Free Software at Risk Under Lemon Law
mpawlo writes: "Newsforge published a piece I wrote on a lemon law for software. That is - what would happen if shrinkwrap limitation of liability clauses would be banned? I think Microsoft and the GNU Project would both suffer."
I love this little quip:
"We all know that the open and distributed model for development described in Eric S. Raymond's book "The Cathedral and the Bazaar" is much better and creates more reliable products than any closed non-distributed development model. "
I'm wondering if the author can substantiate this claim with facts.
This is the primary problem with Open Source advocacy, it relies a lot upon blind faith.
Really, people, this guy's got a great point. Perhaps that last bit was unnecessary, but the rest of the post is rather insightful, IMHO.
IANAL, but since open source software is just that, open, a very good case could probably be made that if the person really wanted to, they could just read the source to verify that it works properly...If it then doesn't work as "advertised" it is their own fault. The GPL can use this, Microsoft cannot. The GPL wins. Just a thought.
huge difference (#13146)
by Anonymous Reader on 2002.05.11 13:21
I am not a lawyer (thankfully), but I do know that if I pay for something, and it fails, I am entitled to compensation. If it fails from negligence or designed error, then there can be punitive damages. But let's examine the case of a Linux/BSD web server, running Apache, MySQL, and PostNuke.
To be safe, I download for free a non-commercial Linux such as Debian, or FreeBSD. I might be mistaken, but both are developed by groups of people, and anyone is allowed entry if they are competent enough coders. But a group is not a company. The whole corporation/private/public/IPO thing. I acquire, freely and legally, a copy of their work. They might have benefactors and patrons, but that isn't the same as employers.
So I download Apache, MySQL, and PostNuke. All fall under the same category. Maybe MySQL doesn't, then just replace MySQL/PostNuke with Perl/DBI.
So now a huge bug develops, a hole so large, it had to be coded in Redmond. I lose all my data, my competitors get my secrets, and I'm on unemployment line next to Enron execs. Who do I have to blame?
Let's see, someone or some people worked on a project that was supposed to do some particular task. They made it freely available, source and all, so that others might work on it as well. They made no claims about its security, stability, etc. Others may have, but they did not misrepresent the software in any way.
I did not contribute, but I saw an opportunity to use their work. So I did. They received nothing from me, not money, not anything. And, the whole time, the company kept no secrets about the product, and in fact, by making the source available, does just the opposite.
There was no intent to deceive, nor any misrepresentation. By not purchasing the product nor any sort of service contract, I entered into no agreement with the group.
Going in, I understand the risks. I assume the responsibility if problems occur. This is 180 degrees different from microsoft, since they make plenty of claims, and since there is a legal agreement between a company and microsoft, and because they are marketing a product with known liabilities.
No, free/open source software doesn't stand to be shut down, rather it stands to gain tremendously. The problem is for companies like RedHat which sell and service open source software. So, from the commercial standpoint, it hurts linux companies who don't have billions to spend on lawyers, like er um, microsoft. But it doesn't hurt open source software.
rob mandel
^^^----- Posted anonymously here
Computer programs are not material goods and cannot be dealt with in the same way consumer advocates want the legislature to deal with cars, electric appliances and toys. Computer programs are developed incrementally, and the users are always used as dummies.
In fact computer programs are very similar to material goods. (Not like in "Volkswagen Beetle vs Microsoft Windows", though.) Users of cars, electric appliances, cellulars, etc. are also used as dummies in a sense. Money is what counts. If you pay for something, you can ask something in return. (Read: Liability)
I guess companies which _sell_ products or services, like Mandrakesoft, Redhat and Microsoft, will suffer a lot, whereas groups such as Debian will not.
The legislation would skyrocket production costs for Microsoft if the company were forced to release foolproof products.
Why would this happen? Car manufacturers used the same "skyrocket production costs" argument with the lemon law with cars. But it just doesn't mean that everything needs to be perfect. Instead it just ensures some basic quality control such as practiced in Japan.
As for free software, it would just mean that some of the legal entities that support a packaged product (i.e., Red Hat) would be held to the same standards. IANAL, but if the FSF says 'this isn't a complete product' they can't be held liable any more than a tire company could be for some idiot putting the wrong tire on their car.
I think it's a statistically provable fact that you can never find and fix all the bugs in a software program. I find it hard to imagine this "panel of experts" from the National Academy of Sciences want to enact legislation that punishes a software maker for all bugs. While I can understand the frustration from using software which advertises itself as "secure", "compatible", or "reliable", and perhaps punishing companies which are blatant about bad software, I cannot agree that we should allow a company (or any producer of software) to be liable for flaws in their software.
Does anyone have the original recommendation made by the panel?
While I don't favor turning the sharks loose on software companies, it is obvious there NEEDS to be some sort of liability and responsibility for bugs.
Some sort of "lemon law" that would REQUIRE the publisher to either correct bugs, and distribute patches for free, or else refund the purchase price IS needed.
What needs to stop is companies like MS being able to leave gaping holes in their products, then correct some of them, and releasing them as "upgrades", ala Windows 98 SE and ME... Those were not really "new" OS's, they were service releases that increased the stability of `98...
In all honesty, the commercial software publishers have brought this on themselves. Sure, MS distributes patches for free for the worst holes (ala, the ones that make Code Red, Nimda, and Klez work), but the fact is, they let their products LEAVE the house with those bugs in the first place.
I see bad consequences for free software out of this, created for it by the closed source companies. Perhaps there can be an exception written in for companies that release source, and in effect, have industry wide peer review of their code.
Eventually, if such a law isn't passed, sooner or later the sharks are going to class action sue and crack away ALL such limitations in the EULA's.
There is too much money and lost productivity happening right now due to software defects.
What we need is a defined list of responsibilities, passed into law, that can't be EULA'ed away.
=== The price of freedom is eternal vigilance
"we need a lot of the IT equivalent of crash test dummies"
It's called QA.
This is another advantage that non-free software has over free software (the first being that they can afford the lawyers to handle the claims).
QA doesn't find all the bugs, nothing can, but it finds a lot.
I wouldn't be surprised that if a company can demonstrate to a court that it has a rigorous QA program in place then liability might be reduced (N.B. I am totally unfamiliar with product liability). I would be more sympathetic to a company which can prove it tried as hard as it could to find bugs than one which just released a product and let the users find them (as the article suggests happens).
Imagine, if there had been lemon laws in place on software from the start. The early software that some companies produced may have put them out of business. Imagine if Microsoft's MS-DOS ended up costing them money. They didn't start out with much, and they would have folded up before anyone had ever even heard of Windows. Imagine what something like that would have done to the computer industry. Yah, a lot of us don't like MS, but you have to admit, they've helped sell a lot of computers. If not for Windows, or another similar OS at a somewhat decent price (debatable I know), then where would your PC manufacturers be today? Would anyone but geeks have a PC in their home? Would the average end-user buy a $4000-5000 box that they have to blow another $1000-2000 for just the operating system?
And what about the other end of the spectrum? Businesses lose enormous amounts of money if their servers go out. Would IBM be around today if they lost a bank a half a billion dollars every once in a while? Or would the businesses even buy something that would cost 5-10x or more over what they pay today? Just ask your IT manager how hard it is to get his budget.
And yes, Open Source. People writing code for the common good. Like losing the Good Samaritan laws, people trying to do nothing other than help would end up bankrupt, in jail, or worse. Besides, it's not like most of them are getting paid, or have any other incentive to write code for hours on end.
No, Lemon Laws for computer software would be bad for everyone. I'm not sure that even MS would survive the consequences. Though I feel that a company should be liable for gross negligence. We're not gonna sue MS for my server crashing, but I'd like to if it got hacked and destroyed because of a gaping security flaw. At least give me my money back.
1) The negative PR generated by suing an individual or small group could only hurt the plaintiff's own revenue.
2) The amount of damages a company would recover from the open source shop would not be worth the effort involved in suing them.
So in the end, Free and Open Source software will come out the winner.
If Bill Gates had a nickel for every time Windows crashed... Oh wait, he does.
Neither the federal government nor any state has ever had any sort of warranty/liability law that would affect gifts (transactions involving no payment or consideration), unless the defect was willful and intentional (ie trojans). There is no negligence protection for gifts. I highly doubt that any such software lemon law would break with this ancient precedent.
The GPL clause disclaiming only nondisclaimable warranties exists solely for severability purposes; the "unless prohibited by law" clause appears in almost every warranty disclaimer.
Of course, since those sitting in government are bought and paid for, this means that free software development will have to go underground.
Don't hurry to modify me as a troll, but listen up. The whole point of this law is to cause software developers to pay more attention to the software they develop and especially QA it. If there is a Hospital or a government database running on software that fails, the developers SHOULD be prosecuted by LAW for this.
The only little detail the law is missing is that people should be expecting what they pay for. If you pay hundreds of thousands of dollars for lots of software licenses that is meant to be run doing mission-critical operations, the developer should be held liable for his work, because he's getting quite a sum of money. This shall not apply to Free Software, since it's duh, FREE. You don't go around asking for support for a 10-year old TV set you got for free from a friend.
Does anyone even know for sure what exactly this law looks like? How many revisions is it supposed to go through?
No problem, just blame the crash on the library developers and kernel hackers.
Even assuming that such a "lemon law" could be passed (which is, to my mind, a dubious proposition in and of itself), it wouldn't affect Free/Open Source Software (or even proprietary freeware) at all because there's no contract between the author/distributor of the software and the user.
While IANAL, I did consult one about this once - when you give something away, you have no obligation to the recipient. Specifically, the recipient can't sue you if the product is defective in some manner.
Since I download my linux isos.
Alternatively countries who do not accept these agreements can have hardware without copy protection - if only a few countries require it they will not get the up-to-date hardware. They will fall behind and the countries without the legislation will be able to use the most powerful computers. Suddenly the US will not have access to a computer more powerful than a Japanese games console.
Would you prefer to design a working chip or a crippled piece of crap which somebody can imitate and it's your fault. Or companies get sued when their server is hacked and someone puts a system onto a FPGA to access the secure content.
Besides isn't it discrimination to say because you can't afford a computer 5 times as expensive to play a Hollywood movie because a resistor is on a circuit board (nice margins for a 10K SMD resistor!!)
OK so what happens when you try to use the microchip on a military system in an area where it was not approved to be used by Columbia Pictures the M1 tank sight won't work!! I know tanks are steel coffins but that's taking the P*$s
Even better the NSA and the line in the US will have to have chips without the protection otherwise it would be impossible for them to crack the systems without it or those implemented to only run on certain machines. So the two families would exist but for a production run of 100 P8 processors without the protection it's so expensive you could have probably bought an ICBM.
