Slashdot Mirror
Taking On Software Liability - Again
An anonymous reader writes "You may remember an article in which a BBC correspondent wrote an article criticising current software licenses. In answer to the huge discussion that this brought about, he has written another article defending his views. From the article: 'It is possible to make error-free code, or at least to get a lot closer to it than we do at the moment, but it takes time and effort. Doing it will probably mean that commercially-available code is more expensive and cause major problems for free and open source software developers. But I still believe that the current situation is unsustainable, and that we should be working harder to improve the quality of the code out there.'"
I've got an idea. For non-software developers with great ideas. You program some piece of software for 5 years and then warranty against any bugs or failures. Oh btw, it must be priced competitively with current offerings. This guy can go wank himself in a corner somewhere. Perfect software doesn't exist. If you want something done right, your best bet is to do it internally to your company instead of outsourcing. Walmart is a perfect example. Do it right with people that feel they have ownership in the software they are creating and you'll get a better product. Plus, Arkansas (and my state too) are like Bangladesh anyway in the wages paid to software developers.
This guy sounds like he's just full of hot air because of a bad Norton AV installation. If one program causes something "devastating" to happen, who is to decide that it's not the user's fault, the compiler's fault, the programmer's fault, the OS creator's fault (and if it's OSS, who's package etc?), or the hardware's fault?
The computer world if full of many variables and I don't see this happening anytime soon, though with recent laws you never know.
$fortune
Tomorrow has been canceled due to lack of interest.
is stale software. Bit rot guarantees that all users will migrate from error-free, real stable software, to new-full-of-bells-and-whistles but error-ridden software in 0 time.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
The fact is that the market has already decided the answer to this. People buy the least expensive software they can get away with. If the application is unreliable enough to regularly lose data it gets flushed out of the market. If it works well enough and is for the desktop it becomes popular. If it is used in critical applications where data loss is not tolerated they you have stuff like Oracle which people pay $50,000 per CPU for.
Everyone knows that most free software, by virtue of peer review, has fewer bugs and errors than commercial code does. If what he means is that you have to be licensed, bonded and "protected" by a corporate staff of 800 pound gorillas to write code, then free software will have problems. Such a missallocation of resources still won't buy him better code.
This whole issue is a troll the non free software companies come up with every few years. It's a mistake for them, however, and will blow up in their faces. Free software will overcome such nonsense the same way Good Samaritans do. Worse, what kind of society would outlaw exchanging of advice on how to do something? That's what sharing source code it. Why not outlaw engineering texts instead?
Friends don't help friends install M$ junk.
Bug free software is possible, so long as it is done right and people are prepared to pay for it. Right now, software is mainly "good enough" and "cheap enough". What is "good enough" and what is "cheap enough" will depend on what is being done.
Engineering is the art of compromise.
The Lawyers will love it. They will launch massive class action law suites and will make millions. If you are part of that class action you will get one dollar.
The software vendors will not fix bugs because to fix them they have to admit they have them and will get the daylights sued out of them.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
The keys are:
* Tell users to stop asking for tons of new features in unrealistic timeframes.
* Tell software managers to actually give individual developers time to develop software the write way instead of insisting that they slam code out.
* Get compentent testers who can help catch any aggregious problems before it goes to market.
* Stop hiring assholes who just have certificates and get some degee holding professionals who actually know what the f*ck they are doing.
* Stop outsourcing to india where most programmers are taught to slam out code no matter how messy it is. (I know this because I've worked with a few people who've come from that environment to the US)
All of the above costs money. If you're willing to spend the $$$$ that all of the above will cost you, you're software quality will improve.
Until then STFU.
Later, GJC
Gregory Casamento
## Chief Maintainer for GNUstep
The author has a point here. We accept a lot more ... "bugginess" in software than we do in any other product (Cars, Banks, Tools, etc.) And it's pretty much become the norm that if there are problems, folks just shrug, claim it's just software and move on.
But if the folks building bank vaults left as many holes in their products as software, people would be screaming bloody murder.
I've done software development as a hobby myself, and don't release my code to the public, because I know it's not even up to my own standards of stability, reliability, security.
Programmers/developers need to take more time with their products, and think security & reliability from the start of a project, not as an afterthought.
With as many products requiring patches within the first couple weeks of release, consumers do need to start getting angry about this stuff. Or, at the very least, start challenging software companies when the products they do release require more MB in patches than the software was originally....
