> If log4j2 is responsible for your company's success, you have a moral obligation to donate to the person who creates this library thanklessly.
This is false. Free software is given away by those who produce it. When you receive a gift, no moral or ethical obligation is created.
This idea that you can do things with free software that are contrary to the spirit (such as create a profitable company around it and not pay the original author) is a false one. It is free as in beer, too.
You don't owe anyone anything when you receive a gift freely given.
> This is false. Free software is given away by those who produce it. When you receive a gift, no moral or ethical obligation is created.
The ethical obligation is to your own users: you should be making a reasonable good-faith effort to ensure that your software's dependency projects are healthy, as a transitive consequence of ensuring the health of your own software project. This has nothing to do with the ethics of accepting a gift, and everything to do with professional ethics (which raises the debate of whether writing software should be a profession).
Arguably, the dependency projects also have a similar obligation, or at least the obligation to make the health status of their project explicit.
Does that also mean that it is morally OK for the author to backdoor their code or sell zero days they discover in it? A direct reading of the license says there's no warranty so they have no grounds to complain, right?
Yes, I would say it does. It expressly disclaims even fitness for a particular purpose - if you don't read it, it could very well be example backdoor code.