Would Vendor Liability for Bugs Kill OSS?
Glyn Moody writes "Bruce Schneier has written an interesting column for Wired suggesting that vendors should be made liable for bugs in their software. But where would this leave open source developers? Would what seems like a great idea actually be the death of free software?"
Would what seems like a great idea actually be the death of free software?
No.
That was easy.
Oh, by the way, it doesn't really seem like that great of an idea, either.
Information wants to be anthropomorphized.
It wouldn't kill OSS if the liability was limited to the purchase price. That's plenty of liability to keep commercial vendors interested in fixing flaws, and it doesn't hurt the little guy.
I wouldn't contribute to OSS if I'd be exposing myself to a lawsuit because some dipshit found a creative way to exploit my code. They're the guilty party, not me.
I'd like to see any business in the world able to operate like this. You'd shoot simple projects right thru the roof in terms of cost.
"Bruce Schneier has written an interesting column for Wired suggesting that vendors should be made liable for bugs in their software. But where would this leave Microsoft? Would what seems like a great idea actually be the death of proprietary software?"
specify that in the contract, and leave everyone else alone.
If I paid $$$$$ and it's broken, I get really upset. If I paid $0, and it's broken, I accept that it's my responsibility to bring it from being worth $0 to worth something.
This would not only kill OSS, but the whole software industry would go bankrupt in no time.
To the producer: If you make money selling the software you should be liable for the bugs. If you don't make money selling the software you should not be liable. If you make money distributing the software you should be liable for the distribution aspects, not the software.
To the consumer: if you get it for free and it breaks you get both pieces. If you want to have liability coverage you have to buy it (either stand-alone or with the software).
This really isn't that freakin' hard.
As usual, regulation increases the barrier to entry for a business. By making software vendors liable for bugs, they make it difficult for OSS and small shareware developers to compete. Keep in mind that the question is not whether the OSS developer will be found liable, but whether they will be sued in the first place. The legal fees alone are enough to hamper or even kill small scale software development.
IMO this would actually help OSS...I think everyone is missing the key word here "vendor" as in seller as in you paid for the software. MS might be hit hard by this but not open source.
The simple fact is that this is too hard to police anyway. Where did the bug occur? Was it in the program, or some library it called? Now we have to establish whether the programmer could reasonably have known there was a security update to the linked library. Just proving where the fault occurred would be a huge legal SNAFU. Sure, such a thing would kill OSS first but it would effectively destroy the computing world. Only a luddite could seriously believe that this is a good idea.
The only proper way to handle this is through contract - not an implied one, but an explicit document which clearly describes the areas and extent of liability. There is a market for this kind of software, and it exists already. This is the only reasonable solution - get a contract, and if you don't, caveat emptor.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Why should I assume that this would kill only Free Software?
Wouldn't proprietary software be more vulnerable to liability? People only sue those with deep pockets.
Here's a tip, Mr. Schneier: analogies can be good for illustrating a point, but going on for 2 pages about your analogy without actually using it to make a point is just dumb.
My guess, since the story was posted at 2AM, is that he had a deadline to meet and wrote this piece of crap in 15 minutes while drunk.
Don't blame me; I'm never given mod points.
You get what you pay for ;-)
--LWM
If you want things to really hurt, multiply the purchase price by 10 or so. That would actually constitute a penalty to distribute buggy software for commercial vendors while still not impacting those who give the software away for free.
Large software products will never be entirely bug-free. To keep things reasonable, there should be a standard time-to-fix so commercial vendors also have a fair chance of cleaning up after a mistake.
To Terminate, or not to Terminate, that's the question - SCSIROB
Very often, if not usually, there is no vendor with free software, so vendor liability wouldn't affect it at all (it might make commercial software more attractive, since there would be someone to sue for bugs; OTOH, it would make it less attractive to make commercial software). With free software, very often the user acquires it from someone other than the creator, and gives no consideration of any kind to either the distributor or the creator to acquire or use the software. Often, a contract is created, if at all, only when the person who acquired the software decides to distribute the software, and even then, the consideration (in terms of limitations accepted by the new distributor) is in exchange for the right to distribute, not the right to possess or use, the software.
The problem is that there is no such thing as bug free software, there will always be bugs and there will always be bugs created after fixing bugs.
If people find a bug that harms them and the vendor doesn't fix it in reasonable time, just give them their money back they paid for the product....
Well, this wouldn't kill OSS. It would kill Microsoft.
Would it kill companies like Microsoft, Companies who do what 60 percent of the code in a major release in 8 months? The same companies that disclose in the EULA that their software is "as-is" and must be accepted with bugs and they are not liable for them? The same company that takes years to release trivial bugfixes and have no real release schedule for these fixes (sorta fly by the seat)
Liability $0.00
Results Priceless
Commercial software can probably get away with limiting liability to purchase price
First and foremost, if we are going to discuss OSS vendor liability, you have to get the CLOSED SOURCE vendors to accept liability. You can't even TALK about OSS until then.
And hypothetically, hell DID actually freeze over with flying pigs, then I would still assert that I don't believe it would be the end of OSS. Not by a long shot.
RedHat comes to mind. They have their Enterprise offering that is anything but cutting edge. Everything is tested quite well and the response to fixes is rather rapid. I don't know this for a fact, but I feel pretty strongly that OSS vendors are a lot more responsive to fixing bugs than closed source people.
I don't think there's been a single issue which has come up with the gov't where they've agreed to some type of compromise, only to return to their prior behavior within a fairly short period of time (and the gov't hasn't yanked their leash to bring them back to the table).
I'm not anti-Microsoft. They've been a good source of income for a long period of time.
But facts are facts.
Until then, this is factors beyond a pipe dream.
I'll save you a couple of clicks.
The meat of the article, minus 3 stories (employee theft, ATM security and tax dodgers), spread over 2 pages:
For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest. Features, schedule and profitability are far more important. Software liabilities will change that. They'll align interest with capability, and they'll improve software security.
Failing that, if a piece of code is developed FSF/OSF style, exactly who do you sue for redress if a bug causes you fiduciary loss? The author? Go prove that his code is actually the source of the bug.
"That's not a bug, that's a feature" - isn't that Microsoft's mantra?
Doubtful it would ever happen.
1)No software is without bugs.
2)The costs would be based on marketshare (for equality).
3)MS would have to pay which is doubtful to happen.
4)Vendors don't sell OSS really. They sell you a service with OSS bundled. Or at least could easily modify their product to skirt any law.
Not sure what this would mean for the writers of OSS, but probably not much since it would still happen outside the US. Vendors who didn't manage to get around the law could simply offer it as a download from overseas and if listed with some American Exchange, they could relist elsewhere. Much like why the NYSE is buying EuroNext so they don't miss out on companies listing overseas to skirt Sarbanes-Oxley.
Free software would not face any liability since it's marketed as FREE. You can only sue for the amount you paid. If you paid nothing then you win nothing.
Even if you did manage to sue, you would have to sue yourself for not fixing bugs or other issues in the source code you received since you are supposed to evaluate and fix issues as part of your due diligence.
But does the coverage make any distinction between a game-ending bug and a conceptual bug? By this I mean bugs that cause the program to perform differently than the program was being marketed as and bugs that are only caused by deliberate/incredibly unique settings/actions? The first should be held as legit bugs while the latter seems hard to argue for. If the bug only expresses itself when you set up a special case that is never seen in the real world, is it really a bug? After all, ALL computer programs have bugs, even the simplest of programs. Even Hello, World! (which almost always depends on system libraries to display, and as such inherits any bugs that they contain).
The simple answer to this is to allow for software to be given away on a "no liability" way. FOSS could be allowed to exist since those that are creating the software are not making money to how many copies they "sell". Those that produce software for a living, like MS, would still be held accountable for their products. But then, IE would not be covered since it is "given away".
There probably is no simple answer to this. Either allow things like FOSS to exist and limit the liability that all software producers have, or open them up to real liability and kill FOSS.
Space for rent, inquire within
Someone wake me when there's an interesting article to read.
You get a receipt. That way you won't get the software free... er, wait- make sure you don't get one - THAT way it is free... oh wait, OSS is already free as in speech and free as in beer. I guess the creator of the software should keep a general ledger. That way the employees - damn it! WTF did this article even have to do with software bugs? It was more like the history of preventing employee theft. Nothing to see here. Move along.
My humor is probably your flamebait
So here's what the employer does: He hires the customer. By putting up a sign saying "Your purchase free if you don't get a receipt," the employer is getting the customer to guard the employee. The customer makes sure the employee gives him a receipt, and employee theft is reduced accordingly.
I've read that over several times and it still makes no sense to me.
Mod me idiot, or offtopic, or whatever; I'll take the karma hit - but wouldn't a customer be motivated to do the exact opposite? What on earth is the customer's interest in making sure they get a receipt?
Running Windows^H^H^H^H^H^H^H OSX and Linux in the home. (I don't have time for Solitaire any more.)
The prices are for the full product. Upgrade editions count as the full product for liability
something similar can be sorted out for large installations, bulk licenses, etc.
Just thinking out loud
"It is a greater offense to steal men's labor, than their clothes"
....Vista would never, ever ship.
The secret to creativity is knowing how to hide your sources. - Albert Einstein
I can see it now: Satisfaction guaranteed or your software is free.
No Sigs!
Vendors are already liable for their bugs, they just pay out of their userbase instead of their pockets. Which comes out of their pockets indirectly at a later point.
do you know squarepusher?
The vast majority of the article discusses either cash register security or ATM security. By way of analogy, we're supposed to use this information to conclude that vendor liability for software bugs would be a good idea, too.
However, he never discusses any details of how this would actually be implemented, what the laws might look like, how it might work in contracts, what exceptions there might be, what constitutes a "critical" (i.e., liability-worthy) bug, etc. Consequently, it's virtually impossible to answer the question of how this will impact OSS. We need specific ideas to actually try to tackle that one.
If this is mandated, then the software manufacturer will only warrant the software fit for specific uses. This warranty is void if: The user connects to any network not on Microsoft's approved network list. The user installs any software not explicitly covered on the MS Software compatibility list. The user ever enters data incorrectly. ...