-merlyn
Ah, so he wants people who right software to guarentee their work?
Things will then just never make it out of beta, for fear of the law. If the software breaks "Tough luck, it's still in beta, what were you doing using it for mission critical work anyway?"
This "eternal beta" is also used to avoid other sorts of legal wrangling . The most obvious example is Google News - it's "beta" still because google is worried about capitalizing on other people's news content. While unrelated to software quality, because it's an "unfinished beta", it doesn't get sued out of existance.
So, welcome to using software versons 0.9.9 forever... I can't wait.
None of these demands fosters reliability. It fosters a frantic race to add features and ship stuff ASAP. Everyone seems caught in a massive vicious cycle of upgrades so that nothing ever stabilizes or matures.
Perhaps if/when people stop finding new uses, new formats, new file types, and new applications, then the industry will mature and people will turn their attention to stability and reliability.
Two wrongs don't make a right, but three lefts do.
However relatively bad the security of Microsoft's products are in comparison to what the free licensed and open source communities ( as well as practically every other vendor on the planet ) provide, Microsoft is not alone in the presence of vulnerabilities, this is a major issue for Linux/BSD and Unix as well as ever other OS and vendor.
From the Plimsoll Club history
The risks,issues and solutions for providing a more secure operating and application enviroment have been known for decades.
Those who do not already comprehend the issues and are willing to learn, should take some time out to listen to some of the speeches at Dr. Dobbs Journal's Technetcast security archives, starting with Meeting Future Security Challenges by Dr. Blaine Burnham, Director, Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA)
The design and implementation of some applications and servers are just too unsafe to use in the "open ocean" of the internet.
Numerous security experts have railed against Microsoft's lack of security, best summed up by Bruce Schneier Founder and CTO Counterpane Internet Security, Inc who rightly said:
However Microsoft's products are not alone in the presence of vulnerabilities, this is a major issue for Linux/BSD and Unix as well as any other OS and vendor.
In a recent speech "Fixing Network Security by Hacking the Business Climate", also now on Technetcast, Bruce Schneier claimed that for change to occur the software industry must become libel for damages from "unsecure" software
I do not think we should automatically exclude free/open source software from our analysis simply because it is produced by teams of programmers working for nothing, and the fact that it is given away does not, of itself, provide legal immunity.
I do, at least to the full extent of the law.
Expecting anything from someone who gave you free/free software isn't reasonable. The fact is, the licenses are there not only to save the developers necks but also to serve as a warning. When something says "AS IS" that means exactly what it says. You take it as it is, faults and all. There is no trickery involved. Nobody tried to sell you a lemon.
Writing error-free code IS impossible because there is no possible way to enumerate all the potential hazards that face the software. In a bubble, on a clean install, software can behave "perfect". Once you let it out into the real world where people have literally an endless number of different conditions on their computers, it's simply not realistic. If the operating system has a single flaw, then the software is inherently flawed as well. We all know about Windows' track record of buginess and of course all OS suffer from bugs. That doesn't mean the developer or corporation is trying to get by with it (well maybe some). It just means that "to err is human".
The way I see it, free software (as in freedom) is a community effort. If it doesn't work, it is just as much as your responsibility to fix it, by contributing either time or money. If you won't help fix it then you are as much to blame as anybody. I guess that sounds harsh but I'm really tired of seeing everyone passing the buck to someone else, especially to the people that are trying to help society by providing possibly useful or entertaining software. These developers are doing us a favor. They don't have to write software for us and we don't have to use it. Expecting anything more than that is absurd.
It doesn't make economic sense to create some kind of liability for the authors of software; there is no single level of quality that everybody needs.
The best thing we can do to increase software quality is to hold the people responsible who can actually do something about it: the people who buy software.
If your Windows PC crashes and you lose data, that's your responsibility; you could have gotten something different.
If the bank's Microsoft-based database server has a serious security hole and someone breaks in and defrauds customers, then the bank should be held fully responsible for that; they shouldn't be able to shift responsibility to either Microsoft or the person who broke in. That will force institutions like banks to negotiate contracts with software vendors that ensure an appropriately high level of correctness. And there is no need to burden our courts with "hackers"--you won't be able to find and lock them all up, so locking up some of them is not a rational strategy for making computers secure.
