Slashdot Mirror


Would Vendor Liability for Bugs Kill OSS?

Glyn Moody writes "Bruce Schneier has written an interesting column for Wired suggesting that vendors should be made liable for bugs in their software. But where would this leave open source developers? Would what seems like a great idea actually be the death of free software?"

6 of 377 comments

  1. Death of "fluff" articles by Anonymous Coward · Score: 1, Informative

    I'll save you a couple of clicks.

    The meat of the article, minus 3 stories (employee theft, ATM security and tax dodgers), spread over 2 pages:

    For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest. Features, schedule and profitability are far more important. Software liabilities will change that. They'll align interest with capability, and they'll improve software security.

  2. Are bugs even mentioned in TFA? by Lord+Grey · Score: 2, Informative
    The title of the article is "Make Vendors Liable for Bugs." Nowhere else in the article does the word "bug" appear. The closest Schneier even comes to talking about software is in this paragraph:
    Computer security is no different. For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest. Features, schedule and profitability are far more important. Software liabilities will change that. They'll align interest with capability, and they'll improve software security.
    Maybe the original, unedited version of the article did talk about bugs. I don't know. But this entire thread is a little OT compared to what the article really says.
    --
    // Beyond Here Lie Dragons
  3. Not even close by Just+Some+Guy · Score: 2, Informative
    This would not only kill OSS, but the whole software industry would go bankrupt in no time.

    No way. There are far more of us who develop custom in-house software than people who write stuff that gets sold. You might severely hurt the software-as-a-product industry, but wouldn't touch the software-as-office-automation economy.

    --
    Dewey, what part of this looks like authorities should be involved?
  4. God-awful submission! by Proteus · Score: 5, Informative

    The article is horribly misrepresented, here. The core of the article is about the security principle of aligning capability with interest -- that is, when you want something done, you find out who can do it and take steps to interest them (offer them money, the potential of something free, a fine if they *don't* do something, etc.).

    Near the end, Bruce mentions the concept of "software liability" as an example of how interest can be aligned with capability. Bad on Bruce for not defining how he uses the term, but bad on the submitter for not researching it before sending in this FUD. Anyone who has followed what Bruce has done knows that he's a huge supporter of OSS.

    When Bruce talks about software liability, he's talking about making software makers liable for their marketing claims about security, not for "bugs found in software". OSS would be safe, as long as those projects don't say "we're secure" when they aren't.

    And on this point, I agree: if I buy a security product that claims "secure file storage", and I find out that they implement this with single-DES encryption -- and especially if my data is compromised as a result -- the vendor should be liable. They made a false claim!

    --
    We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
  5. Re:No, if... by IAmTheDave · Score: 2, Informative
    What about the guys that sell Debian or BSD CDs for those unfortunate souls who don't have broadband or three days to tie up their phone line for the download? Would they be liable for other people's code?

    As far as I am aware - they are selling the media, not the software.

    MySQL, on the other hand, is selling a commercial license to the software, so yes, they would be liable.

    --
    Excuse my speling.
    Making The Bar Project
  6. FOSS and small commercial devs would be hurt by I'm+Don+Giovanni · Score: 2, Informative

    I see many here saying that only those that sell software should be liable, while those that give it away for free should not. If such a law were passed, you can bet that FOSS would be killed off in the corporate world, as corporations would gladly rather work with software vendors that can be held liable than those that cannot, as the former have something to lose for having bugs while the latter are free to produce bug-infested crapware. It makes no difference if the "free" software is actually good; corps would feel safer using software produced by someone that could be held liable.

    And as I said in another post, large commercial vendors would survive, as they'd simply buy software liability insurance (à la medical malpractice insurance). Smaller vendors would be hurt if they couldn't afford such insurance.

    So FOSS is hurt (corps won't use it because FOSS "vendors" can't be held liable for bugs), small commercial vendors are hurt (since they can't afford software liability insurance), and large commercial vendors thrive since FOSS and small vendors are eliminated.

    --
    "I never gave these stories much credence." - HAL 9000