You can see where I'm going here. It's not just ms, EVERY vendor would have to create a similar license
But since legal liability tends to chase those with the deepest pockets, I can see where the commercial closed source software vendor would face the greatest exposure to expensive litigation from "bug liability". Distributed development processes that are not centrally owned by one company (i.e., open source) could very well be the only way to get anything new written without facing expensive litigation.
Not that I think any of this is a remote possibility, but it could very well cause the opposite of what TFA speculates.
Momentarily, the need for the construction of new light will no longer exist.
No way will software developers be liable for bugs! To do so would eliminate all software development except in-house work.
You will find that Microsoft only offers bug fixes to maintain general problems in glaring issues with their software. Defects just happen. If they didn't fix them people would get pissed.
However you will find that companies will listen to requests for bug fixes if you have a support contract. This indemnification costs the customer money. This is a way software companies make money.
FOSS has equal deniability to commercial software. However you have the option of paying the support contract on the FOSS software to get your issue sorted, or if you so choose, fix it yourself, and the community benefits. Of course you have the option to add features etc. at will.
It's a dumb suggestion because there is already a solution to this problem. And a lot of people make money out of it. It's how a lot of FOSS based companies do their business.
Just make the fine equal to some percentage of the retail price for the product multiplied by the total number of users...
Just convince them to modify the code a little bit. Then they become part of the liable party.
Here is what Marcus Ranum had to say about this topic.
Inviting Cockroaches To The Feast http://www.ranum.com/security/computer_security/editorials/lawyers/index.html
On a related open source topic read this
Stupid About Software http://www.ranum.com/editorials/software-lawsuits/index.html
some people get into a psychological state wherein they deign it necessary to control things like a madman.
some years ago people went crazy for handgun control...yet it is (in some ways) easier than ever to buy a handgun and get a concealed carry permit...because official, non-discriminatory processes are in place. crime is way down. there are a record number of legal handgun owners. there has been no spike in handgun crime or violence.
it's the "commie mommie" syndrome...the government must mandate things and take care of us, penalizing those who make us uncomfortable...or we "think/feel" might cause us danger, when the facts indicate the opposite. responsible people behave responsibly. stop watching oprah and rosie o'donnell, stop filing restraining orders against every male within ten miles of your house, and (for a change) go take care of your f*cking children, bitches.
my car has had two minor recalls on it. i had to take part of my day out to go get the issues taken care of. were the fixes free? no...it cost me time to go do it. it is assumed that a person using or buying a product assumes some responsibility for the maintenance of the product. it's my responsibility to make the vehicle available to the dealer for these kinds of occasional repairs...not to "sue them" because the vehicle has a minor flaw.
it's my responsibility to know the licences on the software i use. the GPL and most other open sauce licenses have full legal disclaimers. it's my responsibility to take care of the software by checking for updates, etc.
let me guess...hillary clinton is somehow involved in this legislation.
Doesn't the GPL contain a disclaimer of warranty anyway?
Almost every OS developer has a day job paid by a company selling software.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
A provision like this should indemnify vendors who provide source code. The thought behind this is that if the customer has access to the source code, he can perform his own audits and the vendor has made a good-faith effort at full disclosure (as far as the vendor itself is aware). Also, many eyes looking at the same code will reduce the likelihood of fault. If the customer chooses to use the software without audits or tests, then the customer is 100% accountable. If the customer performs sloppy tests or audits, then the customer is still at least partially responsible for his decision to use the software (50/50 I'd say).
The other concept here is warranty. Perhaps software should be warranted against defects and updates for problems (not enhancements) should be free of charge. Again if the source is provided, then the customer can identify and correct problems themselves, attributing more responsibility for damages on the customer's decision to knowingly use the software. In my mind, software provided free of charge cannot be required to have a warranty, since there is no loss of value to the customer. It's purely up to the customer whether or not he uses the software, and anyone that blithely deploys free software in a mission-critical application is 100% responsible for the outcome.
In these scenarios closed-source vendors would ultimately end up being insurance companies. The cost of potential payouts would need to be built into the software price, and so customers would be paying to indemnify themselves through ignorance (lack of access to source code and inability to perform due diligence before using the software).
there's plenty of money floatin' around, it's just no one wants to spend it. This would mean tons of new programming jobs.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
If this was structured like most liability laws, what would happen is that vendors would be forced to raise their prices in order to pool the money in a big liability insurance fund. This fund would then be harvested by unscrupulous lawyers using sympathetic clients whose claims pulled on the heartstrings of juries, like: I spent so much time trying to keep my browser from crashing that I forgot to feed my cat and she starved to death; or I got so mad at my filesystem for losing my files that I smacked my kid and gave him brain damage. Legitimate users who organized and filed class action suits over business costs caused by real bugs would be tied up in court forever by defendants' legal teams because the magnitude of their claims would make a vigorous defense an economic necessity. Free and Open Source software authors would have to form non-profit corporations to front for them, and rely on contributions from sympathetic sources to buy their insurance. They would be routinely attacked by lawsuits drummed up by front companies funded by a certain software giant in a fashion that might remind some people of the SCO lawsuit. Testifying in these bogus suits would tie up all the time of FOSS developers, effectively slowing open-source development down by a factor of 10. In the end, only the lawyers would benefit - exactly the way it works in most industries.
"Sic Semper Path of Least Resistance"
Having the word "vendor" in there implies that there is some sort of financial transaction involved with purchasing the product (or a license to use, etc, etc.). In that context, Free Software doesn't really have "vendors". The implication is that it is a best effort, but all code is provided "as-is".
Charging for support of a free product would be a little trickier if a change that you advised caused a problem, but most companies providing support probably indemnify themselves against that kind of thing anyway.
I'm not sure if it would kill OSS, but what it will do is force commercial software to have exponentially less features, so that the few features it does have are approved, thoroughly, by the lawyers. The cost of developing software will skyrocket.
Take your favorite software you work with every day. Remove 80 - 90% of the features. Make it cost 10 times as much, or more. Sit back and enjoy your secure bug free software (as if there is even such a thing).
For you people who think software liability makes sense for non-critical applications, you get the software you deserve.
Well, such a proposal has two possible outcomes:
1) OSS coders would be responsible for their code, and if a security bug was found that, oh, caused some big disclosure of personal information under some law like HIPAA, then the coders could/would be sued by a corporation that ran the software. Thus, coders would NOT contribute to OSS, thus killing OSS.
or
2) OSS software would be exempt from such a rule, meaning that implementation of OSS software by a company would mean it would become liable for its misuse due to a flaw that was coded by someone else. If I was in the shoes of any VP who analyzes risk, I would be like, "STAY AWAY FROM OSS", thus killing OSS. For those companies that do decide to implement OSS knowing the risks, they will increase their prices, driving their customers to cheaper vendors, taking said company out of business... thus killing OSS.
It's a lose-lose situation!
The question reveals a lack of understanding that OSS is a service model, while proprietary is a commodity model. They are two different paradigms. OSS isn't sold; support is sold. "Linux vendors" don't exist ... Red Hat, Yellow Dog, Debian, Ubuntu, et al. are Linux support vendors; they sell a service, rather than a product.
Everything would be exactly as it should be in the proposed model. Microsoft sells you their garbage and it no longer pays. If Red Hat advises running 'rm -Rf /' as root in the process of supporting your need to back up your data, then they would be held liable for the flawed support.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
While I'm sure that anyone who has "purchased" any 1.0 version of software (and by purchased I mean either spent money on it or downloaded something freeware or shareware) which contains bugs which hobble its purported functionality or its security has had the knee-jerk, road-rage desire to see those people responsible for that inconvenience held liable in some way.
However, the reason why we don't have this sort of "consumer protection" already in place is quite simple: any increase in the liability for a producer of any consumer or commercial product is a decrease in the motivation to produce that product. All software of any reasonable complexity has bugs. To hold a software company or the open source community responsible either through update or, if loss is involved, compensation (how you'd manage this is anyone's guess) would ultimately break even with the income produced by the software.
This is particularly of concern with freeware.
For example, let's suppose someone makes a freeware product which some company decides to use for some aspect of its business. Unfortunately, this product is immature upon 1.0 release, and bugs lose data, files, or are prone to security risk which causes that company material loss. Theoretically, that person could be sued for that loss, which is a damn bummer because there is no profit with which to ameliorate whatever damages are brought to bear. Of course, one would be a fool to sue someone who could never pay up, but the mere statement of legal entanglement is enough to take most garage shoppers off the market.
It also introduces a number of other interesting quandaries.
1. It creates a sort of intellectual property servitude. Since the intellectual property lasts longer than potentially the individuals who created it, does that mean that even after the product(s) are out of production, are those who created it are still liable for its upkeep? Can they still be sued for material loss? What's next after that? A Chapter 11 intellectual property bankruptcy backdoor for people who now regret ever writing that damn spreadsheet code?
2. In the case of open-source and freeware, who gets nailed if the consumer gets litigious?
3. What about misuse of the software? Who'd ever write a disk utility of any sort knowing full well that the very tool itself in its proper operation is an invitation for less-than-knowledgeable people to harm their file system? Bug or idiot? Who decides? A legal system which already has very little computer savvy?
4. That brings up the point of any type of "expert" software: what purpose is there in even giving experts software that can do harm, whether from a bug or from inappropriate use? How would you screen these sorts? Even an expert can make mistakes anyway. Why would you as a developer want the liability?
In fact the reason for the "as-is" clause is one of the few common sense statements in any EULA you look at. Without it, you would have defacto liability and we all know how litigious a world we live in. If anything, the "tough luck sweetheart" clause is the most basic protection to continued software innovation, by protecting it from the occasional mishap and the liability which can issue therefrom.
I see cameras by cash registers a lot more than I see the "free if not given receipt" note.
FREE - Java, J2EE and Ajax Audiobooks for Software Developers - www.DeveloperAdvantage.com
The article has one paragraph on computer security and software liability and a bunch of aimless bullshit about employee theft, the cash register, ATM fraud, and tax fraud; and a nonsensical reference to a liquor store sign, "Your purchase free if you don't get a receipt."
