It doesn't hold at all. Open source licences usually clearly state that there are no guarantees. The contract is clear and log4j (or any other) authors don't owe anything to anyone. If you want guarantees, pay for it.
This is the same blame the victim line of thinking that cigarette companies perfected to get out of any responsibility for killing millions of people. It’s a Dark Pattern and we need to stop repeating it.
This notion that people don’t “have to use OSS” is demonstrably false. As is the “build a better mousetrap” aphorism that was so common during the dot com bubble. It can be true when there is one OSS tool in a space, but every tool eventually becomes a monopoly, or part of an oligarchy. There is not space in a grocery store for an infinite variety of soda (though by god do they try). There are many you will never have heard of because the noise ratio has climbed too high. Every. Single. Solution is an opportunity cost.
Same as if all of my friends try to throw a party in the same week. Nobody is going to all of them, and most people are only going to one. Some might not go to any for fear of picking wrong, and just opt out and do their own thing. If they go to the worst one then they missed out on a good time. That is partially on the host, yes. I don’t owe you an amazing time, but I owe you a not awful one.
I can’t sell a tool that minifies JavaScript files. That is a commoditized space. If all the tools suck? I’m entitled to be a little upset about it, and who are you to tell me otherwise? DevEx matters and many people still don’t try, at all.
No one in this thread mentioned licensing or legal issues.
As an edge case, consider a CLI that solves a trivial problem but also turns the computer into a space heater via an always-on service. It will rightfully damage the author's reputation with the users and they'll avoid using that person's code again, but they won't sue of course.