Crap legislation will not stop coming but in this case public awareness and buying power (or not for a crippled system) may well win the day if the people are informed!
Besides unless they enforce a system where overnight everything is obsolete how do they intend for a system not to be hacked when there are systems out there which will not comply.
Already we cannot agree on a universal standard for DAB so now each country will need a chip for its different copy protection system. Computers from abroad will be illegal and exporting the protection system to another country would be illegal. So now how long until it's illegal to E-mail another person because you're not in the same DVD zone??
A bit lengthy and tangential but hopefully some of the absurdity will appeal. P.S. it was written too quickly!
I ain't no lawyer. Even with Lemon Laws, there are limits to liability. If I drive my new car off a cliff and now the cup holder fails to hold my cup, I don't really have a case. The same can apply to software. Create use restrictions on that software to limit in what cases liability would apply. Even the legislators would see the wisdom in this and would have to craft these limits into any software lemon law. And if they don't, it will be left to the courts to decide. It will not be one-sided. There will be some semblance of balance.
"The great thing about multitasking is that several things can go wrong at once." -me
Somebody must change
You are the reason I've been waiting so long
Somebody holds the key
Well I'm weary and I just ain't got the time
Oh, and I'm wasted and I can't find my home
Come down on your own, and leave your body 'lone
Somebody must change
You are the reason I've been waiting all these years
Somebody holds the key
Well I'm weary and I just ain't got the time
Oh, and I'm wasted and I can't find my home
The lemon law applies if you have no recourse but expensive repairs at your own expense to a product which doesn't function as advertised.
Granted Apache should serve up web pages and FTP should transfer files and php should work on the server to generate HTML pages or whatever else you programmed it for. AS ADVERTISED...
But, with open source code, you get the source code, you get access to the entire open source community.
With open source, you get to roll your own if you want a particular product to do something nobody ever thought of making that product do.
With M$ or any other canned software company, you'd better be able to convince them that it's in their interest ($) to provide it.
With open source, you get to take out features you don't want in the product.
With M$ or any other canned software company, you're fucked. Features NEVER disappear regardless of how stupid, downright bug-ridden, security hole prone or outright nefarious they are.
GPL'ed software comes with the source. Feeling screwed? You can DO something about it.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
... their lightplane industry before inventing any new product liability laws.
It got so that anyone who flew whilst drunk and crashed a plane that he hadn't maintained for years could sue the manufacturer for many millions with a fair chance of winning. And even if the manufacturer won their legal costs would wipe out the profit on many aircraft. So basically the US lightplane industry closed down. (It has since started up again, as a shadow of its former self, following some law changes.)
OK, that didn't affect all that many people. Closing down the software industry would be a different game altogether.
Let's say I write some super-important thing using the ABC and XYZ toolkits. My program fails and bad stuff happens. Do the people suing me have to prove that it was my code, and not in ABC or XYZ, that failed? Do I have to prove that it was not my code? And finally, how the hell could you prove something like that, anyway? [Especially if it was not repeatable - what if it was the OS, or the hardware, or something else entirely?]
I really don't understand why this is called a lemon law, actually. A car that's a lemon doesn't work, or works for a while and then throws a rod or something. I don't quite see the analogue between that and software.
In fact, someone mentioned a web server dying at some important moment, and the users of that web server losing a lot of money (ebay or amazon or something). Does this qualify under a lemon law? If I have to get somewhere important, and my car doesn't start, can I actually sue the makers of the car?
This law will force application developers to license their work for some particular computer configuration. If a user decides to install or remove any application on this computer the warranty will be nullified, similar to how removing the cover from your TV set nullifies any warranty supplied by the manufacturer of this TV. So the question is: Would you really like to have a computer where you cannot install any other application but the ones installed by the manufacturer? In fact this can bring a new type of license, the same one which comes with a used car, you know, "AS-IS, NO WARRANTY".
I think publishing the source should allow the disclaimers to be in force. MS does publish the source to some customers, and GNU to everybody. With the source you can (in principle) verify the functionality and absence of backdoors, and you can (in real life) fix problems yourself instead of having to wait for a Service Pack or other official upgrade.
That should permit the current market to proceed without too much disruption, and still allow small companies to market great ideas without risk of getting sued off the planet in case of a critical bug.
I'm in a Unix state of mind.
...is that Microsoft spends a lot on marketing to tell you that their stuff will streamline your business, keep your toilet from clogging, and whiten your teeth while you sleep.
Meanwhile, their EULA practically says that you're better off playing Russian Roulette with five bullets and only one empty chamber, than to trust their software in a mission/enterprise-critical environment. We can't get access to their source code to check it for bugs ourselves, which would shift liability to us if we could do so, did, and then okayed it for use-- we just have to take them at their word, and hope that the server farm doesn't melt down and bankrupt our company.
Free software, on the other hand, is just 'out there'-- it's like finding a still-wrapped condom on the street. Sure, you can pick it up and use it, but if bad things happen, well, how is that anyone's fault but your own?
Liability-eliminating EULAs are an affront to any kind of truth-in-advertising regulations. A software company should definitely be able to be held financially liable for losses caused by failings in its products-- not to a degree that would instantly put them out of business, but a fair amount. Say, equal to their annual marketing/advertising budget?
Let's look at it with the car company analogy. Suppose Ford's commercials said that the airbags in their cars would save you and your family's lives? Okay, now suppose someone dear to you was killed in a head-on collision while driving a Ford. How would you feel if, when you tried to sue, Ford said, "But wait, your loved one agreed to the EULA by deploying the airbag... let me read you this paragraph from it that says, if the airbag does not work as we said it would, we aren't liable."
This law will not do anything more than what market forces do. If companies/people put out bad code with lots of bugs, people will just stop using them and look for better solutions. Hence Linux! We don't need any more laws and the government telling us more what to do.
Many of you are discussing this and saying it doesn't apply to OSS.
Technically, under that respect, it doesn't apply to Microsoft either.
If you buy a used car, and in the next couple months have to put a lot of money into it to keep it running (i.e. a prime candidate for the 'lemon law'), you don't sue Ford/GM/whoever for making a crappy car that no longer works, you sue the person who sold it to you. In effect, you sue the distributor for charging you for a crappy product, not the publisher.
It should be the same with software. Microsoft ships software to retailers and OEMs, windows get sold to consumer, consumer is unhappy, consumer sues retailer/OEM. After this, the OEM will no longer buy windows from Microsoft, so the quality of the product and the strength of the corporation will be indirectly affected, but it shouldn't be directly. If 50 owners of windows sue Microsoft, many will lose as they don't have the resources to beat out a large corporation in a legal battle. If Dell or HP/Compaq stopped selling windows with its PCs because they got a very large bad review from those consumers who bought their PC, it will have a much larger impact on Microsoft and its lines of products.
In this case also, with OSS, the writers would not be the ones who can be sued, but the corporations (RedHat, Hummingbird, Ximian et al.).
It would certainly bring some accountability to the big software development companies. They better provide a secure product. Being crappy and slow doesn't necessarily cause damage except perhaps lost efficiency. But I don't think you could sue over something like that.
But the threat of lawsuits would definitely make companies think twice about securing the software they produce.
And this only means it must be secure to a reasonable degree. Nothing can be completely secure. If some uber hacker wants in she'll get in.
As for open source firms. It may affect the big corporate ones somewhat. But for completely free products, I don't think a lawsuit is very viable. The producers of the product may have very little money to give.
You generally sue someone if they have something to sue for. If it's a non-profit foundation, what can you get?
This is left as an exercise for the reader.
Most open source software seems to be in the perpetual beta state anyway, but if a lemon-law were to pass, maybe the commercial vendors would move toward this as well. Never releasing a "finished" version, just alphas, pre betas, betas, preview editions, release candidates, etc, etc, etc.
If this were to happen, it might actually help the public, forcing the commercial vendors into a system where they actually have to admit that their product is never finished. Maybe then the public would stop shelling out money every time the latest edition comes out, lining the pockets of Gates and company.
"If there is a Hospital or a government database running on software that fails, the developers SHOULD be prosecuted by LAW for this." But what about the hospital or government? Shouldn't they bear a good deal of the responsibility for either selecting solid software, or hiring someone to select such? In what manner is the liability to be limited? If I install RandomLittleUtilityX and it runs fine, and then install BigCorporateAndGenerallyTrustedProgramY and it breaks all over the place but runs fine on computers that don't have RLUX installed, is that RLUX's designer's fault, BCAGTPY's designer's/distributor's fault, or mine? If I write up a quick little utility to do something on my computer and it gets onto other computers through some P2P utility unintentionally and causes problems, should I have to pay for damages?
Think!
That is - what would happen if shrinkwrap limitation of liability clauses would be banned?
Any company without $40 billion in cash to pay for lawsuits would go out of business. Microsoft would rule the world.
The analogy of the automotive lemon refers to a specific instance of a car that has faults. When every single car of that type has a fault it is a design flaw, and can lead to a recall in the extreme cases. Of course in software, there are only global design flaws.
But software systems are complex, and they will always have bugs. And the industry is too powerful to permit a law that would not recognize this and regulate it the same way simpler products are regulated.
All of us who have written software know why we want to disclaim liability, and people who use it know why they accept those disclaimers. It's a hard problem to figure out if there is a middle ground that will satisfy both user and author.
Has it been over a year since you last donated to the Electronic Frontier Foundation
I think this will eventually happen, mainly because Microsoft will see it as a way to get rid of Free Software (Microsoft can afford insurance and the lobbyists necessary to turn the law in their favor).
It makes sense to think NOW about what we as the free software community would want that law to look like.
We'd need it to be strictly defined so that only the distribution vendors could be sued. Makers of say Apache, should never have a non-beta version, milestones, ok, but never "released." Users should be protected from beta versions at all. The distribution vendors, with the wherewithal to test (and responsibility!), should decide whether the package in its current form should be considered releasable.
Debian should probably never release either.
The distribution vendors will become much more careful about blessing any particular component by adding it to their distro (a good thing, since quality will go up). Additionally, they will have to budget for liability insurance. Cost of doing business, welcome to the world outside of the software industry.
The lawmakers and the courts will have to work out the reasonable equivalent of software malpractice. EFF, FSF, Red Hat, etc. will need to lobby to protect the free and open software movement.
Other ideas?
