
They're not blaming anyone. Objectively there was a bug in that library that caused the problem.


They're not blaming, legally speaking. But they're communicating that open source software caused their outage. OpenAI chose to use software that explicitly came without warranties, and are legally solely responsible for problems caused by open-source libraries they choose to include in their product.


I understand where you're coming from. But there is certainly an audience for this kind of post that would like to read about the objective source of the bug without connecting it to some expectations around responsibility.

I read this post, and I don't see it assigning blame to anyone other than themselves. See this bit copied from the post:

> Everyone at OpenAI is committed to protecting our users’ privacy and keeping their data safe. It’s a responsibility we take incredibly seriously. Unfortunately, this week we fell short of that commitment, and of our users’ expectations. We apologize again to our users and to the entire ChatGPT community and will work diligently to rebuild trust.


The questionable part is saying "open source". They refrained from naming the library, which is good; but then why bring up that one fact about it right after?


The facts could be more clearly stated by refraining from stating open-source software as the cause.


Why mention it is open source then? What does that add?


"there was a bug in an outside library that we used" does not mention open source but has the same meaning, and would probably provoke the same complaints ("they're trying to blame somebody else for their problem").

In that case, though, they could say "look, we used a popular open source library because we had more faith that it would be better tested and correct" which would be a compliment to open source. That's essentially the information that we have.

In today's world, who builds anything from anything close to scratch? Embedded developers probably come closest. It's no worse or better to say "there was a bug that our release uncovered." If they continue to announce as many details as possible, we as the audience can develop a sense whether they're creating bugs or just uncovering bugs we're glad to know about.


I think it's fair to mention the bug originated in redis-py, but I don't find it relevant at all to mention «open-source» in the opening line of the public statement about the outage. Or «outside library» for that matter. It was ChatGPT release QA that failed, and then they failed to admit it.


"given enough eyeballs, all bugs are shallow" is a compliment to open source, and telling your users that you use open source is a positive reassurance on other dimensions as well; it's relevant, and the truth is always relevant; there's no harm in mentioning it.

"Release early, release often" and "move fast and break things" are respected ideas that diminish the importance of QA. The more effective and efficient any QA you do is, yes, very valuable, and QA that finds broken things, all the better. But don't move slow is an OK compromise.


It might have been redis-py originally, and someone at public relations advised replacing it with something more general so that it would sound nice.


On the other hand, why overthink it?


Why not mention it? What does mentioning it subtract?


«Open source» was in the opening line of the statement as if it was something to blame.