Well, no shit! If I didn't pay for the item it was free and I wouldn't have a receipt either, DUH! I'm sorry, but that has to be the WORST piece of "journalism" I've ever seen!
To address the topic of the article (which had nothing to do with its content), I'd say this. Yes, vendors who are SELLING software for profit, and are supposed to be supplying support resources for said product, should be held liable for bugs. I don't know why he doesn't think that they aren't. If a piece of software is buggy, people will flood their tech support lines, and if not fixed will stop buying it! Duh, again!
As for the impact on OSS software, simple, NONE. You accept the liability of the reliability of the software because you got it for free. I'm sure there's something in the BSD license or GPL to that effect. If not, there certainly should be.
Somebody smack the bottle out of Bruce Schneier's hand (and maybe the bong too) and have him take a journalism class, or maybe just a basic writing class. He sucks!
Wired, if you're listening, I'll be happy to write for you...a ton better than this idiot.
A lot of open source stuff says "Free to download! Enjoy - but Note: This comes with no warranty / use at own risk" etc. Beat that.
Hasn't this kind of ages-old horseshit been splashed all over the Internet a few years before ? "Nobody is responsible for open source ..." kind of Allchin or Ballmer brainfart. If FUD is lame how's recycling the same old FUD ?
OH, and don't forget to mode me flamebait or troll.
How to create efficient software liability laws without hobbling the industry.
1. It only applies to distribution of binaries. Not source. Contributing a patch to Darwin's Kernel != makes you liable for Apple's sales. On the other hand, even though Linux is open source, if you distribute a binary kernel, you may potentially be liable.
2. It only applies in cases where money changes hands. No free distribution. You don't want non-profits forced into paying for insurance for freely distributed products. Besides; caveat emptor, if you're going to run your company on free software, you should pick up the tab in terms of liability. Otherwise, go buy the same software from your friendly local Linux vendor; they're the ones paying many of the developers!
3. Minimum levels of damage, not maximums. I don't know why people keep suggesting "The Purchase Price". Rather, it makes more sense to make a "you can't litigate below a certain level of damage" minimum. Something like $10,000 per instance per user.
4. Levels of certification for mission-critical liability. This would be done via standards, established by industry groups (I'd suggest the IEEE). The idea would NOT be to certify individual products; rather, to set requirements for products, using open standards. If your product does not reach these standards, you are immune to liability from prosecution *in that particular industry*. For example, presume there is an IEEE working group on certification of automobile software. Unless your solitaire application meets the requirements of this certification, you are immune to prosecution from anyone using your solitaire application on a car's computer. Similar working groups would be established for telecomm, the medical industry, industrial manufacturing, military usage, and aerospace/nautical transport, in addition to any others as the need arises.
Now, see, the way #4 works is that in mission-critical instances, where the chances of large liability risks are very high, achieving certification for your software product becomes optional. So, why would you ever want to achieve that certification, forcing you to be liable for problems?
I'll tell you this: If you don't know the answer to that last question, you've never worked with a large insurance company (which every mission critical industry does). If you are Boeing, and you have the choice between Microsoft and IBM software, and Microsoft software is immune to liability, and IBM software is certified as appropriate, and IBM can be held liable.... Well, AIG (or whoever Boeing works with) will REQUIRE that Boeing use IBM software. Or they'll bump their rates up 1000x.
Liability is a difficult concept to grasp, but in the modern world it is intricately tied up with insurance, risk, and damage. No matter how you slice it, bugs (software or hardware, Microsoft or General Motors) *will* cause real financial (and otherwise; health, property, whatever) damage. To write effective legislation, one must remove small potatoes from the equation (it's never efficient to litigate for amounts under $10k or so), and one should provide a path of least resistance (certification=optional) so that if market solutions turn out to work better they become an option (any company that can independently work out their liability issues with a supplier can sidestep the legal system, saving both sides tons of money).
P.S. All of this is predicated upon the repeal of all existing liability exclusions for software.
WhiteWolf666, an ex-Bush supporter. All you new-school, compassionate, save-the-children Republicans can rot in hell
As an open source developer, I declare that I will refund 100% of the purchase price if you find a bug in my code.
However, use of this software is provided strictly on an "as is" basis. The user assumes all risk and responsibility for determining the fitness of this software for their application.
If the penalty of bugs was tied to the price of the software, where the liability increased for the creator based upon the price to purchase or own, then this would actually be a really excellent boost for open-source software. Basically, this would mean that it would be in most people's best interest to make software open source and just move to a charge-for-service style of working.
This could cause quite a change in the software community if everything was open source because innovation would skyrocket and it would finally get to the service-based market that everyone seems to want so much.
As a software developer, I write software that yes, may contain bugs and holes. My responsibility to my customers is to repair bugs and patches for all my software as part of the selling agreement. Some paid software I release I do take steps to test heavily and will take bugs and patches for security holes, but some scripts I have done in my free time I take no responsibility for, esp. when they are done very quickly for someone and not part of a paid project.
In my opinion, if you sell software to someone it should do what it is going to. You shouldn't have to mess with it to fix a bug. If your customer says something isn't working or you find a security hole, the software needs to be fixed as a business practice to your customer.
Bryan
If the cost to the company for buggy software is a refund of the purchase price? I can see one model that works really well -- you get the bits for free, and the vendor charges you for a support contract. OSS wins. In fact, it would make OSS the default business model.
No way. There are far more of us who develop custom in-house software than people who write stuff that gets sold. You might severely hurt the software-as-a-product industry, but wouldn't touch the software-as-office-automation economy.
Dewey, what part of this looks like authorities should be involved?
Depends on how the law was written. What if liability was on the party with access to the source code. So, if company "A" distributes a binary without source, they assume liability since the customer isn't able to verify the code is "safe".
An open source project, on the other hand, at a minimum ships a binary and also makes the source available to the end user, thus transferring the liability from the distributor to the customer.
www.sguil.net
The Analyst Console for NSM
I think it is odd that many people think this would crush MS, as opposed to OSS. The standard EULA issued by MS forces you to sign away all your rights to sue... basically, the program is supposed to work how it ends up working, even if that means erasing everything on your hard drive every time you hit the enter button. And I'm pretty sure Bill hires some darn good lawyers...
If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be.-TJ
I would say that closed source would be liable, as the customer is unable to inspect the code themselves and is relying on the company or developer's reputation to say there aren't any bugs or security holes.
With open source software, the customer has the means to inspect for themselves whether the software can perform as advertised. So if the source code for the software is available then the burden should shift to the customer as it is today.
Please read my suggestions on working software liability, and see if they address your concerns.
I haven't covered all the bases, but it's pretty close. I earnestly believe it's possible.
...and I seem to recall someone mentioning that they (Sony) ought to be liable for the trouble its bug(s) caused...
Just an observation.
This space intentionally left (almost) blank.
Ok, as usual there are a lot of people who chimed in on the subject without thinking this through.
If you PAID for a software product to a vendor, the vendor IS liable. The extent of this liability is not necessarily defined by law or formal contract. Some of this liability is inherent in the principles of a market economy, i.e., if I paid for something and it doesn't work I have a legitimate grievance with the seller/producer of the product that I can seek remedy for. That inherent liability is supposedly covered through a customer service mechanism; in the case of computer software this is the tech support department. This group is supposed to act as a feedback mechanism to the software developers for fixing bugs, and to assist the customer in either working around the problem, or otherwise providing a solution. If a solution cannot be found, the product was purchased, and the bug was identified within a reasonable amount of time from purchase, then the customer CAN seek remedy of the problem by demanding a refund for the purchase price (maybe minus some handling fees and/or taxes). This happens all the time and there are organizations, like the Better Business Bureau, the Federal Trade Commission, and others, that enforce these rights under Federal and State guidelines. Mileage may vary.
Now, if you didn't pay for a product, because it was free or you just plain stole it (pirated it in the case of computer software), then there is no recourse for remedy if the product is defective, nor is there any moral, ethical, or legal stance for liability passing to the creator of said software.
I don't have case law in front of me, but this has to have been tested somewhere by now.
Why wouldn't they? If you could offer me a car that will make it 200,000 km without having problems or needing more than an oil change, would it be worth 80k instead of 55k? Possibly! Personally, as a person whose time is valuable, I'd pay more for quality. Why is it that many American cars, despite in most cases being cheaper, are being outsold by Asian and European makes? Quality, reliability, and service [plus making a car that is desirable].
People are so quick to bash higher priced items. In the business world, we stress TCO: Total cost of ownership. If you waste gigabytes of bandwidth, time to clear off spyware, time to patch, upgrade, test, and deploy- time to update workstation images and deploy regularly. How much time does an IT manager spend doing this versus just installing a program and not thinking about it (the good ones of course)?
So offer me an OS at double the price that takes half my time to operate. Do realize that that $700 OS is probably worth about 7-10 hours of a good corporate sysadmin's time. If you put more than 3.5-5 hours of time into each machine to perform upkeep, then you're wasting money.
I've always said- if Windows 95 came out right now, but never crashed, never froze, never leaked memory like anything, didn't have horrible hardware support, and worked- I'd be happier than getting crap for the past 10 years and having to upgrade it every 3 years and patch it every week.
-M
when you see the word 'Linux', drink!
Standard software licenses include waivers of liability under a handful of standard civil law standards. What Bruce is saying is (i) impose by statute and (ii) make it *illegal* for a shrink wrap style license to include a waiver.
From an economics standpoint, the justification for such a standpoint is inequality of bargaining power and market power (i.e., monopoly or near monopoly) in the software segment.
His argument from "principle" is interesting but ignores a much more interesting avenue for exploration. Look at heavily negotiated software license agreements between parties with equal bargaining power and consider what liability standards are commonly accepted.
I haven't done this research, but I would suspect that *support* rather than liability is the typical approach taken by customers who are in a position to get a fair deal.