And a question that many, many businesses will ask themselves before considering open source solutions, be they GPL or any other licensing.
I believe open source products are better than closed source proprietary products.
One word. Apache. Most widely used web server.
Two words. Open Office. Yes, not as feature laden as Microsoft Office, but MS has had a lot longer to get to that point. As it stands, Open Office is fully usable and a damned high quality piece of software.
Samba. I've seen it work better than Microsoft's own SMB implementations, and not for lack of configuration on boxes.
And those are 'big' projects, with lots of support. I'd take Apache over IIS any day, same with Samba. If I wasn't on a 56k, I'd be using Open Office instead of Microsoft Office. Why? Quality. Speed. Efficiency.
Big projects.. Everyone expects them to be great and usable. What about all the smaller projects, of which there's a few thousand running around?
I admit, many of them are bug-ridden crap.
But should we look at Microsoft operating systems?
How many programs are commercially available for any version of Windows that don't measure up to even the lowest standards?
I think, for now at least, that open source products have a lower crap to "w00t!" ratio than commercial products. That could change, though, especially with the growing popularity of open source.
Is not & Cannot be subject to lemon laws. Thus, this subject is unimportant except that it means Microsoft is going to go down more in flames than its current slowly waning away.
As long as such lemon laws only apply to purchases, we are fine. If there is a risk that they apply to other contracts or other kinds of software, then we need to lobby to have it changed. Extending lemon laws to free software would also create enormous problems for scientific software, and I suspect the National Academy is probably going to be careful to make the distinction.
With free software, no contract exists between two parties as to its merchantability, express or implied, with the software. In order to enact a contract, there must be some concept of formal exchange. This isn't the case with free software. You take it or leave it, and that's it. It's just like finding a tire on the side of the road. If you put it on your car, and it fails, you can't turn around and sue either the manufacturer or the previous owner of the tire. They may not lay claim to its ownership, but by the same token your taking possession of it does not automatically give you rights. Furthermore, free software isn't a requirement for your life, or a constitutionally-guaranteed necessity. So, unlike free access to public roads and the safety you, there's no need for free software. Sorry, but I can't buy the article.
If sensibly implemented, this would put the burden of responsibility on commercial distributors of open source software. If I download an open source product from some coder's website, there's no transaction, there's no contract, and no liability. However, if I pay $100 to RedHat to purchase the same software, that should be treated the same as if I paid Microsoft for the same, and they should bear the burden of responsibility.
I would even go so far as to say that such a law would be good for open source developers, if not the open source "community" which is full of many leeches. Many of the companies that sell open source software these days are playing the "something for nothing" model; they take open source software that someone else has written, put it in a box, and charge for it, without undertaking development themselves. (See, for example, the controversy over OpenOSX.com.)
This is, of course, a much better business model than conventional software development... they get all of the money for none of the work. These are the people who would be most hurt by product liability laws... and forcing people who profit from the open source community to be responsible for it as well doesn't seem like such a bad idea to me.
This simply is not something we ever have to worry about. I'm sure Microsoft owns enough congresspeople that they could get it laughed off the floor. And they have significant interest in doing so, because they are going to be the first company the sharks go after if something like this becomes law.
:)
Microsoft is our friend here.
Lemon laws require full refund by the seller if what he sold was a lemon. MS offers money back on all their products for as long as I can remember. Not sure about RH/SuSE/Whatever, never bought their stuff.
Why couldn't one limit the maximum liability to, say, 10 times the license / distribution price? So a typical private MS customer might claim some thousand dollars while a company or school (with a single contract covering thousands of machines) could start multi-million dollar lawsuits. Obviously, the risk for authors of free software is then still zero. For linux distributors, the liability might be limited to the non-free software parts (like yast in SuSE) and to the editing process (identification of alpha/beta/production grade software). In any case, big money will only be at stake for companies which make big money.
Ultimately, however, the burden of proof will be where this law fails. Say Windows crashes. Who is at fault? What program were you using when it crashed? Was it Microsoft Certified? What hardware do you have in your system? One slightly faulty RAM chip can cause lots of crashes. Is that Microsoft's fault? Oftentimes Linux will be able to handle the fault better than Microsoft. Does that make Windows a Lemon?
What about drivers, programs with Ring0 access? Giving a program access to the hardware is an inherent liability because it can cause a crash. Then you get into the interactions of various drivers... I've had cases with DriverA running HardwareA and DriverB running HardwareB. There was a crash, and removing HardwareB solved the problem, but so did simply upgrading DriverA. Who's at fault?
Windows, by itself, is actually quite stable. If these laws come about, what would end up happening is that Microsoft would always shove off the blame for a "lemon" on a third party, and they'd have the money and lawyers to do it.
Lemon laws should only affect products which are sold, open source or otherwise.
If I give you a car, for free, with no value returned to me of any kind, I can't be sued under current lemon laws. But if I sell a car, I can. At least in FL.
To me the point of lemon laws is to protect consumer investments. You can't sue someone who gives you a bad gift.
The law would affect open-source consultants and businesses though (i.e. Red Hat et al.)
Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
Haven't you ever seen the phrase, "In no case shall [provider]'s liability be construed to extend further than the price paid for the product"? If I buy RedHat from LinuxCentral.com for $10, I don't think I can reasonably expect to sue them for a million dollars. Can't they explicitly state that I can't?
Secession is the right of all sentient beings.
I'm usually on the "left" of most arguments, but software is one area where the "market" should be allowed to make these decisions. If someone doesn't like a piece of software, go use something else! If anything, bad commercial software being allowed to exist only pushes FS/OSS software usage way up anyhow. :)
The only instance I'd be ok with this is in embedded systems for medical devices, etc, where if stuff doesn't work... people DIE. So in this case, the problems of intervention are definitely outweighed by the possible weight of what could happen if the gov't doesn't stand in. As it is, most embedded systems like this do have a good reputation (if they didn't, they'd cease to exist), but when actual lives are at stake, it's a different issue, so the added weight of punishment for negligence, etc, is acceptable.
The Free desktop that Just Works
How can you be sued for providing information to someone?
If this does come to pass, it'll mark the last time I distribute a binary, that's for damn sure.
If you were blocking sigs, you wouldn't have to read this.
The company for which I work develops custom software. IANAL, but one of the ways we limit liability is through collecting and documenting requirements for the software, and testing that those requirements were met. We also follow a strict software development process, which supports our ability to develop a quality product. By developing this documentation, we are able to pass liability off to our customers. I.e., They have agreed that our software meets their requirements and our tests are sufficient to prove that it does. Now, if we knew our software didn't meet the specification, that is different (usually called FRAUD).
I would think that something like this would work for the larger Open Source projects. If they could have the requirements of the project documented (i.e., what it is supposed to do) and have tests written to verify this, then they may have an out. The problem in M$'s case is that they know of the problem, or their quality process is not sufficient, and do nothing about it.
The dogcow says "Moof!"
Your example of the GIMP is a pitiful one for two reasons. The first is that the GIMP is held up by patents in various areas. The second is that GIMP and Photoshop are not the kinds of products that the article is talking about. Say what you will of the GIMP's features and interface, it is no less dependable a program than Photoshop. I've never heard tales of GIMP users losing critical data any more so than Photoshop users.
Perhaps comparing IIS breakins vs. Apache breakins, especially given that there are more Apache servers on the web (and probably run by more amateurs than IIS admins). Or FreeBSD vs. Windows 2000 vulnerabilities. Or, to be fair, sendmail vs. Exchange (although I'm guessing a lot of people are using things like exim these days). Or how about PostgreSQL vs MSSQL?
These are critical pieces of software that are actually vulnerable to massive data loss. GIMP and Photoshop do not qualify in the same way. Throwing out the term "anecdotal evidence" does not change the fact that if you look at the list, you'll find that more often than not, open software beats or at least matches the security and reliability record of its closed counterparts.
"I may not have morals, but I have standards."
I think any liability laws would unfairly punish smaller companies.
Some people are in favour of Lemon Laws specifically because they dislike Microsoft and think that Microsoft software is insecure. This is stupid and shortsighted.
Deal with Microsoft's monopoly abuses separately. Monopolies come and go but bad legislation is forever.
Create laws that arm consumers with security information. Perhaps a grading scheme where software that doesn't connect to the internet is given an A rating. If it is a client then it gets a B rating. If it is a server it starts at C then for every three exploits within the last year the rating increments by one.
After you have informed the consumer you can let the market decide. If they still use software with a G rating then that's their own problem.
Many people claim these laws would force MS to fix their bugs/security holes...but don't they already? The problem I see is that no one patches. Look at Code Red. The patches for it were out a long time before it hit. If everyone patched it would have been a big non-event.
I say companies should fire incompetent people that don't maintain systems. The last thing we want is regulation in the software industry.
I have. I ran Linux for several years (Slackware first, then Debian later) then switched to FreeBSD when I got fed up with Linux then I finally switched back to Windows 2000. Now I'm using XP and have no plans of ever going back. I just want my computer to work the way it is supposed to -- I don't have time to spend hours dicking around with free software trying to get it to work right.
(Whenever it is time to upgrade my computer, I think I will try Mac OS X though. A friend of mine has a Mac and it is a really nice system.)
I still have a legal Windows-98 partition on this computer,
Let me give you a tip before you embarrass yourself any further... Windows has come a LONG way since the 98 days -- NT/2000/XP are a million times more reliable than the 9x series.
Normally I use Windows when I'm paid to do so.
I am paid to use Unix on servers (Solaris) and I don't have a problem with it, but I'm never going to use freeware unixes on the desktop again.
We did just fine BEFORE there were shrinkwrap licenses. What makes anyone think we will do worse if they were gone again?
Think about it. How many times did DOS crash and how many times did you call up your lawyer and sue?
As for open source software: If you pay $3.00 at Cheapbytes or some other place then, as the lawyers in most places will tell you - "You're getting what you paid for."
I think that, as long as someone can limp by they will do so more often than asking for their money back. Not that that is a good thing. It's just that that is how things seem to work. People don't sue - they just work around the problems in the software or they go buy something else to do their work with.
Why not just add a clause to the law that says if the source is freely available and editable then the author is not liable for damages?
It would protect open source, yet would still go after the companies that write crappy software.
If the software behaves as promised, no liability laws can affect you. Therefore, it only makes sense to specifically promise that the behavior of the program is documented by the accompanying source code. Since source code is the ULTIMATE documentation, there can be no false representation. For free software, this is not an issue because it's distributed with the code.