In any case, if one wanted to, one could easily make legal distinctions betwen FOSS and Microsoft/Apple when it comes to liability. First, expert users generally have to accept a higher level of responsibility than non-experts. Arguably, FOSS users are, by definition, expert users. Also, for-pay software involves an actual sale, which can easily and sensibly be regulated differently from non-sale distribution when it comes to liability.
unsustainable - (adj.) 1. Following a pattern which can not continue indefinitely due to the inherent limitations of the system. "Present growth is unsustainable in the long term." 2. A term expressing distaste, annoyance, and a personal desire to change things. "The current situation is unsustainable."
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
And you get modded down. Genius.
Seriously here people, most free software is complete tripe. The popular projects you hear about, Linux, Firefox, etc. are just a small fraction of what's out there. Peer review only works if people are interested in your project.
Open source tends to be written by/for people who care more about stability than features, and that's a major help, but it is not miraculously better. How many people here have actually sat down, and looked over the source of an open source project to check for bugs/exploits?
Okay, so we've had the predictable reponses about how building software is different from building bridges, and then others point to the respective difference in cost. All true. But if bridges and buildings are so much more reliable than software, it's not only because they cost more. It's also because when they are designed and built, all procedures must conform to known standards (and not a few regulations). The specs are open and auditable, and architects actually have their work inspected all the way.
Should every word processor be built in this way, with open specifications, norms and audits? I don't know. Now how about vote-tallying software?
"Only the small secrets need to be protected. The big ones are kept secret by public incredulity." - Marshall McLuhan
You mistakenly assume that just because someone is given the source code, they are capable of understanding it and making fixes. If your refrigerator manufacturer gives you the blue prints to the frig, does that mean they aren't liable if something goes wrong? Software shouldn't be treated any different than any other product. If there is a safety issue, then the manufacturer should be required to provide a fix. Source code or not shouldn't have any effect.
people demand that it sucks.
Seriously. For nearly every case, if there are two available pieces of software (OSS or not), most people will choose the one that is more feature rich. Sure, those in a mission critical situation or the poor people that get to install and support the software long-term will demand quality and maintainability. But, those people are far outnumbered by the masses that use software casually.
So, given a limited set of resources, quality will always be just barely up to what people will tolerate. Yes, even in open source software. Example: Mozilla Thunderbird -- They have a feature schedule out right now. About half of the planned features are in the current build. Do you think they'll wait until the code is 99.99999% error free in all situations before comitting time to add features? They have no deadlines, no financial burdens, no one telling them to ship the software. Yet, they will ship it. If they don't, their user base will entirely desert them and switch to a horrible, buggy, alternative (probably Outlook Express). This is simply because people demand cool crap. That's why they buy half the crap they buy, that's why the US has a $250 billion trade deficit with China. We collectively love crap.
You realize what you said is true, circular and bad news for commercial software, don't you?
What you call "tripe" is what the author wanted to get done and what no commercial software vendor would provide. Score one for free software - meeting user needs.
The "popular" projects do indeed rock and will be better than anything commercial because no firm can match the development effort. Look at the gnu debugger. The last time I checked it had more than 87 authors. Show me a commercial debugger that gets that much attention. That's just one of the thousands of gnu projects that make free software actually work. Score two for free software - in the end, what needs to get done gets done better.
Finally, you are half right about peer review only working on projects that other people care about. If you can't find a single other person in the world interested in your project you have a rare project indeed and won't find any help. Most people are not so original and will usually find dozens of projects that do something very close to what they want to do. So far, so good, where did you go wrong? When you turned a blind eye to the most popular non free software getting no such help at all. For all your customers can tell it was written by a lone monkey paid in bananas who was forbidden contact with the rest of the world. Final score - free software 3, commercial software zero.
This message composed and transmitted on a system run with complete tripe that just happens to have more features and run much better than any commercial software available.
Friends don't help friends install M$ junk.
But I still believe that the current situation is unsustainable, and that we should be working harder to improve the quality of the code out there.
This is a very different thing that legislating mandatory guarantees on software. Yes, we SHOULD be working harder to improve the quality of our code. But not at the price of authoritarian government.
There are few things in life that are truly a free market, but software comes close. It's no surprise then that spoilsports want to come in and regulate it. That happens wherever freedom begins to bloom. Let me clue you in: the marketplace has decided on a low (as in almost non-existant) demand for guarantees and warranties on consumer software. It's not developers doing this, it's the users.
