Slashdot Mirror
Software Product Liability?
ben writes "Reuters just ran a story about the increasing number of calls for liability on the part of software developers, with a not-too-suprising focus on Microsoft and its uber-fallible IIS webserver. Given that many other engineering disciplines have some sort of accreditation and licensing body to enforce codes of professional ethics, I'm curious what impact the demand for such a creature in the software industry could have on Open Source developers, especially the part-time hobbyist ones. That is, establishment of some sort of Software Developer's license means the developer is potentially liable for whatever havoc his bugs may wreak, and traditionally the only environment with legal resources adequate to deal with such liability has been the megalithic corporate one."
lets consider two facts..
1) RedHat/Mandrake/Suse/Caledra has been the big push of open source for the business world... without them Linux would be dead in the business world...
2) companies in (1) released products for sale (you buy them) and they sometimes have security bugs (a lot of them has a recent exploit in SSH recently)..
3) companies who uses products by companies in (1) who get 'rooted will sue the companies in (1)
4) companies in (1) will die (they have lot less $$$ then MSFT)..
5) bad for Linux...
-- Note: These Comments are Generated by ME! Not You! ME!
... is really pointless. The argument is: an architect designs a house that doesn't blow over, or a bridge that handles the traffic load without collapsing. However, in these cases, anyone who does something out of the ordinary with the house (fills it with water, tries to open the inside door without opening the screen door), would be laughed at if they called it a design flaw.
Take the usual punching bag for example: IIS. IIS, when used properly, works quite well. You might argue about the functionality/performance/cost compared to [insert favorite httpd], but pass over those arguments for now.
Security is a common complaint for IIS. However, if a person broke into your house by going in through a weak point (a window, the chimney, etc), you wouldn't blame the architect.
Zealots might say that backdoors in software are like using doors without locks. But this is ignoring the fact that software is often not an integration of existing, proven solutions, but an exploration of ways to attack a problem. Also, these failings are plain to the layman, whereas software bugs are often obscure to the guru. You simply cannot have the expectation that software will *NEVER* crash.
An architect has a given set of solutions for common problems (building codes, pre-existing designs, etc). If they can't solve a problem with an existing, proven solution (or a mild derivation of such), they probably wouldn't take on the job. Programmers do not have this luxury. We are inventing these solutions on the fly -- and we will make mistakes.
This will probably be viewed as a troll but I feel I have to say it:
The problem with software is that when a virus/cracker compromises your system, any resulting damage can not logically be attributed to the software developer.
Nobody is out there expressly trying to break and/or compromise Firestone tires. They were sued because the tires malfunctioned of their own accord.
If IIS blew up on it's own and erased your disk you would have a legitimate case. As soon as a third party maliciously tries to compromise it, the case is off.
If someone broke into your house would you sue the lock maker? Likewise, if someone deflates your tires you have no case against Firestone.
If you can show me one case where code in IIS itself was responsible for damage (i.e. damage occurred while the code was running normally without any provocation) then I'm all for this, otherwise (as much as I hate to stick up for MS) you can't possibly blame them for Code Red etc.
The real solution is just to get a better product; if you are having a problem with break-ins buy a better lock, don't just try to shift blame for your bad purchase decisions on someone else.
I'm a firm believer that, in general, ALL SOFTWARE (including Linux, BSD, and Windows) is full of show-stopper bugs, with a probability in proportion to the number of lines of code raised to some power. If one piece of software seems more secure, it's just because the bugs haven't been found yet. And this will get worse as time goes by.
(How the bugs are handled after they are found is another story, perhaps we should be focusing on that instead.)
Microsoft has lots of smart people working for them. Free Software has many smart people looking at the code. Yet, most of this code has bugs. When I write a 10-line Perl script, it has bugs (for instance, what does it do in a full disk situation? What does it do when run by root? What does it do if a Perl library is missing or upgraded?).
Making software writers/distributers liable for bugs is simply impractical. Software is simply not like a bridge or a toaster. Software is incredibly complex, and it runs on machines that are also highly complex, connected to other machines with equal complexity. All the interactions can't possibly be comprehended.
And just what is a bug? If the program malfunctions under certain unforseen circumstances, but when it was written it met all the specs, is that a bug? If you use a formal system to "prove" correctness, are the rules correct? Did anybody make a typo setting it up? Is the program that does the check itself bug-free?
I can understand that if Microsoft promises you a secure webserver, and it's found not secure, you feel Microsoft is to blame. But perhaps a "secure webserver" cannot exist. Even if it did, once installed, it would interact with other software to create a security hole (example: Apache + PHP + anonymous uploads into the web-accessible area + MySQL running as root).
If a law for software liability were passed, it would instantly kill all but a few software companies. Free Software would wither or go underground because no programmer would want to touch it. You would get zero support for your software, unless your setup was 100% EXACTLY the same as the one the corps will support. This would probably be enforced with some draconian DRM. Our lives would get worse.
Of course you say, they could make an exception for Free Software. But what would the criteria be? Exception for no-cost? No, that would mean you can't charge for Free Software beyond the cost of media. No more PayPal buttons on your web site, no corporate sponsorship. And Microsoft would just turn IIS into a free download. Exception for source-code-included? That would be better for little guy (no more binary-only distro though), but Microsoft could just invent a very-high-level language where MS Word is 5 lines, and distribute that along with it. They would find some other way to get around it. Any liability exception would be unfair to someone.
If anybody should be liable, it's the person or company who chose and installed a particular system. This entity put together the components, so this entity is responsible for knowing they all work together without bugs. But like I mentioned before, I don't think this is possible. And even just one small change or upgrade and you don't know any more if your system is still secure.
In 40-50 or more years, the software industry might stabilize to the point where all basic computer tasks are performed using well-known, publically available, stable components and formal systems, and then you could use the term "engineering" and you could conceivably have more predictable software. But I don't really think we're anywhere near that point now. Computer science is still in its infancy.
I'm not optimistic!
Say instead of being a software engineer, I was an enginner who built bridges. Can you image a boss coming up to me and saying:
"I need a bridge built in this location to move some things across the river. We will lose out to our cometitors if this takes any longer than three months, you have two and a half. Tell me tomorrow how much steel you need ordered and I will have the iron workers (actually guys off the street who could spell iron) to start putting it together."
Would you go across a bridge built like that? I wouldn't if I had a choice in the matter. How different is this from many software projects? Not very. Management doesn't care about the software quality since they don't understand it anyway, the coders are passivly taught not to care either because it costs more to write well architected, well tested code. Code can be solid if effort is placed on writing solid code. There will still be bugs, but nothing like is prevelent today in commercial software. Think of all the VB monkeys that managers consider real programmers. (Not that there are good VB programmers, but by and large...)
Welcome to the world of software. As long as the current market drivers are in place, nothing will change.
-Pete
Soccer Goal Plans
What's a printer driver? A printer is an I/O device that is on the OTHER SIDE of an industry standard port. In essence it is a "remote device." What business does that sort of software have running in "ring 0?"
I am aware that many "printers" are dependent on "drivers" because they are missing hardware, but who's idea was that . . . ? Blame goes to: Microsoft.
I'm not sure what you mean by "file filter" but the same argument almost certainly holds. Blame goes to: Microsoft.
Beyond that "windows device drivers" aren't really drivers anyway, they are plugins to the (Microsoft) class driver. If they crash the system it is still Microsoft's fault, because the interface is poorly defined or the class driver does insufficient error checking. Blame goes to: Microsoft.
I have no sympathy at all.
-Peter