Ask Microsoft to ship full source code with their products for a full disclosure of what it actually does. Since they're not willing, you have to take their word for it, which is hardly comforting.
leave the licences the way they are, or have no warranty at all, software will survive or die off depending on its merits, with all the BBS & other communication between people the word on bad software will travel faster than good software... P.S. don't read the mainstream AOLish web sites for reviews i bet those are rigged... the way i feel about the choice between opensource (linux) & closed (M$FT) is i rather use OSS, because m$ft's OS & apps have plenty of bugs too & linux people know all OSs are gonna have some bugs to be worked out so why pay mickysoft high dollars for an OS with bugs when i can get linux with bugs free, and linux users don't have that pretence that Windoze zealots have about computer bugs. personally if it was not for other friends & family that are mostly ignorant of linux & would probably crash it, so i keep Win9x on here to keep em out of my linux, at least until i can get them educated in it, already have my niece dualbooting Redhat7.1 & Win8x too :) HappyTrails
All MS has to do is ask these questions:
1) Is all of your hardware HQL approved?
2) Are you running only Microsoft products (if you have a single custom ASP page running on your server answer no)?
3) Are you running the current versions of all software and protocols used?
4) Do you have all current updates and service patches applied?
5) Was/Is your installation completed and maintained by someone who is MSCE for every aspect, component, and method of use for the MS software and protocols you are using?
If you have answered no to any of these questions, you are TSOL.
... what Billy-Borg would think about this? Is it time to give Mr. Gates an interview, /.-style?
--joshua
Such a law would be good in the context of a reformed liability law. Right now if someone is .001% liable they can still pay 100% of the damages. This applies if they didn't know or intend the outcome.
Open Source software can be much like a public park. There should be an exemption for free, public *anything* that doesn't involve criminal negligence. If you don't pay admission, it would be up to you to make sure you don't do anything stupid on the play equipment.
At that point, Red Hat, SUSE, etc. can assume as much or as little liability as they want as they add a paid layer on top of the commons.
Further, Source is stuck somewhere being a device (like a toaster) or a book. If you don't like the ending of a book, or how the cake turns out, the book is in no way defective. If you can't follow instructions, or even if you simply won't, or the instructions are wrong or dangerous, you normally can't sue the author. You can sue if the toaster is defective and is actually an ignition source when used as directed.
An EULA in the usual form Microsoft uses basically declares it to be a device. If I can't read it or analyze it or quote it, but only use it, it is a device and not a book. Also it says you don't even own it (even the single copy as under copyright).
GPL on the other hand says lets discuss, improve, analyze the work, and by the way, you can run it and maybe use it to do something useful (like a recipe in a cookbook). It might be used as a device, but it is still a "book". And I think you could tweak the GPL if necessary to make it legally fall into the same liability category as a book.
Between tort reform, and resolving the device / artistic work dichotomy, I think GPLed software would thrive.
But we do not have wise leaders, and Microsoft sends more money to prevent clear thought on the part of our legislators.
"Computer programs are developed incrementally, and the users are always used as dummies."
Not used as, they are dummies
[alk]
At least for Free Open Source Software.
:-)
It doesn't include "It's free, use it on your own risk, it's not final version"
In general it excludes licenses like commercial, GPL, FreeBSD, etc. as they are now, but it can't exclude open wide beta testing, prerelease promotion. So, with adding to GPL restrictions clause like that, that would define software as such, would be possible to avoid lemon law restrictions.
Software in development never matures to its final stage. Yes, I know people like 1.0, 2.0 etc. But where is the final stage? Simply defining always "Development in progress, but this is what it's done so far", would avoid that kind of law. On the other hand people have no signed contract or receipt to show that as evidence at the court.
I know that in case such law would be passed, I would just make a clause on my web page. "ENTER" if you.... "LEAVE" if you.... Works for XXX pages.
Putting on web page something like that is easy. Here is an example
"Enter if you're interested in this software, but by entering you agree that this software hasn't matured to its final stage (at least out of legal points, which don't allow free software to be passed on in different way, then being treated as work in progress), you also agree that software has provided you with license which defines how this software should be treated regarding distribution, usage etc. just the same as this software would reach its final stage.
Considering legal points passed by "lemon law", this clause and describing maturity state of this software, it's unfortunate necessity for this software being able to be passed on freely."
Of course, I'm from Europe and I'm not concerned with stupidity like that.
Hope somebody is not offended with my bad English...
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
MS should be buying underpants by the palletload, but I can't see this scaring the Open Software movement a lot!
Sent from my ASR33 using ASCII
Rather, I think we might look at ladders or cotton swabs. In both cases, litigation or the threat of litigation threatened the industry, pretty much due to people doing stupid things. I suppose that some of the problems, particularly with ladders, were caused by incompetent manufacturers, but most of the problems were caused by incompetent users. Both industries were saved; ladders now carry excessive safety stickers, and cotton swabs carry bogus instructions.
If we judge existing software by current manufacturing and safety standards, we see that software has a large amount of pent up liability. Combine that with MS billion dollar bank account, a lot of hungry lawyers, and an explosive situation develops. At some point we will have lemon laws for software, and companies will be liable for making excessive claims. Software companies can either moderate themselves, pay out defensive amounts of money, and in general do a better job, or they can make class action lawyers rich. History, so far, teaches us that companies would rather make class action lawyers rich.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Now I don't know if his fears are well founded or not, but I'm sure he had some reason for taking the action of yanking the previously available source. Perhaps an anti-lemon law with an explicit "software made available for no cost is exempted" would be better, although even then I'm not so sure it's a good idea. Should Red Hat be held responsible if one of the beta products in the distribution is buggy (say, the situation with Mozilla a year ago)? Besides, what level of bugginess is okay? Is 99% uptime sufficient? 99.999%? 100%, every crash results in a lawsuit? I just don't know about this...
"The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
So you slashdotters are too lazy to read a EULA but you will examine and test every line of code you use?
If you have the source code, then you have an exact description of what the code will do, bugs or no. Everything is documented in a GPL program in a way that Microsoft just cannot provide. Some line like:
"This code is guaranteed to do exactly what the code states. Anything else is explicitly denied."
GPL programs could have this, as the code is included, but Microsoft cannot, and would have to take the liability.
Fellowship 9/11
Legal liability is not an inherently bad thing for the software industry. Start writing and lobbying your congress critter to push for an exclusion to liability laws along these lines:
1) if you get the source you can't hold the provider liable.
2) if you don't get the source, then the provider is assuming liability.
The folks making money by selling you closed source binaries are, in effect, claiming that their software is correct and does not need external review. Along with that claim comes assumption of liability. Instead of accepting this liability, most of the traditional software companies would probably be forced to start distributing source with a do-not-propagate license. That's a pretty fair compromise since code can be reviewed by a third party, but not legally copied.
Folks distributing via open source, aren't claiming the lack of necessity for external review -- instead it's embraced. They should be cool with this approach.
Here's a ramification I have not thought through:
What would such legislation do to DMCA?
In forming your opinion as to if this law is a good idea or not, consider this:
I work for a medium size company, that among other things sells software for use in hospitals. Our software provides all sorts of "critical" operations, and I assure you that we don't have an EULA, we have legal contracts.
Basically we are just one of many companies who provide software which we *are* held accountable for.
There is software you buy off the shelf, and then there is software you need lawyers to purchase, and both of them already exist. What this law may be trying to create (i.e. accountability for software) already exists, and trust me, it ain't cheap.
If you're asking will the cost of software go up if this type of thing is implemented, the obvious answer is YES. How much is the only question, and that I'm not sure of. It may not be that much for off the shelf software, and then again, there may end up being no such thing as off the shelf software.
If you want proof that it will cost more, it is not uncommon to contract 25 user licenses for this type of software and it costing over 100K (yes that's one hundred thousand dollars), and then there's the yearly maintenance that you *must* buy with the software, you can guess at prices there.
..still a good idea. If we are stupid enough to apply it to hobbyists, that is a different problem.
the only thing GPL projects would have to do would be to describe something like the gimp as
the gimp: a program which attempts to modify graphics
note: for a full description of what this program does exactly, read over the source code. this program will do exactly what the code says.
presto. since the source is out there, it's the full description of what the product does. it's out there for everyone to see. unlike photoshop or something which is advertised as 'make pictures pretty!' and then it fails to, gpled software simply says 'does exactly what the code says it does!' and if you don't read or understand that exactly, you can't really sue someone else for your ignorance.
I like this analogy. However, is it fair to say that a software project like WinXP Pro (2+Billion lines of code, right?) or something as complex as an Enterprise Relational Database Engine is actually far more complex than a Car - especially when defining a "reasonable working condition". Either a car is running reasonably well, or it's not. Either it meets simple safety regulations, or it's not. With software, the functionality is not only far more complex, but the potential failures are also far more complex. Many times it takes a serious investigation just to determine which software package caused the problem (was it caused by Linux? Mod_Perl? Apache? MySql?), and even then we aren't always sure. "Best Guesses" may work for debugging and fixing a problem but it won't work in court.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
If I build a tree house on my property that is unsafe and someone trespasses and uses this tree house (which I haven't even said he could use) and gets hurt then I am potentially liable both criminally and civilly. It's called an attractive nuisance.
I didn't charge anybody anything... I didn't even give permission for it to happen. Yet I am still at fault.
Just because I don't profit off of a transaction doesn't give me a right to put somebody at risk - financially or physically - unless perhaps I am completely forthright; and even then often not. And simply saying "Well, at your own risk," is not completely forthright, not even close.
The only difference with purchasing the product is that the legal agreement is explicit. And in an explicit agreement risk can be accepted by the customer. But in the implicit agreement it is assumed that risk is accepted only if it is obvious. Otherwise you're buying the right not to be put in a dangerous situation. Which u can't buy because u fundamentally own this as a citizen.
As for the suggestion that there can't be a lawsuit because there is no company - I think it is pretty clear in the American litigation system there is no lack of defendants.
Leaving aside the issue of whether or not I can sue you for something you made on your off-hours, warned me was imperfect, and charged me nothing for (after all, I could sue you for any frivolous old reason...) this sort of legislation will still fall harder on commercial vendors over open source/free geex. Why? Because lawyers, like bank robbers, go where the money is.