OK, so we could make support contracts mandatory for the consumer. There might be some advantage to consumers if it were illegal to sell software without a support infrastructure in place, because it would arguably reduce the cost per consumer.
It might reduce *average* total costs across the industry. But this does not necessarily translate to advantages all consumers in all situations.
As an aside, where Bruce's argument theoretically and practically leads is the standard of "strict liability". This is a dangerous doctrine to impose on IP products with zero marginal cost; it drastically changes the economics of production. And yes, this is a potential disaster for open source products.
No, I'll still write it and distribute it. If you want me to take responsibility for what it does, then we'll have to negotiate a specification, a contract, and a price. I'll make the software do what I want; if you want me to make it do what you want, that's extra.
The article is horribly misrepresented, here. The core of the article is about the security principle of aligning capability with interest -- that is, when you want something done, you find out who can do it and take steps to interest them (offer them money, the potential of something free, a fine if they *don't* do something, etc.).
Near the end, Bruce mentions the concept of "software liability" as an example of how interest can be aligned with capability. Bad on Bruce for not defining how he uses the term, but bad on the submitter for not researching it before sending in this FUD. Anyone who has followed what Bruce has done knows that he's a huge supporter of OSS.
When Bruce talks about software liability, he's talking about making software makers liable for their marketing claims about security, not for "bugs found in software". OSS would be safe, as long as those projects don't say "we're secure" when they aren't.
And on this point, I agree: if I buy a security product that claims "secure file storage", and I find out that they implement this with single-DES encryption -- and especially if my data is compromised as a result -- the vendor should be liable. They made a false claim!
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
What if you write an API or even a program and some commercial vendor uses your code. The bug was found in your code and the vendor gets sued.
How do you know vendor X won't come after you to pay for their court costs?
Also businesses would purchase liability insurance. Maybe their agreement with the insurance company is to sue others and use that money to help pay the insurance company so they can maximize profit by minimizing losses when they go to court.
Also many vendors would go out of business and if you're in IT you would need to compete with many ex-employees from these vendors. Last, businesses might let you go as the price of software goes through the roof and the IT department needs to stay within budget by cutting costs by firing people.
It's a no-win situation for everyone but the lawyers of course.
Bug-free software can exist, but the software engineers (not programmers) who design such customized products charge twice as much for their labor. No one wants to pay $700 for an OS. That's how much it would cost if you double the price of Windows XP.
http://saveie6.com/
When I sell a product, I'm kinda liable for its functioning according to spec.
:)
When I give it away, or better, throw it away for someone to pick it up and do "what he wants" (GPL nitpickers read that quotation marks right!) with it, I take no responsibility. Use it or don't. I didn't say you should use it. I didn't sell it to you. In fact, I just put it there so people who want to take a look can. I'm not saying it does anything useful. I'm not even saying it doesn't do anything harmful. All I say is that it's there and if you're so inclined to use it, be my guest. I don't care.
Very different when you actually SELL software, a service or whatever you plan to call it. When money is involved, people tend to expect something in return for their dough. If they don't get it, they get pissed.
We'll see just HOW pissed when Vista finally comes out.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Open source is used without compensation. The point of holding closed source developers liable is to recoup lost investment. When a user uses open source software it's "at their own risk."
I am a real, no kidding, licensed engineer. I only get to work at two levels: one where you ask for a free opinion and you get what you paid for, and the other, where I put a stamp and signature on it and say "it's good". Once I do that, I have liability for the life of that item. And my only defense is that the usage (and failure) was so wildly unforeseeable that I could not reasonably be expected to predict it. And the only way to prove that is having my army of experts challenge the plaintiff's army of experts in front of a jury that can barely do algebra. I can't just say the users weren't supposed to do something stupid. I can't go around administering intelligence tests at the point of sale. OSHA, UL, NEC, etc. all exist for a reason. At that level, liability is a real consideration to be taken seriously.
Software designers get off easy and they don't want the noose around their necks like the hardware guys have. They whine and cry and tell us it is hard to get it right. Yeah, it is, but other industries have done it before. Step up to the plate and get with the rest of us. Say you will stand behind the work you've done, and then maybe you'll get some respect on all those other burning issues you have with society.
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
where is it even in the market place for consumers to have a choice in the matter? You got some serious assumptions you are putting out there as fact, so let's see some proof to it. Where is normal joe surfer software (the OS, some normal userland apps, etc) for sale that comes with a warranty instead of an end user license that says "nothing is our fault" and "this software provided as is, might not be suitable for a dang thing, hope U R feelin lucky"??
bad car analogy time
This is like the car companies saying there was "no market" for electric cars, even though they never put any out there to begin with, and the leased all-electrics went like hotcakes and the lessees BEGGED to be able to buy them, yet most got crushed in still fine working order.
You put a good OS and browser and a few more apps out there with a guarantee and warranty that YES indeedy you can use this on the internet and not get hosed and pwned and your printer will work and etc., and see what happens.
People are already dropping serious coin on fixes all the time, so why wouldn't they drop coin on stuff that doesn't need much fixin to begin with?
The rest of industry (I mean A to Z, the *rest of industry*) has come to grips with building to such a quality level that the rate of recall and fixes under warranty is under control; they can still "do business" and "make money" at it. None of their stuff is 100% perfect, none of it, but they got to the point it is plenty good enough, because they got REQUIRED to provide a certain minimal level warranty, even though when it was finally imposed on them they all cried crocodile tears and claimed it wouldn't work and would put them all out of business, it just wasn't possible, OMGBBQ we'd have to charge so much money no one will buy our stuff! And other such whines like we hear now from the digital bits vendors. The other industries managed *just fine*.
Software is the last major industry allowed to push snake oil under the "caveat emptor" rules; way past time that got changed.
And I think for most consumers it would work like this: you charge us serious cash, we want a warranty; you want to give it away as betaware for freebies or cost of media and duplication or download, we'll take it for free and maybe pay a very low reasonable amount for periodic bug fixes.
But charging serious folding cash then no warranty with your "full stable release" stuff is the problem, it is not the solution.
As it is now, we have no consumer choice, pay money for bugs, or download stuff for free with bugs, where is the "very little bugs to begin with at a reasonable price" stuff? I would bet that is what *most* people would eventually go to if it was there to choose from.
Having liability for software vendors and developers doesn't have to mean ridiculous rules, unrealistic standards, or absolute liability. For example:
Anyone who produces or distributes software has the obligation to undertake reasonable steps as appropriate to the nature and intended use of the software and the abilities of the producer to ensure that the software performs as claimed, is fit for the purpose for which it is marketed, is free from unnecessary security risks, and does not interfere unduly or unexpectedly with the functions of other software of the sort normally expected to be functioning in the intended environment. If it can be proved that a developer or distributor knew or ought to have known of significant security risks or bugs in the advertised or implied functionality of the software, or knew of undesirable behavior or side effects of the software, and failed to take appropriate measures to correct those problems or provide potential users with adequate warning, then the developer may be held liable for a refund or replacement of the product as well as liable for any damages arising from the normal use of the software. Likewise, if it can be proved that the developer or distributor knowingly overrepresented his ability or competence and in so doing misled customers about the likely level of reliability or correctness of the software, he may be held liable for any damages or failure of the software to live up to generated expectations.
In other words, if you claim to offer an enterprise-grade, rock-solid, reliable, secure application, and if you claim to be an expert in security and software engineering, you may be on the hook if your application is buggy, insecure, and unreliable. But if you just claim to be a hobbyist doing it for fun and make no particular claims about the software or your own ability, you wouldn't be found liable unless you did something wantonly irresponsible like suggest the use of your software in life-or-death situations or deliberately inserted malware into your code.
That wouldn't be bad, would it?
Compare the volume of business at McDonalds to the volume at a fine steakhouse.
Movie theatres vs. Live performances.
most people balance quality and cost, they don't get the best, but they don't pay the most.
some people are willing to pay more for a better product; such as Steakhouses, Live Performances, Macintosh, cellular data; while some can't afford much; mac-n-cheese, broadcast TV, and library computers, landlines.
If you want better software, it'll cost money.
If you want better software for everyone, it'll end up like Healthcare in the US. Only those with money can get it.
Sure. Let the vendor be liable. For what is paid for the software.
How's this: the vendor will pay back the price of the software if the bugs are too much. Software = $0, support = $500 per month. The vendor will really be a front for OSS communities.
So if vendors are made liable, Microsoft will go bankrupt, while developers of Linux et al will pay back exactly what they received for the product in the first place.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
If you buy Windows (especially with a credit card), find out it doesn't work within 30 days, you have recourse to demand a refund from the place you purchased it from. Really, really. Most people don't follow up on this and just take it in the rear, and that's why this has been allowed to go on for so long. You actually do have a 'right' to a refund. There are ways to bring liability to bear, but no one does it! It's staggering!
I can tell you that if enough people actually did follow up and bring the BBB, or the FTC to bear on MS for their absolute excrement they call software, something would be done. No one wants to take the time, that's the problem. Me, I took a different tack. I just stopped buying their crap! And, if I get promoted to a higher level in my organization I'm going to do everything I can to stop them buying their crap too! That's the other way you punish them, through accountability. If they build crap, and they won't fix it, you stop buying it, or you sick the dogs on them. Consumer laziness is the only reason why these vendors are getting away with this. Plain and simple. The system is in place to stop this, no one seems to want to use it.
But with free software, there is no contract because there is no consideration (money) on the part of the user (you could argue that this nullifies things like the GPL, but that's another story). So, it would be impossible to claim damages for something when you never entered in to any contract. FOSS would be immune to liability laws.
Surely OSS developers would be able to give the software vendor a heads up on any bugs found in the code and even fix them before a lawsuit appears on the horizon. If the vendor did not open source the code, they would have to find the time and funding to locate all the bugs themselves.
People think accountability is good and I agree.
But liability in potential litigation is anything but. I feel the lawyers will have a field day on this like they always do for everything else.
Yes, I am heavily in favor of tort reform and think lawyers are the scum of society but I have never seen anyone sue anyone other than to make a quick buck at the expense of society.