A Government Is a Body of People, Usually Notably Ungoverned
People won't pay to develop good code. Period. There is no demand for perfection. I was part of a three man team that wrote a prototype media viewer for early release movie content. We provided the backend encrypter application and ancillary libraries under license. Our "proof of concept" was finished in 8 weeks and was so successful that we had our code in live in air airline flight tests with real customers. Awesome work. Very stable. The encrypter application we wrote had a few issues with some non-standard compliant streams from a common encoder suite, which we didn't write. We charged T&M to fly an engineer to the content providers location (they don't like to ship unencrypted media for obvious reasons, and we wanted to do side by side compares for the streams to debug the problem). They already signed off on the PROTOTYPE delivery. They balked at us billing for the post delivery work and turned us down for the follow up contract. The fee schedule for post delivery work was a part of the original contracts. Needless to say they aren't in that business anymore and sold the division in question.
So far our original code for the prototype remains with no bugs outstanding. They just can't encrypt all the possible movie bitstreams they'd like. The same team put an applications development framework together in 3 months of very long days with very few bugs against it. A lot of those are documentation related. The relevant company no longer is selling anything but intellectual property now, but the last code shipped was very solid. about 70,000 lines of code and about 15 total real bugs.
My point is that no matter how good the engineers, there is a cost in time for projects you are passionate about, and a cost in real dollars for real engineers with appropriate architecture and development skills. Most companies don't want ot spend the money. If customers would pay more money for products then companies would pay more to develop them. Customers drive the price structure, and that drives the expenses a company will invest to develop the product. Add to that that a "bandage" patch is cheaper in current dollars that a major rewrite and you end up with large commercial products that are bandages on bandages on bandages. Refactor the code and it will almost always improve if the requirements and specifications changed since inception. Few companies will start a side development group to redesign and rewrite an existing product.
The articles author can just start a grass roots movement to drive the marketplace to only purchase warranteed bug free software. I don't predict success.
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
Computer software has been mostly unregulated. This has allowed us to watch the "invisible hand" of the market in its purest form. Commodity programs have disclaimers, buy bespoke and you get guarantees, pay yet more and you get formally certified code. The cost of risk and the cost of the program are in effect two seperate purchases - product and insurance.
If you force programmers to carry the risk cost, you don't magically get bugfree code. You just delete the no-guarantees market. In effect you're forcing programmers to bundle insurance with every installation. "Free" disappears. "Libre" might survive in an attenuated form - edit "open source" and you become the liability carrier. You might do it in house, but few could afford to publish.
The guy points out that other industry sectors have this sort of law. Yup, they do, and I contend we're all worse off as a result. Amateurs are frozen out, because they can't afford to jump insurance hoops. Innovations are stifled. Saleable skills are wasted. Personal self-expression is denied. Even though all parties are willing, the law stands in between saying "no". This is nothing to emulate!
Nanny liberals would contend they are protecting buyers from risk. As an adult you have to accept that the universe has dangers. You can't wish it safe, and the utopia of your childhood was an illusion. Who then is best placed to decide when you should gamble and when hedge? Philosophically, no action can be said to be "better" or "worse" without a reference to a person whose goals it serves or thwarts. No person can know another's mind. Therefore, you alone are properly placed to weigh the options and decide on your own behalf. At best a law commands you to take your best choice. At worst, bans it. Neutral or harmful, and (given diversity) certain to be harmful to some. This is why regulation is never better than a free market, even in risk.
My car is way buggier than my software. My car is horrible at dealing with unexpected siutations and abuse. If someone attacks it, say by breaking a window, the window is broken and I have to pay to have it fixed. With software, I get mad and demand that they should fix the bug so the attack CAN'T break it. Likewise the car is not forgiging to unexpected operation. If I floor the gas in neutral, the engine will seize up. However I expect that software can deal with unexpected input and not have any ill effects. Also my car costs money for matenance. I have to regularly pay for things like oil to keep it working, however software I expect updates at no charge.
So all in all it seems I expect MORE out of my software than my car.
They are different things, you really can't compare them.
wouldn't work. nobody in their right mind would chose anything but a "0". i'd buy a copy of the first non-"0" package, find a bug and sue.