Let's say the lemon law goes into effect. Am I, as a plaintiff's attorney, going to spend my energy going after a big fat corporation whose liability is clear, or should I instead try to round up and name as a defendant class a bunch of sympathetic-looking nerds, many of whom live in foreign countries, and who have maybe a million bucks of personal assets between the lot of them? Simply put, attorneys' sense of righteous moral indignation moves in a linear correlation to: (amount of dollars that can be shaken out of your ass pocket)*(the cost required to shake you down). Geographically-separated volunteer programmers are lean, bony pickin's, and rounding them up is more trouble than it's worth, especially compared to taking periodic chomps out of fat, slow-moving corporations. Nuisance suits might occur under such a law, but they could just as easily happen today.
To know if a lemon law is bad or not you have to know what situations it applies to and what its limitations are.
If you buy a car and find out right away that the brakes are bad that's covered by a lemon law. If you buy it and find out 6 months later the brakes are bad that's a whole different situation.
For a software lemon law to be good it would have to take into account distribution/development model. It would have to take into account the claims of the developer and the claims of the seller/packager.
If a developer provides a package in an open fashion or free of charge and makes no claims about the quality and or suitability of said package for a particular use there should be no liability. If someone else provides that software individually or as part of a bundle and does claim that the package is suitable to fulfill a particular need they should be the ones held liable.
What seems to me to be the most difficult question is the timeframe. There must be some kind of timeframe where liability shifts from the supplier to the user. How much time is enough time for the user to discover that a software package is not doing what it should and claim their rights provided by the lemon law?
there can be no liability in something that is open to inspection and fixing.
Perhaps the real problem is in making software creation and modifying easier, so that more can participate.
why does everyone keep insisting that if they get hacked it's a bug in the software?
if someone smashes my window and steals my stereo was it a bug in my house?
liability laws are impossible to correctly define/enforce since security requirements are constantly changing and vague.
you can't blame someone for not protecting against an enemy (i.e. new crack) that previously never existed and therefore wasn't even known about, which seems to be exactly what people want in their extreme arrogance over this issue.
the SVLA.
That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze
Remember what got the ball rolling with car manufacturer liability. Ford manufactured a car that roasted its occupants when hit from behind. Ford figured it would be cheaper to pay the victims than it would be to fix the car. When this surfaced, public outcry did the rest.
Most cases aren't as clear-cut. Continuing on the car industry example, can you hold a vendor liable if you're not wearing seatbelts, and suffer serious injury as a result? Probably not. Can you sue if you are injured in a parking accident by the airbag? Probably not. Now, why were you injured in the first place by said airbag? Because they are inflating with the power required to restrain a person not wearing seatbelts. Anything wrong with this picture? You bet. The consumer has a responsibility of his own, in this case: wearing the seat belt.
Liability is eventually determined by a judge and a jury, and in corner cases it's just a lottery, which is why car manufacturers err on the side of safety -- theirs, not the safety of the customers who are wearing seat belts.
The same thing is looming on the horizon when a software lemon law gets introduced. Vendors will still go to great lengths to skirt their responsibility, and even if that works to "improve" the product, chances are the consumer will be hurt in the end.
For a preview of things to come, look at Microsoft's security fix to Outlook. It is available, so like seat belts, common sense holds that if you don't apply it, you willfully accept the consequences. But unlike seat belts (which are at worst an inconvenience), applying this patch will cripple Outlook beyond being usable.
You can't win this one. Frankly, I'd settle for a law that demands truth in advertizing w.r.t software products.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
Wow, the law-makers are really biting into this whole "software is not free speech" thing. Next you'll need a license to code. The only problem is, they would have to include a "beta testing" clause and that means everyone would just release beta-software to get around the law. Maybe they should just change it to only apply to commercial software and we might forget about their crack addiction if you know what I'm saying. Also, someone would legislate against talking out of your ass.
This comment does not represent the views or opinions of the user.
Create laws that arm consumers with security information. Perhaps a grading scheme where software that doesn't connect to the internet is given an A rating. If it is a client then it gets a B rating. If it is a server it starts at C then for every three exploits within the last year the rating increments by one.
I think this sounds pretty nice, but it has problems. For instance, clients are not necessarily more secure than servers, a well-written anonymous ftp server could theoretically be infinitely more secure than a poorly-written web browser which downloads and executes code without express permission.
Also, most linux distributions would minimally start at a "C" rating under this scheme, while windows 98 would begin at "B" (without enabling "file/printer sharing"). Which do you consider to be more secure on the average? Do the ratings reflect that?
These problems are indicative of a greater flaw in this scheme, software doesn't have to rigidly conform to _any_ model, be it client/server, P2P, etc. Laws take a long time to be changed, software can be changed in weeks (witness Microsoft's court history.. pretty soon they might be stopped from producing Windows 95 ;) - if we draft laws or even form committees which define certain software paradigms as insecure, software will simply change paradigms to achieve a higher rating until the ratings-board is able to change criteria to match.
Alternatively, we could have panels of elected security-analysts pore-over every piece of software that is voluntarily-submitted for a rating (in source form), at a cost to the software producer (based on some criterion I don't know), and they could arbitrarily grant ratings based on their findings.
I don't know that this is the best solution, but it sounds more practical, it's similar to other analogous (movie ratings, supreme court, etc.) systems for ideal-compliance which are already in place and doing a reasonable (not perfect) job.
Thoughts?
Under "lemon laws," free software authors most likely will not face any liability, mostly because the software is FREE. Lemon laws exist to protect paying consumers from being sold something under the pretense of it being a quality product, and ending up with a piece of junk. If someone gets a product for free, however, the consumer cannot go after the provider, because the consumer got it for free anyway.
The same sort of thing would likely be written into software lemon laws. It would have to be, to protect students from software they produce and release for free as part of a programmer's educational process. Volunteers who code for charities and non-profits are in the same boat. Coders giving away their code to people who know that they aren't getting a commercial product don't have much to worry about.
How about a law (not aimed just at software) that says that when a company advertises a product as having certain qualities, then it is responsible for the product actually performing as advertised. I'm not sure _why_ such a law is needed in the first place, as it would seem to me that to advertise that a product is fit for a certain purpose and then to hide lawyerly gobbledygook in the EULA contradicting all their advertising is fraud....
Hmm, lemon law is there to protect the consumer. When a car is bad, the consumer gets its money back.
GNU, BSD, other open source programs aren't sold. People already get their money back.
End of discussion. Story moderation: -1 Troll
--- Hindsight is 20/20, but walking backwards is not the answer.
Would open source software be unrated? Who would bear the cost of rating open source software? Would the distributor of an open source application be the responsible party? Define distributor while we are at it -- Red Hat? Source Forge? Download.com? The implications are potentially enormous.
If you raise the cost of entry to a market you are protecting the current players -- i.e.: invoking a rating system, passing a liability law, etc. will help to make sure that the same players are in power for years to come. We've seen the comparison several times on this thread -- the car manufacturers were made liable under the lemon laws. How many car makers suffered because of it? How many changed their business practices drastically? Didn't the presence of the law force any potential new players to pass a higher bar to play in the field? Legislation is one sure way to reduce competition.
With law you must be very, very careful what you ask for -- you may get it and have to live with unanticipated consequences. The established players will go over any new law with a fine toothed comb to lobby for or against it. They will also spend money on ensuring compliance. Laws tend to drive up complexity in the business world -- again raising the bar for entrance.
What about allowing the transferral of costs caused by defects in software at the user level, instead of at the producer level? Insurance does this quite well. The costs of insuring your company (or yourself) against defects would be based on what software you are using. The cost of insuring a given piece of software would be a function of claims paid because a particular piece of software was found at fault. Perhaps, companies could even be allowed protection from software they produce and use internally. There are a number of complexities that I can see arising, but here I'm just presenting this as an idea.
I'm very wary of trying to use traditional liability law in the software industry. I fear that, if software liability is implemented (and it WILL be implemented) in a traditional manner, the ultimate casualty will be openness, not pocketbooks.
Use of traditional liability law would almost certainly make development of truly open and free software impossible. Even if the producers of free software are allowed a large amount of protection from litigation, very few will use it precisely because they will have no recourse should they be affected by a defect in such software.
As far as the broader software industry in general is concerned, it would shut tight as a trap. Many people have put in a lot of hard work to get software companies to be more forthcoming with regards to defects, especially as they relate to security. This hard work has paid off quite well. It has made our lives much easier. Do we want to return to the days when it was next to impossible to get patches, let alone information on what the problem actually is? If software companies are made liable for defects in a traditional manner, only a select few will have access to bug announcements, and then they will only have access under a NDA. Life will become extremely difficult for those of us responsible for making sure machines are running and secure. Any public acknowledgement of a bug could then be possible grounds for a lawsuit, which is just a bad place to be. Any information we would get would normally be a result of a lawsuit, and probably too late to be of any real use. I value the amount of information I have access to. It has saved me countless hours, and I don't want to see that go away.
We need to find some way to induce some sort of liability for non-criminally negligent defects without sacrificing openness. Will this work? I think it has a chance to.
Don't you think we would have switched back if the OSS really wasn't better?
Yes and No.
(1) No, many Open Source advocates are quite willing to use an inferior product to maintain philosophical purity, forward a political/religious agenda, or to stroke their egos by being elite, rebellious, etc. I don't mean to imply all advocates are like this. Back in the day I would have killed to have Linux on a PC at home rather than have to dial in to the VAX at school, but science and engineering majors are geek home turf for OSS. We too often think what is good for us is good for all.
(2) Yes, many people who do try Linux, FreeBSD, etc. immediately return to Windows after deciding the OSS wasn't for them for whatever reason. I don't mean to suggest that there is anything wrong with Linux, FreeBSD, etc., just that they are still pretty much built by geeks for geeks.
Personally I think the future will bring a hybrid approach, part open, part closed. MacOS X is a good example. Other examples will be more open source libraries used by commercial apps, examples: compression, encryption, image processing, etc.
First, warranties only are meaningful in the context of a commercial transaction. There's no reason to expect a warranty on a free good. So this is not a problem for free software.
Second, warranties aren't that expensive to manufacturers. Under 5% of the cost of a car is in the warranty. More to the point, in the gambling industry, where full financial responsibility for errors and downtime is the norm, GTech, which runs lottery systems, pays out about 0.3% of revenue in penalties.
Compensatory damages and blame management are real issues. But this comes up in other areas, and the suppliers work it out between themselves, as in the Ford vs. Firestone tire failure issue. In computing, we should expect full warranties on the OS from manufacturers who preload an OS. Let Dell and Microsoft argue between themselves who's responsible.
Finally, manufacturers who don't offer a full warranty should have to put a giant "AS-IS" on the box, like those signs that appear on used cars.