I certainly would not develop any software available on the internet and would pull anything, as someone could just incorporate my code, be sued, and then sue me claiming it's my bug.
It's a problem for those who prefer to use BSD style licenses. This means I have no legal recourse since I said in my EULA that they can use my software in their product. It was my fault that this vendor lost millions of dollars, shouldn't the company be compensated for, etc? Pretty hard to defend myself.
... Hello, Vista crashed and I lost all of my data. MS- well, it was clearly not Vista's fault, You must have caught a virus or something ... No, I was just going through all these dialogs and it just crashed man
MS- All your data you say? ... Yea
MS- Great, thanks for calling MS ... Don't you have to be held liable for bugs?
MS- Not so long as there's no proof of them
click
how long until
Just think how much MS / etc would have to pay? No, it is not going to be cheap.
A long time after all proprietary vendors fall dead.
In the US a last-minute amendment would ensure that large companies are well protected from any responsibility while a simple accusation would be sufficient to bankrupt an independent or a startup. For example, the only allowed penalty might be jail time (a trick which is widely used to protect corps from their crimes) or there might be a large ($100,000+) guarantee required. If you don't pay it you are deemed guilty; if you do pay it, it is held in escrow for a year or two then released less "administrative costs".
Anywhere else in the world, this has no teeth. The devs can always release their source as an "example of how one might do things" rather than as a binary product. Alternatively, the source could be distributed in a way that requires a minor change which "voids the warranty".
licenses. If your software is licensed including the requirement that you don't modify it and don't duplicate it, then a responsibility should be implied that they take care of said software.
If the responsibility of upkeep becomes too much, a vendor can always abandon the software.
Microsoft can't be expected to fix Windows 95 bugs forever, but on the other hand, people have paid for a working product that they should expect to be able to use forever. Seems to make sense to me that when they abandon upkeep, they should lose the responsibility over that product as well as the ownership; it becomes public.
A law making it so could replace much of the copyright law system. We could use the same concept with products, music and books: once they are out of production, out of print or unattainable by commercial means, they lose their exclusive license to the product and anyone can distribute it.
The problem with liability isn't who the software comes from before bugs have been found; it's who is permitted to fix the bugs when they show up?
Vendors should be liable for bugs because
they are the only ones allowed to fix them. If you give me permission to fix bugs as they're found, then it's my own damn fault if I don't. But if you insist that I come only to you to fix bugs, I damn well better have some recourse if you drag your ass.
If customers don't have modification rights, then they should demand rights to damages in case of negligence. Whether those rights are secured through existing contracts, or through legislation is an optional debate.
This model would mitigate lock-in pressure by proprietary vendors while preserving the competitiveness of FOSS.
You don't need a contract to be liable.
If I damage your property, I'm liable for damages.
Doesn't matter that there is no contract.
I imagine such a law would result in people identifying the intended use of their software as something that "provides no function beyond consuming storage space" and other weaselly BS to get out of it.
In many jurisdictions consumer protection law throws out liability or warranty disclaimers (waivers, whatever, go hire a real lawyer.)
It's all about intended use. If a program does not properly work for its NORMAL INTENDED USE and was purchased commercially, then vendors should be held liable. However, if the product was used in a way in which it was not intended to be used, then there should be no liability.
If you press your brakes on a new car and they don't work, then the car manufacturer should be held accountable. However, if you drive your car through a building and the brake line gets severed causing the brakes not to work, then the car manufacturer cannot be held liable.
Of course, however, coming up with the definition of "intended use" can be quite difficult. That, and there still aren't any solid definitions for computer industry best practices, so there's no legal way to tell if a company has applied due diligence to adhere to coding standards (don't get me started about that).
OSS, I think, should not be held liable except for malicious intent since it is distributed "as is".
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
Potential Compromise (which, since it is 150th something comment will probably never be seen):
Allow liability only to the amount of profit made from the product... or at most punitive to the amount the customer paid to the software creation company.
Additionally I think there should be a limit on the types of bugs... standard bugs should NOT be considered negligence but SECURITY related bugs should.
Hard to sue an OSS group unless there is an org around it. the right wording in the law could result in more OSS software.. in order to avoid being taken to court corps could do OSS for key components of their software.
Democracy Now! - uncensored, anti-establishment news
if anyone has a problem with my FOSS programs, then I'll pay him all the money back, that he gave me for them...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
I have long supported vendor liability for software. I believe that it would allow commercial software and OSS to coexist better. And by the way, for those of you who didn't RTFA, the author doesn't imply that open-source contributors should be liable for bugs. Here's my take on the idea:
1. Open-source software generally costs nothing, and no warranty is made on the function of the product.
2. Commercial software generally costs money, and no warranty is made on the function of the product.
As of right now, there seems to be little difference - except that someone gets paid for making commercial products, which may or may not function as the consumer is led to believe. So let commercial software companies voluntarily increase the value of their products by making certain guarantees on performance.
For commercial software to stay relevant, I believe that every product needs to include a basic guarantee of the functions that it must perform. Note that when I say "guarantee", I don't mean that the company ensures that there are zero bugs - this is unrealistic for complicated products. By "guarantee" I mean that when the product fails to perform its specified functions, resulting in damage, the company should accept liability for the damages.
This wouldn't kill open source software. It would enhance the ability of end users to choose according to their needs. The "software guarantee" would be like a form of insurance. Customers for whom a product failure might be very costly would opt for the commercial product, in a risk-averse fashion. Customers for whom product failure would cause small-claims damage would likely opt for a free, no-guarantee product instead. There's my two cents.
If you provide source code, then your liability should be reduced or eliminated, because you've given the users of your code a way to deal with bugs without relying on you. But since proprietary software vendors don't allow you to fix bugs in their software, then they should be held liable for those bugs.
How would this work in a software product? I would argue that any liability regulation as applied to software needs to make it very clear that liability is limited to the purpose for which the product is sold. (In other words, there would be a document which can be easily accessed by the consumer which states what the software is known to run on, what the software is known to do, and what the software is known NOT to do.)
Let's say there's a bug in the Linux kernel that prevents it running on processors made of Swiss cheese (such as the Itanium). That bug is declared as part of the product. Part of the purpose for which it is now being sold is to NOT run it on processors made of Swiss cheese. It would be absurd to hold a company or person liable for selling you a product that does what it says it does.
This means that developers would need to clearly document what they know FOR CERTAIN works, and what they know FOR CERTAIN does not. (IANAL, so how do I know that this is even vaguely plausible? Because people do stupid things with otherwise functional products and yet civilization is still essentially intact.) Clear, quality documentation will not kill Open Source. It stands an excellent chance of improving it, because others will have a clearer idea of what isn't working (yet) and why.
Now, what about all those people who sue for no obvious reason, just because they see a chance of getting some quick cash? Well, the documentation should prevent such people from actually getting said cash, because it is clearly stated what purpose(s) the product is usable for. Absolutely no use outside of those limits would count.
However, legal cases aren't cheap, so you'd probably want something extra in there. I'd suggest something along the lines of "developers are not liable for the consequences of abuse of the product" (just to make things clear) and "whereupon it is shown that the case is frivolous, malicious or criminally stupid, the plaintiff is liable for all legal costs by the defendant, plus damages to their reputation". This should limit the number of cases and might even help fund Open Source developers where court cases result from FUD or attempted robbery by the suit addicts.
(It might even force companies to tone down the anti-Open Source FUD - each case won by the developers would damage the credibility of FUD perpetrators. It would become too expensive to keep believing them.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Every one of his anecdotal examples deals with a punishment for dishonesty. Charging software developers could be punishing for incompetence. Also, as a software developer, I couldn't even count the number of times a bug has cropped up within the operating system layer (both Microsoft and Linux) that made my application fail.
We have something like this with our mainframe that holds all our financial data. Thing is super reliable, I'm not aware of it ever crashing or losing data ever. However, cost aside, there's another major downside: We can't screw with it at all. Software installation isn't permitted, configuration changes aren't permitted. The support contract basically specifies that we will leave it the hell alone, and any changes have to go through IBM first.
Now it makes sense, you cannot predict the interactions between new programs. If we were just allowed to mess around with it, as we do with desktop computers, sooner or later we'd install something that would conflict with something else and cause problems. The software can only be verified if it's a known system, so they just don't allow any new software to be added without prior approval and a lengthy and expensive verification procedure.
That's fine for the financials DB, but I'm not putting up with that for my desktop. I need to be able to install software on no prior notice from any source. Yes, this can lead to problems, but I'll take those problems to have the flexibility I do.
So yes, you can have a rock solid system if you are willing to pay a lot for it, deal with slow development, and accept a very restrictive environment. If those aren't ok, then you takes your chances. Open, commodity systems CAN be very stable, I've seen servers go years with no OS or app crashes, but they cannot be guaranteed to be so.
Most software is non-critical, and the software that is critical (flight control systems) is developed with security and reliability in mind.
Just because the failure of some software doesn't maim or kill people, or is not the direct cause of millions of dollars in losses, doesn't mean that consumers shouldn't be warranted against defects. Commercial software is notoriously lax in comparison to most other consumer goods--for example, about all Microsoft warrants against is damaged physical media. The law is significantly more stringent for minimum warranties on physical goods, even "non-critical" items. Your car isn't just warranted against safety-related problems for example (to bring up that tired "if Windows was a car" analogy, if Windows were a car it would not be covered under warranty if an engine flaw caused it to stall every 10 minutes because there are no performance guarantees). The least they can do is give you a refund for the cost of the software.
There has to be a reasonable balance, and right now the software industry is "unbalanced". End users certainly don't demand "critical-systems" reliability from their home computer's productivity applications--they just want value for their dollar. If I go to Home Depot and buy an electric drill that falls apart due to poor design or manufacture I expect I should be able to take it back because it cannot properly drill holes or drive screws. On average commercial software is more expensive than a drill, however I have a much harder time returning it for refund because it crashes my computer when I try to use it for the purpose it was meant for (say, I cannot e-file my taxes with the tax program or something, when it says right on the box it can do the job). It's not like we want millions in liability coverage included.
