Would Vendor Liability for Bugs Kill OSS?

Glyn Moody writes "Bruce Schneier has written an interesting column for Wired suggesting that vendors should be made liable for bugs in their software. But where would this leave open source developers? Would what seems like a great idea actually be the death of free software?"

God-awful submission!

[Proteus]

The article is horribly misrepresented, here. The core of the article is about the security principle of aligning capability with interest -- that is, when you want something done, you find out who can do it and take steps to interest them (offer them money, the potential of something free, a fine if they *don't* do something, etc.).

Near the end, Bruce mentions the concept of "software liability" as an example of how interest can be aligned with capability. Bad on Bruce for not defining how he uses the term, but bad on the submitter for not researching it before sending in this FUD. Anyone who has followed what Bruce has done knows that he's a huge supporter of OSS.

When Bruce talks about software liability, he's talking about making software makers liable for their marketing claims about security, not for "bugs found in software". OSS would be safe, as long as those project don't say "we're secure" when they aren't.

And on this point, I agree: if I buy a security product that claims "secure file storage", and I find out that they implement this single-DES encryption -- and espeicially if my data is compromised as a result -- the vendor should be liable. They made a false claim!