If I purchased the software commercially then I expect the software to be merchantable. Is that so much to ask? It dumbfounds me why anyone can think this wrong.
It's not about warranties, disclaimers, licenses, or anything like that. It's about honesty. If you tell me your product works, I give you money for it, and it doesn't work, I want my money back. Plain and simple. To print on the back of a shrink wrap box that MyFoo Deluxe does X, Y and Z, when it in fact does not do X, Y or Z at all is fraud.
Sure, go ahead and disclaim your warranties. But make sure those disclaimers are disclosed to me before the commercial transaction is completed.
A Government Is a Body of People, Usually Notably Ungoverned
The obvious retort is to say that, under any "free" license, if the user is not satisfied with the product then they got what they paid for. Conversely, if I shelled out $5,000 for some software program, I expect some kind of warranty or guarantee about the (1) reliability and (2) usefulness/suitability of the product.
;).
Think about it this way; most lemon laws strive to ensure that both parties come out with a fair deal. The idea is to ensure that neither party is "taken" by the other and that a "dealer" of a product is responsible for providing some measure of quality. Cars, for instance, in a lot of places can be sold as-is without any warranty if the seller does not qualify as a dealer. A dealer is qualified as someone who does it as a business (usually quantified by, say, 5-10 cars per month). The goal of any software lemon law should be similar - hobbyists should be exempt because they are (1) not participating to generate profit and (2) not explicitly (or even implicitly) providing any warranty or guarantee w.r.t. the software. Conversely, if you are in the business of selling software you SHOULD be held to a higher standard than that of a hobbyist.
RedHat, for instance, should be required to provide a warranty comparable to one that Microsoft would be required to provide on their respective OS products. Besides the for-profit nature of their businesses, they both participate in a manner that requires trust between themselves and the consumer. eg. when I buy a copy of RedHat Linux, I expect and trust that it will perform as they describe. If it does not perform as they describe, I should have the opportunity to return the product for a refund or exchange (the same rule goes for Windows, btw).
Retailers and dealers should be held accountable too. Why? Because, as I mentioned before, they trade in a manner that requires a certain level of trust.
What is the benchmark that says if a product has performed as it says it will? What recourse should the consumer have against the company that created the software? Does the consumer fight with the dealer, distributor, or manufacturer? Valid arguments could be made for all three. However, I believe there should be an implicit warranty between the manufacturer and the consumer. After all, most sane people would blame Microsoft for the shortcomings of Windows - not Dell or Office Depot.
Okay, all that deals with the idea of the software not performing as expected. Okay. Fine. What about damages? Spyware can be said to cause damage and, yet, they "claim" to be exempt because they put it in the agreement? What if Office crashes and takes all my important documents with it? What liability does Microsoft have when someone exploits a security hole and makes off with your important (let's say, trade secret, financial, etc) documents? Is there/should there be an implicit or explicit limit to the liability of a company? I happen to feel that an entity (individual or company) should be liable for any damage that their product causes (software or otherwise). But does misuse get factored in? If I run FORMAT.COM on my hard drive, is Microsoft liable because it took my saved e-mail with it? Is RedHat liable for my lost Windows partition if I accidentally choose to install it over top?
I guess I've provided more questions than answers, but I'm just thinking out loud here. I do think it is very important to watch how this pans out - to make sure hobbyists aren't discouraged because of possible legal implications.
Price, Quality, Time. Pick none. What, you thought you had a choice?
What's "appropriate"? Simple: if something you did causes harm to someone else, then you should do your best, within reason, to remedy the situation. What's "within reason"? Simple: if it's within your power and it's not going to break you (cause "undue hardship"), it's "within reason" (and note that this should not be considered in isolation, but in context of all the other liability cases that may arise from the harmful act. So it should not be possible to kill a company or to destroy an individual through a multitude of liability lawsuits).
The problem is that here in the U.S., you can be held liable even if you make a best effort to remedy the problem. So, for instance, if a bug in your software causes problems for someone else, then fixing the bug in a reasonable amount of time (in other words, a short enough period of time that the bug has no significant additional effect on the victim after you've been notified of it) and giving the bug fix to the victim should be considered sufficient effort in many cases. But the way liability cases seem to go here in the U.S., it wouldn't be nearly enough.
That's because here in the United States, it seems that the jurors often take the stance that the "victim" has no responsibility whatsoever for what happens. For instance, it doesn't seem to matter whether or not the victim researched the alternatives, spoke with others about their experiences with the product, read the manual, etc. -- the victim is considered blameless regardless. And to make matters worse, in the U.S. there's this idea called "joint and severable liability" which, in essence, seems to mean that even if you're responsible for only 2% of the damage, you can be made to pay for 100% of it.
Now, in Microsoft's case, it's often that they do not make a best reasonable effort to fix the bugs in their software and, when they do, they often charge extra for them (a.k.a., software upgrades). Microsoft is by no means the only company that does this (in fact, many software companies do the same thing), and it's only Microsoft's immense market penetration that makes them notable here.
I could go on for some time, but the bottom line is that liability in this country is so screwed up that I'm not convinced that it's possible to write a reasonable law, except perhaps for one that completely dispenses with the notion of "joint and severable" liability, and perhaps one which forbids suit against someone who has already faced a lawsuit on the same liability issue.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
CMYK is patented, and licensing this patent is not at all cheap. Certainly, it's not something that's possible for a piece of software like the gimp.
Claiming that a piece of software is inadequate because the maker of the competing software uses legal means to stop competitors from implementing a piece of functionality is really quite stupid.
himi
My very own DeCSS mirror.
Ok, so they're talking about a law that says software producers can be liable.
We know no details, yet are already saying this law could be the end of OSS. Please. For one thing, anyone can contribute to OSS anonymously, thus eliminating liability.
Also, there can be exemptions in the law for FSF, OSS, free, and other humanitarian-ware. It doesn't make sense to have liability for people who give stuff away freely.
Also, even for corps like MS, these laws don't necessarily mean every flaw is something they can be sued for and held liable for. The wording of the law will tell exactly how liable they are. Should MS be held liable if there's a small bug in its GUI, which was easy to miss? No. Should they be held liable if there's a major flaw which causes massive data loss, or if there's virus or otherwise malicious code in their software? Yes.
Yes, software isn't like cars. But we can still treat it like cars -- anything that was very serious and major should have been caught; minor things are not a big deal.
If Ford makes a car and the heated seats don't work, that isn't cause for a lawsuit. Similarly, if MS makes an OS and some erroneous extra feature doesn't work, that's not cause for a lawsuit either.
However, if Ford makes cars with airbags that don't open, they should be held liable. Similarly, if MS releases a new OS which destroys your data upon shutdown, they should be held liable.
social sciences can never use experience to verify their statemen
Not something that allows lawsuits for any
problems. But a law that said something like:
"If the provider of the program gave a guarantee
that the program would function as intended, on
the customer's particular system configuration,
and the customer operated the program according to
instructions given by the provider, then a lawsuit
for any damages resulting from use of the program
may be filed."
That could be useful and not stall closed or open
source development at all. It would allow recourse
for people who have received absolute guarantees
that a program would work in a mission critical
situation, but also protect developers against
frivolous lawsuits. Anything more specific would
not provide benefits to harmed consumers, anything
more general would stall development. Though, current
truth in advertising laws probably allow for lawsuits
in such circumstances already.
Most lemon laws state that products sold to customers must be of a certain minimum quality. This would not impact OSS development projects because they do not sell products or product licenses (like traditional software vendors do). Most OSS organizations that seek to profit directly from the software being written, tend to sell support contracts. A typical example of this is MySQL AB. It's reasonable to assume that any software lemon law would contain language similar to lemon laws relating to other products. This language is usually limited to products sold to a customer, so, again, OSS development activities would not be affected, however anyone seeking to sell software - typically those with business models tied to BSD style licenses - will probably be impacted and will have to shift to the service and support model of outfits like Redhat. Zealots like Stallman and ESR would be thrilled by this.
On the other hand the Microsoft lobbying machine should be in full force, making the entirely inane argument that "If this legislation is going to screw us over it should screw over OSS as well". We can only hope that legislators will be able to see through such arguments.
--CTH
--Got Lists? | Top 95 Star Wars Line
Mod the parent up, please.
What is so terribly horrifically frightening about taking reasonable responsibility for your own competence? The same kind of responsibility that an engineer making a component for a car takes, or a builder building a house, or anything else like that?
It's quite simple: do the best job you can, as responsibly as you can, and taking all due care. If something goes wrong after that, then you should be safe from punitive liability. If you're negligent, then you /should/ be held responsible for your negligence. If you're incompetent, then you should be held responsible for any claims of competence you made. And if you're not willing to accept responsibility for what you do, you shouldn't be doing it.
The only people who can avoid responsibility for their actions are children - is this industry really that immature?
himi
My very own DeCSS mirror.
For instance, clients are not necessarily more secure than servers,
This is absolutely true. However, servers are rated lower than clients for two reasons. First, servers are connected to the internet for longer. Second, servers accept connects from unknown hosts.
In practical terms, this means that if hax0rs want to take advantage of my browser bugs, they first have to send me an icq message claiming that there are pictures of Ana Kornakova on their website. I would immediately visit the site and become infected with a virus that makes phone calls to Mongolia from 2 am to 4 am every day. However, with a webserver they can own my box without tantalizing me with images of tennis players. (Clearly the first scenario is preferable.)
Also, most linux distributions would minimally start at a "C" rating under this scheme, while windows 98 would begin at "B" (without enabling "file/printer sharing").
That's not a flaw. A "C" rating is not a bad rating; it just means that there is an open port that users should be careful about.
These problems are indicative of a greater flaw in this scheme, software doesn't have to rigidly conform to _any_ model, be it client/server, P2P, etc.
P2P nodes would be considered servers.
You bring up a good point by using Windows and Linux distributions as examples. Most software comes as collections of programs. In this case take the program with the worst rating and apply it to the whole distribution. If fingerd has 9 exploits in the last year and it is turned on by default then the distro would get an "F" rating.
One of the great things about this system is that it is extremely easy to rate software. Just count the exploits that are possible in the default settings and assign a letter. A college graduate could do it on his fingers.
Would open source software be unrated? Who would bear the cost of rating open source software?
One of the good things about this system is how easy and cheap it is. Software organizations already keep track of vulnerabilities so now they just need to add them up and apply a rating accordingly.
Would the distributor of an open source application be the responsible party? Define distributor while we are at it -- Red Hat? Source Forge? Download.com? The implications are potentially enormous.