Does this jeopardise Free software? I don't think it does at all. If you download free install packages, and especially if you download source for free then compile it yourself, I can't see how any warranty at all can be justified--you take your chances because you get more than what you paid for (which was just your time). However, I'd expect a modest level of warranty for functional deficiencies for SuSE or Red Hat for their commercially distributed versions of Linux and other apps, just the same as I do from Microsoft. Is a full refund of purchase price on brand new merchandise really too much to ask for?
In cases where a consultant or systems integrator has made use of open tools, it is they--NOT the original code contributors--who should be held responsible, since it was the consultant who had the job of selecting, modifying and deploying the system (they should review for fitness of purpose). Basically this is the case already--where I work we are responsible for making sure our systems perform as expected, even though our software runs on a Microsoft platform and it is sometimes Microsoft's defects that are the root cause. The reason we are liable is because we made the decision to use the Windows platform and we were responsible for testing and making sure defects in 3rd party software were not critical.
Another poster mentioned the case of collapsing suspended walkways at a luxury hotel in the early 80s. The engineering firm and supplier of the walkway supporting rods were held liable and paid dearly. In the equivalent software situation the liable parties might be the IBM consultant or the designer/developer of a purpose-built, custom software component. Suing Linus Torvalds because a defective system failed due to a Linux kernel bug would be like suing the company that mined and processed the steel to make the rods--because it is one component in a complex assembly of diverse components and should've been adequately tested.
http://schneier.com/
http://schneier.com/blog/
Schneier's column at Wired is about security decisions, not just software. It is a regular feature.
Go to his blog to read the comments from the well-informed readers he attracts rather than the Slashdot monkey mob. Some of the readers there also ask where the beef is on vendor liability, and it turns out the question is not a new one to Schneier's body of work.
http://www.schneier.com/blog/archives/2006/06/ali
The only thing I agree with in what you said is that the Slashdot article summary is misleading. Otherwise, you are at best grossly misinformed, at worst on a bit of an afternoon drunk yourself.
Q: What did the comedian say to the crowd?
A: If I knew, this joke would be funny.
As pointed out by someone else there are not very many details to go on in this article but I would venture to say the author's use of the term "Software vendors" implies he is talking about commercial distribution of software. That would suggest he wants companies who sell or license software to be responsible for it not necessarily the authors of the code.
If so, OSS contributors would not be risking anything unless they were also somehow licensing or selling the code for money. I run an open source project at http://www.freeswitch.org/. If someone turned my free code into a commercial product and started selling it, I would certainly want to see disgruntled customers suing *them* and not me =D
Proof is not the same as possibility. Perception also needs to be taken into account. When it comes down to it, if something seems like it will be expensive, it may stop people from buying. Take a BMW. My experience shows that actual maintenance is about the same as an Acura or equivalent. People believe that the Acura (Honda) will be cheaper to maintain, when in my experience they're pretty similar overall.
It's called spin. Linux has value. You know this and I know this and many Slashdotters know this. If you can tell a decision maker that it's got a huge cost associated with it by showing only some information to them, then you can get the purchase.
Sometimes you have smart bosses, but other times you don't- and you're only as good as the Windows-loving bastard who is advising the upper manager, and the team of dollar-hungry Microsoft goons that come in to convince you to come to the dark side.
So? I'll tell you that California has a huge tech centre. A statement, made by me. Where do I get this idea? A few companies I know are there. The state and city and its associated groups advertise and promote this concept. Probably some studies support me. I'm sure some other studies may say other places are better as well. Use common sense and filter out information that works for you.
Bingo. Nothing is unbiased. I'll tell people Linux is handy as a server and much cheaper. It's because there are figures that you can't put money on. Like what beyond purchase price you ask?
I'm sure they used some figures like this:
- training staff to solve problems in Linux- 52 weekend sessions at $2000/weekend by 10 administrators
- purchasing all new hardware that is certified compatible (because the current one only has a Windows sticker on it... which they already have... so $0) $20,000
- training users to use openoffice - $2250/person weekend seminar * 500 employees
See how I just spun those figures? $2,185,000 that you wouldn't have had to spend if you stuck with Windows.
In actuality? Many users would do fine with a day of in-house training, and the administrators will solve problems as they come and don't need more than a few crash courses.
-M
when you see the word 'Linux', drink!
Even (theoretically) perfect software can be ruined by a buggy compiler.
As such, it seems to me any liability should be assigned to whomever compiled the software.
That would leave Open Source software developers liable only if they pre-compile their software. If they're just distributing source and allowing people to compile it themselves, they cannot be held liable for bugs the compiler puts in.
Shared source distributors would still assume full liability, since you can't compile that source code. (Or, if you did, you assume the liability yourself.)
I think Stallman would love this.
The thing about things we don't know is we often don't know we don't know them.
Look. This keeps coming up. If you sell something, then you have an obligation for its quality. If you give it away you don't.
Linus Torvalds would not be held liable for bugs in the Linux Kernel.
Red Hat would be held liable for bugs if people buy their software from Red Hat.
If I was to sell Debian Linux, I would be liable for bugs in it. Debian would not.
Microsoft would be liable for bugs in Windows.
Microsoft would not be held liable for bugs in software they give away.
If I sell you a toaster, then you should expect it to work.
If I give you a toaster, then don't.
I write and sell software. Typically for $10 to $25. None of my software is perfect (bug free), but it is pretty good and keeps getting better.
I choose to improve the software with extra features all the time (upgrades are free). If I faced a penalty for any bugs, then I would
a) have to fix minor bugs rather than update features (that wouldn't generally be in the best interest of most users)
b) fret about adding features (they inevitably add bugs)
c) worry about being sued out of business
If you make it harder for people to create software, then the inevitable effect will be that fewer people will create software. That will mean software in general (there will be exceptions) getting more expensive and/or more boring.
Why not just try to create a more efficient market? E.g. how about a central site where users could report on the bugginess of software.
One cannot legislate perfection in a field where perfection is not attainable. Did not Fred Brooks show that the essential complexity of algorithmic software cannot be avoided? But all is not lost. Switch to a non-algorithmic, signal-based, synchronous software model and the problem will disappear.
That sounds like an inherent contradiction to me. If vendors are liable for bugs, vendors must have restricted access to source code. Commercial software companies, such as Micro$oft, should be held liable since they rarely let anyone else see their code and they explicitly state in their license that they will take users to court for trying to reverse engineer the code. With open source, everyone can see the code, thus everyone knows or has the potential of knowing what possible vulnerabilities exist within a software program.
I must be entirely missing the point here. I do not see why we would hold any of these companies liable for bugs unless they were contractually obligated to be bug-free, which is just about as far from reality as you can get.
The vendors always clearly provide an EULA among other documentation which states that they are accepting no responsibility for problems in this software, and that you use it at your own risk.
So if you are buying this software why are you then upset when it has bugs? If you want a guarantee that it is bug free then you should make this deal with the vendor ahead of time, or purchase some sort of insurance policy.
Why must people be constantly looking to government to protect them from their own shortcomings? The vendor clearly tells you they are not sure the product is bug free, and clearly denies liability, and then you are surprised to find there are bugs? Perhaps these people should run to their mothers for a warm glass of milk to help them calm down.
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...
No, it's a feature - bugger off!
I mean really. Like corporations that spend millions a year paying off politicians are going to willingly open themselves up for lawsuits. Since laws won't be made that will enforce that kind of situation, who else will enforce that kind of rule? Certainly the software producers won't. After all they should be doing that now. The end user? Sure, as soon as they figure out how to get around the EULA. For that matter when they start reading them and not installing software with a EULA they don't like.
Nope, liability for software bugs will never happen.
Patently not -- the publishers of every imaginable work from cookbooks to newspapers would rise up in revolt, and the Courts would almost certainly find First Amendment grounds to shoot the idea down.
Well, software libre is no different. Fortunately, the current Supreme Court seems to have acquired clue on the subject (I remain boggled). Lower court decisions that "code is not speech" aren't given much of a chance by the oddsmakers, although they grant that betting on any court decision, much less those of the USSC, is unwise.
The "killer argument" from those who want a legal distinction is that "code" can be used to "make computers do things," as compared to "speech." Those whose courts have been relocated out of caves are familiar with the idea that computer capabilities are improving over time, and that we already have limited speech recognition. Thus, the "killer counterargument" is that the permissible scope of protected speech is shrinking as computer speech recognition improves, eventually to disappear entirely once we reach threshold levels of artificial intelligence.
Don't try to tell a Federal Judge that the First Amendment was a quaint and transitory historical fashion, to be obsoleted by technology.
Thus, liability for "code" falls, in the end, under the same law as liability for any other writing. Which judges really do understand, and are very unlikely to impose in any way that materially threatens software libre.
Sleep tight.
Lacking <sarcasm> tags,
for free ("as in beer") is what...um...let me get out my calculator...
As an Independent Software Developer whose business is contracting with a corps to develop their application, this would put me out of business.
Essentially, this could mean not only developing for free, but being held liable to PAY BACK the money the client paid, a good portion of which I paid to my developers.
And over what? Some minor errors? I've never released code with critical errors, but minor ones do spring up and get fixed free of charge.
But to be held liable would mean it's no longer a "just fix it" issue, it's hoping your client doesn't unleash the lawyers on you to get the application for free and put your ass on the streets.
Seriously. An unethical client could engage in a software contract with the sole intention of finding ANY bug at all after delivery in order to try to sue me for the cost of the development in total. And at that point, I've already lost.
At that point, the lawyers have won because my money will go to lawyer fees now.
This is the most asinine idea I've heard in some time.
But a great way for everyone to get their software for free... but then who'd have time to write software, since you'd have to give it away for free to not get sued, but still had rent and bills to pay. And those working in software would lose their jobs since even MS would have to leave software due to no profits in selling code.
Great idea asshole.
Question to Wired: Why do you accept and publish articles written by people who have absolutely no FUCKING CLUE as to what the fuck they are talking about?
Seems too complicated to make something like this fair to me, and I'm somewhat technically literate. Just imagine how useless a law like this would turn out after our friends in Congress got their stink all over it.
Instead of encouraging progression, Congress sometimes hinders it. Congress shouldn't do any more than it is authorized to do!
Falcon: Should there be a Law?
Is it a 1:1 ratio? So if Windows corrupts millions of customer accounts and doesn't report it and I end up backing up corrupted data I can only ask for $199 in damages? Or would a 10:1 ratio make more sense? Ask for $1990.. 100:1 ? 1000:1 ?
What is reasonable would be compensation equivalent to the loss times some multiple, say if you lost $1,000,000 then you should be compensated say $2,000,000. Of course this would apply only if the vendor/creator didn't try to produce a fix within a reasonable time period. However Congress should stay out of it and let the courts handle it.
The software reliability soapbox is getting tired. The economic reality is that the price of the software is subsidized by the user's acceptance of bugs. Change that subsidy and the cost will go up. Increasing the cost will make software less affordable to some current purchasers. If OSS is held to the same standard, innovation will be stifled. If not, OSS will truly thrive at the cost of commercial software.
All this proposal would do is to create a software vendor liability insurance industry. Software vendors would buy liability insurance policies (just like doctors buy medical malpractice insurance policies), and pass the costs on to the customers.
-- "I never gave these stories much credence." - HAL 9000
Would improve quality of the next MS Windows a lot ...
Uhhhh, just how accountable is the corporate software? Seriously, when was the last time anyone saw MS or any of the other companies held liable for their creations?
Let's be fair now; OSS shouldn't be held accountable to a degree that is different than what current software creators are held accountable to.
How did we get to this state of affairs?
Whether or not a software vendor should be held liable for bugs in their software depends on what they promised to the customer. They should be held liable for no more and no less than that. It's the same as with a vendor of any product, not just software products.
If you go to solutions provider X, and hand them a list of your requirements, and they agree to provide a solution that satisfies those requirements, and you both sign a contract that embodies that agreement, then of course they should be held liable if they fail to meet their burden under the terms of the contract.
If you buy a box of software from Vendor Y that says that its purpose is to enable you to write letters to your grandma, that is an implicit contract, since you are exchanging your money for the product's functionality. Depending on where you live, you might have legal recourse, if the product fails to live up to its stated purpose.
The obvious escape from this, which all software vendors take, is to not state that the software enables you to do anything specific, and to explicitly disclaim fitness of use, for any purpose, in the software EULA. They can then say that the name "Grandma Writer(tm)" was merely meant to convey that the product is so easy to use, that even your grandma could use it, and not that it is guaranteed to facilitate communications between you and your grandma.
So, for example, if you download gcc and your airplane crashes because gcc generated incorrect code for your embedded processor, then you're shit out of luck if you want to sue the core gcc dev team. The license agreement for gcc explicitly states that the software is not guaranteed for any purpose whatsoever, so use it at your own risk. By accepting the license, you shoulder the responsibility for any damage that results from your use of the software.
In the case of the Vendor Y, the EULA is to cover the vendor's ass, so they can make some profit, instead of spending all their time and money in court. In the case of gcc, the license is to cover the developers' collective ass, so they can continue to develop gcc, instead of spending all their time and money in court.
Vendors: Do what you promised you were going to do. You have a contract with the user. Live up to it. But don't expect users to rush to buy your product if you don't actually promise that it will do anything.
Users: Vendors are responsible only for what they agree to be responsible for. If you need the software to do more than that, then renegotiate your contract, certify it yourself, or get a third party to certify it. The vendor is passing the buck, and it's up to you to either walk away, pass it on or accept the responsibility. You are the solutions provider here. You have to decide who's going to be first against the wall when the revolution comes.
A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
All that would result from something like this would be extremely specific running conditions. ie, "Must run on Windows XP patched to date X (and no later) running no other software, not connected to the internet, and only using the software specifically as directed in the manual."
Such software could be exactly what's on the market now.
"Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest."
The article argues that the onus for dealing with insecurities should lie with the entity which has the capability to deal with them. With proprietary software this would fall on the vendor but with Open Source and Free Software anyone that owns a copy has the capability to improve security. There is no reason why the liability should fall solely on the vendor in the case of Open Source and Free Software.
I see many here saying that only those that sell software should be liable, while those that give it away for free should not. If such a law were passed, you can bet that FOSS would be killed off in the corporate world, as corporations would gladly rather work with software vendors that can be held liable than those that cannot, as the former have something to lose for having bugs while the latter is free to produce bug-infested crapware. It makes no difference if the "free" software is actually good; corps would feel safer using software produced by someone that could be held liable.
And as I said in another post, large commercial vendors would survive, as they'd simply buy software liability insurance (ala medical malpractice insurance). Smaller vendors would be hurt if they couldn't afford such insurance.
So FOSS is hurt (corps won't use it because FOSS "vendors" can't be held liable for bugs), small commercial vendors are hurt (since they can't afford software liability insurance), and large commercial vendors thrive since FOSS and small vendors are eliminated.
This is ridiculous. You cannot regulate software because it is speech. I have the right to publish bogus sources like I have the right to publish a medical book full of dangerous suggestions.
If you want liability, just require the vendor to comply with a certain certification and if it turns out the product really doesn't conform to it, sue him. Oh wait, this is already done.
So if you want certified software, ask for it and pay the price.
The sooner you fall behind, the more time you have to catch up.
No, but it would put commercial software companies out of business.
Lawsuits are lottery tickets that are ruining society and nothing more.
Are you talking about lawsuits in general or specifically buggy software lawsuits? I ask because almost 10 years ago I was hit by a moving van driven by a diabetic who had a history of causing accidents and fled one state to another because an arrest warrant had been issued with his name on it. While I was in a coma the docs told my family it'd be a miracle if I survived, NOT!!! The accident left me with a TBI, Traumatic Brain Injury. Because of the injury I spent more than a year in therapy with three different groups and I still have many problems. Especially with memory, my short term memory is almost shot and long term memory isn't much better. My communications skills are bad as well, I've had to use my dictionary which I keep at hand a few times while typing this (and it took about half an hour typing this). The hospital stay and initial therapy I got at the hospital ran to more than $100,000. And the last time I was in therapy, about 6 months in therapy 7 years ago, was $1500 a week. I eventually had to stop the therapy because I couldn't afford to pay for it and insurance wouldn't pay. If it weren't for the fact that while I was in the coma my family got an attorney to hold the company the driver was working for when he hit me responsible there's no way they could have paid my medical bills. As it turned out the company's insurance decided to settle before the case ever went to trial as there was plenty of evidence the driver was responsible and the company was negligent in hiring him. At the time I was hit I was a college student majoring in Computer Engineering, but I came to realize while living in a rehab house after leaving the hospital that if I wanted to continue with it then I'd have to start all over again. And that's if I could understand and apply it. Now I don't know what to do.
This issue isn't restricted to OSS. If I buy a copy of Windows at Best Buy, should BB be held accountable for the bugs in Windows? If I resell my copy of autocad to a student, can I be held responsible for the bugs?
I think it becomes clear that it doesn't make sense to make the retailer responsible for the merchantability of the products they sell, with the exception of false advertising.
So if you sell copies of LaTeX, with the claim of it being without flaw seen or unseen, only to have someone eventually find a bug, then you are liable for false advertising. But otherwise you are fine.
Would OSS be so popular if customers were able to hold (closed source) vendors accountable for their bugs?
This is nonsense. You are obviously not a developer.
This discussion misses one central point:
[1] It is possible to develop good software.
[2] Quality costs money.
[3] If software is priced (high) to reflect its cost and quality, it will be pirated, and the developers will not cover their expenses.
[4] There is a ceiling to the cost of software, and it is the equivalent of the nuisance value of duplicating the CD.
Not everyone can afford a Porsche, yet Porsche continues to stay in business. Those who can't afford a Porsche, don't whine that Porsches should be free.
You want the software equivalent of a Porsche? Show me how the developer can be fairly compensated and then maybe we can entertain this silly notion of liability.
Slashdot entertains. Windows pays the mortgage.
A lot of vendors would go out of business if that were the case. Including MS! MS has bugs in it that are critical.
Only 'flamers' flame!
Does slashdot hate my posts?
the GP said
>This is getting way too complex.
You replied blah blah, 50 or 100 different clauses. Isn't the law incomprehensible and unworkable enough already? Bearing in mind most long-winded laws start with simple and often good ideas.
No, I haven't read your post. Should I? I don't know why you expect anyone to. Learn to make a point. Stop fantasizing that you get to run the world and fix everything just how you like it.. I'm off to smoke some crack.
What if you could magically replicate the bridge, and not pay the engineers for the 2nd, 3rd, clone etc.? Ignoring the fact that the terrain and other circumstances vary, how would you feel, Mister Engineer, if you sat on your derrière, unpaid, as your design was copied with no compensation for your efforts?
Don't confuse the economics of tangible goods and services, with the new economics of digital media, which can be copied at no cost. You don't get what you don't pay for.
I don't know what the answer is. Show me a way I can receive consistent compensation for whatever I chose to charge for my software, and I will accept liability. You don't like my price? Don't buy. You think I'm not entitled to charge what I want? Please tell me what language you write and what applications you have developed.
I don't have the iron ring on my pinkie. I am no more qualified to judge your work, than you are to opinionate on software.
>Uhhhh, just how accountable is the corporate software?
Let's see the contract and let a jury decide the level of performance to the contract, and you will have an answer for a specific instance.
-fb Everything not expressly forbidden is now mandatory.
Should self-proclaimed security experts, like Bruce Schneier, be liable for bad security advice?
That is, if Mr. Schneier tells people that a certain thing is secure, and then it turns out to not be secure, should he be liable for it? For example, if he had told me to use MD5 ten years ago, could I sue him now that MD5 has been discovered to be "insecure"?
Yes. Any number of things would kill OSS, but if you really wanted to kill it right now vendor liability for bugs would be a very good way to do it. I say give it a shot. ;)
The alternative is to believe a truly distributed system, such as the internet, is impossible to kill. But that's only a theory.