Anyone who charged money for software would be responsible to rate their software.
Red Hat would be responsible because they have CDs that you may buy from them. CheapBytes.com would be responsible to provide ratings too. (Obviously CheapBytes has an easier job because their rating is the same as the original RedHat rating).
Sourceforge would not be responsible for rating the software on their website because they do not charge for it.
Microsoft would have to rate IE even though they do not charge for it because it comes on a CD which they do charge for.
It would be a difficult situation if SourceForge charged people for downloads. It is not feasible for them to keep track of vulnerabilities in the software on their site. One solution is to give unrated software a default rating of "F."
I like the letter "F" because it forces people to wonder whether the software is unrated or else just really bad. This would make people more cautious about downloading random files from off the net.
If you raise the cost of entry to a market you are protecting the current players -- i.e.: invoking a rating system, passing a liability law, etc. will help to make sure that the same players are in power for years to come.
If anything the exact opposite is true. New players start out with a perfect score and lower their score as vulnerabilities in their software are found.
One of the great things about this system is that it is extremely easy to rate software. Just count the exploits that are possible in the default settings and assign a letter. A college graduate could do it on his fingers. :)
I'm afraid there is a major flaw in such a system. You can't simply count the number of vulnerabilities because they can have different levels of severity. For example, a DoS in psyBNC should not be given the same weight as a remote root vulnerability in WU-FTPD. It just isn't as simple as you make it out to be.
You are correct, the definition of an exploit is a little bit complicated.
A DoS would not even factor in as an exploit in this system. The only exploits that count in this system are ones that either allow illegal read access or destroy data.
The real tricky issue is that companies are not going to count bugs that they discover themselves. We can only make them tell about vulnerabilities that were already known to people in the outside world. On the other hand, we want people who find bugs to report it privately to the software vendors so a fix can be made.
My first draft idea is to define an exploit as a bug that meets the following criteria.
1) In the default settings.
2) Allows illegal read access or destroys data.
3) Has been reported to the vendor 2 or more months previously.
I think 2 months is a reasonable time to create a fix. Also the rating doesn't require companies to explain how they acquired a poor rating, only to make the rating available.
For example, there was a known problem with Solaris once that went for nearly a full year without being fixed. That was a case where the fix existed but business reasons made them not release it. Under this rating system Sun could decide not to release the fix but just increment their rating and everyone would be happy.
Something that really bugs me is the comment that this lemon law could kill "OpenSource and Free Software" altogether. In case you guys from the US haven't noticed: There are other countries with other laws.
Of course here in Germany a vendor or producer is liable for what he sells, too. But this liability has limitations! In Germany you CANNOT sue McDonald's because you failed to notice that coffee may be hot and McDonald's hasn't provided you with that information! You CANNOT sue a toy company for selling Superman capes without providing a warning that those capes won't give you the ability to fly! And even if you can sue a company for liability (i.e. because they failed to give notice about poisons or side-effects in their products), you won't be rich!
German jurisdiction mostly follows the customs and the common sense. That means: if you pay 1000 Euro for product A it is NOT regarded in the same way as product B which you got for free.
Besides: do you really think that OpenSource and Free Software are dead the same moment the US leaves the building?
-- Beware the Jabberwock, my son!
(recruiter) So what was your previous job experience?
(exec) I ran a huge company into the ground and lost them everything.
(recruiter) Ah, so you're experienced. How would you like to do it again? You're hired!
Surely you shouldn't have committed gross copyright violation by reposting that post from Newsforge. You made no attempt at "fair use", you just ripped it all straight off. You sir, are a blackguard and a scoundrel.
So... if Microsoft runs an Apache web server, and it crashes and they lose all their valuable data, they can sue Apache Inc. Because Microsoft has lots more money, they win the court case. Because Apache Inc has not much money, Microsoft ends up OWNING Apache Inc. They relicense their new Intellectual Property so they can make more money from it.
Can people still legally use open source Apache software in this hypothetical situation? Can they develop it further? Can they fix bugs? Can Microsoft stop them?
huh? lemon laws?
These are consumer protection laws. Consumers in general can't look at millions of lines of code and determine if a product is usable. Actually, programmers aren't likely able to determine if a software product is going to be reliable in anything like a practical period of time even if they have the source. They might be able to determine that some software is really bad, but having source code shouldn't be a way to get out of liability. All software should be held to the same standards.
Unfortunately it reminds me of too many optional systems that have been floated and failed. How about content rating for web sites? It's not used because nothing is rated.
Code signing? Used infrequently at best -- and a lot of the best software doesn't use it because the coders are spending their time coding.
If you don't rate a large group of software (open source/shareware/etc.) of what use is the rating system? It will be widely ignored within 6 months of implementation. This approach has a very weak carrot (good rating should mean a sign of quality of the software) and no stick (a bad rating will not mean that the software has flaws, rather the majority of the badly rated apps were just never rated -- thus weakening the carrot).
Even if Microsoft and the like were held legally liable for defects in their software, they would use their lawyers to tie the lawsuits up in the courts for years in much the same manner as they've done with the DOJ. Such a law would have no impact on Microsoft, because Microsoft doesn't obey the law!
My personal opinion is that this law would be bad for consumers, because the price of software products would be driven up to pay for new houses for liability lawyers.
It would be bad for business because their software costs would go up dramatically. If these companies want more reliability, they have ways of achieving it now. It costs money, but it appears they are willing to live with a level of software problems as long as the software is less expensive.
It's bad for the software industry because much of the software would have to be radically redesigned in order to be "bug free". This is a tremendous effort, and they can't get a return on the investment until the development is done. A large percentage of the companies wouldn't be able to afford to redesign their software and would simply go out of business. That would trash the tech sector, and put the stock market into yet another crash.
These politicians don't want this law to pass. They're just trying to take advantage of anti-Microsoft and anti big business sentiments to get votes.
The author makes a very poor argument. Consumers have a reasonable expectation of performance from (e.g.) MS Windows because they pay for it. You can't make the same argument for software that you get for free.
This bill cannot kill open source *development*. It may, however, make the selling of open source software much more difficult. If this bill passes, companies like RedHat would now be liable for bugs in Linux. Of course, RedHat can (and does) take a snapshot of Linux and make lots of modifications and tweaks before making a release, but there's no way they're going to catch all of the bugs. Their best bet would be to get heavily involved in the system of releases of open source software. This will be very tricky, though, as developers will not be happy to see a company have such control...
Jason
In other words, if you are not a programmer, does it mean that:
a) you are not protected?
or
b) you can sue because you can't understand the source code and they should accommodate you?
Remember the visually impaired suing websites?
Sorry, this makes absolutely no sense. It brings everything back to the elitist idea that normal people should not install their own software. It's like buying a car and finding a disclaimer that says "everything this car can do can be determined by examining the engine." I mean, a car is an open source system, all you need is a wrench.
I can see a whole new market for people just to read source code.
The author of this piece is a tad misleading about the reality of lemon laws - a lemon law prohibits exemption from liability when the product fails to perform in the primary manner for which it was designed, not that the product is error free.
For example, if your car has a transmission that regularly falls out every time you try to put it in gear, it is a lemon. However, if the error in manufacturing doesn't impede the primary purpose of the vehicle, such as a cosmetic problem, lemon laws don't apply. Typically, if the problem is pervasive or impacting customers badly, they issue a service bulletin and fix it.
Lemon laws for software are a good idea if implemented in this form - if SQL Server fails at the basic function of keeping data in tables, it rightly should face liability for failing to perform as intended. If SQL Server has an error in a wizard that does minor administration but the command line still works, that isn't critical to the functionality, just critical to user satisfaction.
Bottom line: If the bugs are bad enough to keep the product from working at the core tasks it was designed for, liability should be there. If the bugs are minor, correctible and/or cosmetic, no liability should exist.
TA
Technology Marketing is what happens when people turn their hard work over to people paid to manipulate others.
This is a really good idea.
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
Passing a law requiring more QA is like passing a law requiring people to be moral. I thought the free software crowd was more libertarian than that, but maybe Gates is right and you're all a bunch of software commies.
The market is the proper mechanism for compelling developers to pay more attention to QA. You want fewer bugs in your software? Make it worth their while.
Other things being equal, you should be willing to pay more for the less-buggy commercial software, or to heap more praise on the authors and testers of free software. Whatever the "coin of the realm" is, you should be ready to give more of it.
Your liability is your job.
The reason that you can't make your own proprietary version out of GPL'd code is because US law (and copyright law in most countries around the world) prohibit it. You need an explicit licence to distribute information. If you accept the GPL, then -- voila -- you have a licence (which you must then abide by). If you do not accept the licence, then nothing grants you the right to distribute it (though you are still free to use it and modify it for your own use, of course).
Your example is also a bad one. The GPL explicitly allows charging any amount of money for distribution. You can legally charge $44 billion for Emacs if you want. This is contrary to your "can only charge for cost of media/distribution" that you mentioned. Where cost comes in is that if you distribute the program and you do not distribute source code along with it, then you are obliged to give them the source code at cost of media if asked.
But again, this is beside the point. The point is that if you do not accept the GPL, you are under no obligation to follow the GPL. And, you do not have to accept the GPL in order to use GPL'd software.
Here is what I believe is the core issue in this discussion: as we practice software development today, protecting ourselves from software liability laws is a practical impossibility. If Software Lemon Laws existed, we'd probably all be out of a job, and/or software would be very expensive to own. Plus, the Open Source movement as we know it would probably dry up.
Many of the posts in this discussion focus on the results of, or the viability of, Lemon Laws on the Open Source or the Closed Source software development industries. Further, many posters have held out automobile manufacturing as an example, both to defend and assault the effects of liability laws on the software industry.
I submit that automobile manufacturing (or most any other manufacturing process) is orders of magnitude less complex than building significant software systems. So much so that I contend that it's currently next to impossible to know with 100% assurance that your software is correct (using current techniques and technologies). Software is too complex (or our testing software and techniques are too inadequate) to test to the point that we can be sure that we won't be sued, or that if we are sued our position is defensible. Also, given the current state of affairs in the liability law arena, if you can be sued, eventually you will be sued.
The beauty of manufacturing is that manufacturing, and the products produced, are constrained by physical laws. Parts fit together in specific ways, they exist in space, they take up room and they interact according to known physical (or chemical or nuclear) laws. Under these conditions it's "easy" (relatively speaking) to model an entire vehicle in software, or in engineering diagrams, before you ever start tooling a plant. Boeing's 777 was entirely built and tested in CAD/CAM before being manufactured.