Gimme a break. I don't care how good you are, there will always be bugs with programs with any amount of complexity. You can't crucify the company because of bugs in their software. If they don't do anything about it then they will lose customers and therefore go out of business. If they have a monopoly then sooner or later an OSS version will pop up that will be better.
Does anybody else here find that that's the only common use for them? The external parts of the ears normally get caught up in the rest of the face washing. I'll admit that one time I poked too far and my hearing went funky for a couple of days, but I don't see that as enough of a reason to explicitly state you should never use them in that way...
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Also, if you're MS or Oracle or someone with a lot of customers or very important customers and complex product, you can't simply rev the code with a patch, there are usually QA efforts associated with it. In Oracle's case, even if you could rev a patch very quickly for something, you might not be in any position to actually apply it to a lot of the databases that need it because they can't go down except for a very small percentage of time (which is scheduled) to begin with. So you put some kind of good faith, 90 days or something for the vendor to fix it in and then it's meaningless. By the time they come up with the right length of time and the protocol for reporting the defects, when the clock starts, etc.. You've got a new IRS and tax system, it'll be so complex that we won't be able to implement it.
Never mind that there are classes of "security problems" which aren't seen by everybody as security problems. And also never mind the fact that some incredibly small percentage of the public actually reads their EULAs or tracks them or takes them seriously.. This seems like an idea that would be ripe for a bunch of pointless lawsuits.
Not more than commercial software. All software is full of bugs. I'd say a number of companies would be dead before one open source project. I mean, how can you kill something that is free and open for anyone to hack and redistribute? How can you control distribution? That leads to: How can you control free speech? There are ways, but I don't think our society is going for that...
It would kill *ALL* general purpose computing.
The only safe language to code in would be assembly, and you'd have to write all the code yourself, unless you wanted to be liable for the output of the compiler or the libraries you linked to.
Shared libraries and loadable modules couldn't be trusted, since if your application had them, someone else could substitute a different library or module, and your code would never know the difference. If you added checking mechanisms to *for sure* know the difference yourself, you'd have to trust the FS.
All applications would have to be embedded applications, since you couldn't trust an OS vendor - what would happen if the system call behaviour was changed by the OS vendor? What if it wasn't by the OS vendor - what if the OS vendor trusted third party companies to write drivers?
What about firmware? The OS trusts the firmware to load it! What if the firmware changes, or isn't exactly the firmware you expected?
What about the hardware? What if the instruction set on the CPU changes? You'd have to tie your software to particular hardware; historically, for example, 6502 processors were mask-programmed, and had "in between" op codes - they'd do something, but what the side effects were depended on the chip stepping. Your code could work in testing, but not in production unless you guaranteed the same chip lot, since it might be working as a result of a serendipitous error that was fixed in the next chip.
Down this road, you'd only ever have software sold by people who made the OS sold by the people who wrote the firmware sold by people who built the hardware... and maybe the components of the hardware themselves.
So basically you'd have... what... nothing left, but IBM from the 1950's?
-- Terry
Since M$ doesn't seem to be able to produce software without a plethora of critical bugs, let alone the odd incidental bug, legislation like this would have a far bigger impact on them than anyone else for two reasons: 1. Their software is as buggy as a bee hive. 2. Everyone uses their software. They'd be screwed!
If somebody breaks into my house and steals thousands of dollars worth of stuff, can I hold the builder responsible for a security flaw in the house? No.
So why is it when you purchase software you would attempt to hold the vendor responsible, if they have made no claims as to its security?
"I wouldn't pay $2000 for a home OS, because it wouldn't be worth my money. "
Why pay money, when you can contribute to FOSS yourself? You said you were a graduated software engineer. Go ahead and download Ubuntu (hell, they'll ship you a CD for free, no strings attached), plug it in, and enjoy it. If you fix 1 bug a year, you're doing far more for the community than you would if you spent $2,000 on Microsoft products. Even just helping people who can't write software to tell the maintainers (as an abstraction layer, if you will) would be of great benefit.
Thanks in advance.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Vendors would simply put the Mother of all Warnings on software:
WARNING: This software may kill your dog, girlfriend, and business in a giant explosion that may melt houses for miles and miles and trigger avalanches, mudslides, diseases that make your face melt like hot wax in Phoenix in July, and a losing streak for your favorite team that spans longer than the history of shelled sea life. It may also miscalculate your taxes and trigger a giant bankruptcy bigger than Enron. It may also result in you going to hell and being butt-raped by Satan himself. You have been officially warned. Otherwise, enjoy your new software.
Table-ized A.I.
Lots of comments around mention how it would be impossible to make bugless code, and that it is hard to find the source of the bug (libraries etc.)
:-)
To me this sounds a lot like "We're inept at programming. Please don't punish us for that".
Right, it's hard to make a product without flaws, but guess what - it's being done everywhere for almost every product!
You think your computer's hardware was a piece of cake to manufacture? (Think CPU, memory, cards, etc.) Yet if any of them failed, wouldn't you expect liability? This means replacing the product with a better one (fixing bugs), and paying for whatever damage the flaw has caused (if it has). You don't care if the flaw was in one of the many parts that compose that piece of hardware, and you don't care if that part wasn't even made by the same company (think code libraries).
Why should software engineering be any different than any other kind of engineering?
On a personal note, my job is to program software. Yes, I produce bugs as well sometimes. My "clients" are other programmers within the company. Whenever a bug is found in my code, I immediately try to fix it, and offer an update to all of the users. I also compensate whoever found that bug with chocolate bars.
|| Geshem ||
B) If you have no idea what you are talking about, as is clearly the case here, then simply STFU
-- just call me Colmes
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Re: your sig:
:)
For units with bitlength a multiple of 4, (0x2B | ~0x2B) == 0xFFFFF.... So there. (Revision 4 and counting...)
What about: (0x2B | ~0x2B) == ~0
Pavlov. Does this name ring a bell?
That kind of approach can be used for purchasing software; however, it flushes the whole software-as-an-off-the-shelf-product idea down the drain. Maybe this idea's implementation can be started with a target group and slowly expanded based on the usage/feedback.
* lon3st4r *
I think that more goes back to Godel.
Switch to a non-algorithmic, signal-based, synchronous software model and the problem will disappear.
Along with your productivity!
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
It's not my understanding that people use OSS because of fewer errors, but rather because it either suits them better politically or because the OSS software they're using is just better than the rest.
...and of course it makes me feel better :)
I'm running several Linux distributions on the PCs at home, and it's not because of fewer errors I'm doing it. I like not having to pay for my software, but rather have the option to donate money to the programmers instead.
A proud member of the Onion-in-Hand alliance
I can't believe someone's named "drinkypoo"
This is one of the stupidest ideas ever.
If the client finds a way to break my software, I owe him $1000???? MORE?
Even if it was $10/bug per client, I would never sell software for less than $10000, and I would want all customers to undergo a credit check.
It would kill all software, not just free software. If one country in the world was exempt from the treaty or exempted OSS from liability, then all software would be produced in that country.
Possible, yes. Necessary? I have to say that legal solutions to non-issues are part of the problem. Is the fact that there are bugs in software such an enormous problem to the industries that choose to use them enough to warrant the warranty? The fact is that the AS-IS, caveat emptor contract only seems to bother those who've been burned by it and now are looking for someone besides themselves to offset their losses. There's nothing inherently broken about it that requires fixing.
From your link, you say: "No matter how you slice it, bugs (software or hardware, Microsoft or General Motors) *will* cause real financial (and otherwise; health, property, whatever) damage." Yes. It will. It doesn't mean that the person who wrote the software should be liable for that loss. Seems to me that if you put a piece of code out there, and by out there, I mean anywhere that it is accessible, a person has a choice to use or not use a piece of software. That person can choose to use it for mission critical affairs even if the design of the software is inappropriate to that purpose. When you're dealing with software, you are relying upon the user to exhibit a certain level of expertise to avoid damage. If you give the onus of liability to the developer, you've just shifted the burden from the end user back to the developer, making the developer responsible for the end user's behavior. I don't think there are many developers who are comfortable with that arrangement, regardless of how you limit the tort possibilities. Ergo, less motivation to develop software.
Suppose the OSS community managed to lobby for and have passed a liability law that was based on the customer's (software buyer's) ability to have the problem fixed, i.e. you're liable only if your software is buggy and your product by its nature presents technical obstacles to the customer's ability to make any needed "repairs" to make it work properly.
Such a statute would be a huge boon for open software and DRM schemes, since it would essentially free open source from any liability, and at the same time it would discourage software companies from using DRM since it lets them out of any "grey area" argument about excuse from liability due to the customer's ability to fix software by disassembly and/or reverse engineering.
STOP . AMERICA . NOW
With the current state of the art, we can only conclude that bug free software is beyond us. Even the space shuttle's avionics software, after millions of dollars and a decade of work, is not bug free.
Considering that the software is much smaller and does a lot less than a typical desktop machine (imagine if you had to load a new tape to go from email to IM) I think it's safe to say if vendors are made fully liable for bugs there will be no vendors. How many people want to wait 50-100 years for the next release of their favorite OS? How many are ready to spend $100,000 for it?
Even partial liability would do a great deal of harm to the economy. Given tremendous potential liabilities, vendors will be obliged to charge tremendous prices to offset them (either directly or to pay for insurance).
Now, for the article itself. It didn't necessarily say vendors should be held liable for bugs, not even security bugs. It just said we need to align capability with interest. It even made clear that we must be careful HOW we do that or it won't work (the Italy example).
There are many ways to align interest with capability. For example, educating consumers to demand security or go elsewhere (yeah, right). Perhaps require the number of bugs in the previous version to be prominently displayed on all trade dress and marketing materials. If too many security bugs are found (or if they are not patched promptly), the package must display Mr. Yuk for the next few versions.
So, yes, vendor liability could hurt OSS. It would also likely destroy the industry and any others (that is, any business larger than mom and pop) that depend on it.
I know that with the GPL, anyone who uses it puts a statement saying roughly "We take no responsibility for whatever this software program does. Use it at your own risk." waiving liability already.