How many "parts" are there in, say, a Ford SUV (including fasteners)? 25K? 50K? 100K? By today's software standards, this is a relatively simple system.
If we liken a line of code to a "part" in a vehicle (and by "parts" I would even include screws, nuts and washers), when was the last time that you ran across a significant piece of software (an OS, a word processor, a CAD/CAM system, an accounting package) that has less than 100K "parts" (aka, lines of code)? Most significant software, the kind that would require Lemon Law protection, is significantly larger than 100KLOC. But size is just the beginning of the problem.
When was the last time that you were able to model and test a 100KLOC (or 500KLOC or 1MLOC) software system before "manufacturing" it? A new car, or a new airplane, can be almost completely modeled and tested in virtual space before seeing the light of physical space. Not so for software systems, at least not ones that the average business can afford. (not that any software ever really "sees the light of physical space," anyway ;-)
Additionally, software doesn't function just as the "parts" that are "manufactured." Some "parts" don't exist until the software is executed (i.e., files, objects and other data). So, how do you test something 100% (or at least to a level that makes your lawyers happy) that has 250K (or 500K or 1M) parts, when you can't touch those parts, or even anticipate 100% what all the parts will look like? If manufacturing worked this way (where parts are created and destroyed, modified and manipulated when the product is sent to the field), would Henry Ford ever have been able to create an assembly line? Likely not.
Add to this idea that 100% test coverage of every logical branch, and every permutation of data manipulation, approaches an N-Complete problem. Currently, problems that are N-Complete are considered intractable. As a problem approaches "N-Completeness," it also approaches insolubility (using current technologies). Though 100% testing is not a true N-Complete problem, it is one that is difficult to manage and address -- and doing so ain't cheap.
Finally, stir in the real X-Factor: our users (God bless 'em ;-). Developers: how many times have your users come to you and said "your software is broken," when, in reality, they were using the software for something that you'd never intended for it to do? Once, or twice, I'd guess. When this happened, who was "at fault?"
When software is "driven," unlike SUV's, it isn't constrained by physical laws. There's little risk in "trying something new." On the other hand, SUV drivers understand that "trying something new" (driving off a cliff, taking a corner at high speed, backing into a closed garage door, leaving the windows open during a rain storm, locking your kids inside in the heat of the day) normally has some obvious physical consequence. This is usually not the case for software (unless your software is controlling a CAT scanner... ;-).
With business software, users "try stuff," they get creative, they push the envelope. When you push the envelope in an SUV, it falls over. When a user pushes the envelope in an SUV and it tips over, who's liable? When a user "pushes the envelope" using software and the software "tips over," sending a gigabyte of data to data heaven, who's liable?
Our SUV driver, like every wheeled-vehicle user, is constrained by physical laws. We accept that it may be irresponsible for a driver to "push the envelope" in an SUV. The consequences are obvious and well known to all wheeled-vehicles users. If the consequences are not obvious to the driver at first, they become so quickly. Still, is Ford liable for someone dumping his Excursion into a ditch, even when the user exceeded the design parameters of the system? Not so much.
However, when a software user "pushes the envelope" the consequences are usually not rooted in physics. So, when an intrepid user tries something new, and flushes precious data down the bit-toilet, who's really at fault? The user? Or the "manufacturer" for not anticipating this particular use of the system? A number of factors would affect assessing blame, and assessing blame could happen in court -- and court ain't cheap.
(Please note that man-rated systems like space shuttle and airliner avionics, nuclear power plant control systems, PET/CAT/MRI control software are, and must be, held to a higher standard than business software and much of what I'm saying doesn't apply there -- but that level of quality ain't cheap, either.)
We could build business software, today, that would better stand the challenges of Lemon Laws, but that would drive up the costs of development. However, would end-users really want to pay $5,000 for M$ Office so that they're assured that it's fully tested -- at least to the point that M$, and its lawyers, believe they could withstand the assault of a nation full of liability attorneys?
What about the Open Source software? Granted, in Open Source bugs are shallower due to the greater number of eyeballs scrutinizing the code. However, would any of us be willing to spend the time needed to truly test software (peer reviews are effective, but only go so far) to ensure that it'd survive its day in court? Not likely. Besides, as already noted, since Open Source software is essentially free (without cost), open source developers may not be liable in court.
So, where does this leave us?
To me it seems that Lemon Laws for software are a practical impossibility, at least using today's technologies and practices. Raising the quality bar for software such that it could survive litigation would significantly raise the cost of software itself, likely making software prohibitively expensive. Further, if such laws were enacted, in the current climate (sue! sue! sue!) there would be law-suits. Maybe lots of them. Such activity would sap profits from the industry in the form of legal defense costs. These profits would have to be replaced, further increasing the cost of software to the end-user.
As for Open Source software, as mentioned in other posts in this discussion, Open Source would probably not be liable (or at least "sue-able") under Software Lemon Laws. Hence, there would be little incentive to raise the quality bar sufficiently to protect against litigation.
If it were determined that the Open Source community is liable, since it's primarily a volunteer work force, the work force would dissipate out of fear of litigation. I don't know of too many Open Source developers who would be willing to lose their homes and cars to Software Lemon Law litigation.
The future may change this situation. Who knows? Hopefully, it will. Otoh..... maybe Lemon Laws would force us to get our feces in one sock.....
I was able to scrounge up a couple of references that speak to some of these issues, both for and against:
http://www.kaner.com/coverage.htm
http://www.bullseye.com/coverage.html
http://www.badsoftware.com/qindex.htm
http://www.bostonspin.org/slides/CemKaner.ppt (PowerPoint... sorry)
Some of these issues have been previously discussed here, at our beloved /.:
http://slashdot.org/developers/02/04/21/0058214.shtml?tid=172
Finally, please note that I don't believe that Software Lemon Laws are inherently bad. What I believe is that they are currently bad for the industry. The industry would not likely withstand the costs associated with protecting itself against Lemon Laws. At least not yet. I remain hopeful that the picture will change in the future.
Thanks for listening... ;-)
P.S.: this is my first post at /., please be gentle... hehehe
-=<tom>=-
While I agree with most of your points about Photoshop, there is one extremely important area PS handles that GIMP doesn't (not even a little bit, as I understand it). That area is CMYK. For an amateur RGB is just fine, but a professional absolutely needs CMYK, since that's what high end output devices use.
Why CMYK? I can't say for sure, not being a graphic designer, but I assume it produces higher color depth. The K stands for black, which obviously isn't a component of RGB. I do have some friends who are graphic designers, so I could ask them if you really want to know. I did recently interview for a job at a print house, which is where I learned that high end printers, etc, use CMYK.
I would guess that adding CMYK to GIMP is non-trivial. My reasoning is that it's a fundamentally different way of handling color. There could also be some IP issues if some company owns patents regarding CMYK printing. I'm sure a google search would turn up more information.
I've wondered for some time why graphic designers don't think GIMP is ready for them, and it's true that most of the time they seem unable to give a real reason. I asked in as nice a way as possible, and CMYK is the only answer I got. It may not be the only problem, but I think if it could be solved, the rest would be pretty minor.
Under capitalism man exploits man. Under communism it's the other way around.
Logical Liability, not a lemon law. Oh no.
I'll mirror my response to this as I did on comments on newsforge.
A software lemon law is just flat insane. The end effect would be to create fused, proprietary hardware and software. You cannot have the current diversity of hardware suppliers in competition, and the resulting low prices and innovation, and this 'lemon law'.
I want no return to the dark days of this won't run on that and this can't talk to that.
A logical liability law does need to be established however so that garbage like Code Red can be accounted for. The total cost for the blatant errors created, identified and ignored is tremendous and the company responsible party sits back and says they cannot unbundle, even though the cause of this global disaster was bundling.
How much does a pro license for Adobe Photoshop cost? Even a small design house could probably afford to pay $2000-4000 (PS Lic. $600 x 3-7 seats), and have a gimp developer fix CMYK support in a few days. Unlimited licensing, too, so it would be an even bigger bargain for big graphic art firms.
But try to remember most of the price for that software isn't actually going into the part of accountability but to the fact that it's certainly highly specialized software that is used by a limited set of users. I have been working at other locations where we only have one customer (Swedish Air Force) and we were responsible for our software. Failure in these kinds of locations is a big thing. But still most of the cost, almost all of it, came from the fact that the software was very complex.
Sorry. this makes absolutely no sense. It brings everything back to the elitist idea that normal people should not install their own software. It's like buying a car and finding a disclaimer that says "everything this car can do can be determined by examining the engine." I mean, a car is an open source system, all you need is a wrench.
Well, as someone who codes for a living and restores old cars as a hobby, I would question the appropriateness of your analogy on several grounds (relative complexity, production methods, equipment requirements, ...) but let's run with it for now:
From the Free-as-in-speech angle, source code is a means for programmers to communicate with each other and with computers. If you're neither a computer nor a programmer then the communication is obviously not intended for you, so why complain if you can't understand it? Stretching your car metaphor to the extreme, this would be like saying it was wrong to receive a set of car blueprints (source code) you couldn't understand - if you can't understand them, you should be buying your car ready-made (binary), like "normal" people do.
I'm guessing though that you're more referring to software that is distributed as binaries, where the Free-as-in-speech issues aren't really relevant other than to ensure that the source is available to you to use if you have or choose to acquire the skills to interpret it. If you buy your car ready-built, you have several options:
(a) you can buy one with a warranty from a dealer at a higher price that reflects that warranty
(b) you can buy one from a private party and rely on your own skills to evaluate it.
(c) you can buy one from a private party and get someone who has the appropriate skills (your friendly mechanic) to check it out for you.
(a) would be buying commercial software, (b) would be a programmer downloading source and figuring out what it does before building and installing it, (c) would be your "whole new market for people just to read source code."
It does already work that way in the car world - or as close as a bad metaphor will allow, anyway - why is it so wrong in the world of software? People who don't know how to change their oil have to pay someone else to do it for them. Is that really "elitist"?
What would Lemmy do?
You are correct that the software can be considered "specialty" software, but the same *could* be said of M$ Word (It could be said if you looked at it in the context of what it really is, not what M$ makes it out to be).
Even so, we have thousands of clients throughout the US, Canada, Britain, France, Australia, Saudi Arabia, and other places I don't even know of.
I will admit that the fact that our software targets more narrow markets than say M$ Word, is part of the reason it costs so much more. However, it is no more complex than Word, I can assure you, so complexity is not part of the cost. I still assert that accountability raises the price.