Would Vendor Liability for Bugs Kill OSS?
Glyn Moody writes "Bruce Schneier has written an interesting column for Wired suggesting that vendors should be made liable for bugs in their software. But where would this leave open source developers? Would what seems like a great idea actually be the death of free software?"
I wouldn't contribute to OSS if I'd be exposing myself to a lawsuit because some dipshit found a creative way to exploit my code. They're the guilty party, not me.
If you want things to really hurt, multiply the purchase price by 10 or so. That would actually constitute a penalty for commercial vendors distributing buggy software, while still not impacting those who give the software away for free.
Large software products will never be entirely bug-free. To keep things reasonable, there should be a standard time-to-fix so commercial vendors also have a fair chance of cleaning up after a mistake.
To Terminate, or not to Terminate, that's the question - SCSIROB
The prices are for the full product. Upgrade editions count as the full product for liability; something similar can be sorted out for large installations, bulk licenses, etc.
Just thinking out loud
"It is a greater offense to steal men's labor, than their clothes"
But since legal liability tends to chase those with the deepest pockets, I can see where the commercial closed source software vendor would face the greatest exposure to expensive litigation from "bug liability". Distributed development processes that are not centrally owned by one company (i.e., open source) could very well be the only way to get anything new written without facing expensive litigation.
Not that I think any of this is a remote possibility, but it could very well cause the opposite of what TFA speculates.
Momentarily, the need for the construction of new light will no longer exist.
But with the support contract come Service Level Agreements. And at this point the software vendor is interested in keeping the Service Level Agreements without too much additional work for him, especially if the support contract is of a "cover all" type (additional fees for some actions might give the vendor the incentive to redefine many support cases as cases which require additional payment).
In a certain way software which includes free patches and rebates on upgrades is already of the mentioned type: You don't only pay for the first installation software package, but also for the ability to get free (as in paid for beforehand) patches and a lower price at the upgrade (also paid for with your money for the first version).
I remember an article linked here on Slashdot about half a year ago, where the author argued that the actual price for the software is only about 10% of the purchase price; all the other money is paid for the additional services (patches and cheaper upgrades). Actually he used his experience in the arbitrage business to separate the prices for the different parts of the whole contract.
Where is it, even, in the marketplace for consumers to have a choice in the matter? You've got some serious assumptions you are putting out there as fact, so let's see some proof of it. Where is normal Joe Surfer software (the OS, some normal userland apps, etc.) for sale that comes with a warranty instead of an end user license that says "nothing is our fault" and "this software provided as is, might not be suitable for a dang thing, hope U R feelin lucky"??
bad car analogy time
This is like the car companies saying there was "no market" for electric cars, even though they never put any out there to begin with, and the leased all-electrics went like hotcakes and the lessees BEGGED to be able to buy them, yet most got crushed in still fine working order.
You put a good OS and browser and a few more apps out there with a guarantee and warranty that YES indeedy you can use this on the internet and not get hosed and pwned and your printer will work and etc., and see what happens.
People are already dropping serious coin on fixes all the time, so why wouldn't they drop coin on stuff that doesn't need much fixin to begin with?
The rest of industry (I mean A to Z, the *rest of industry*) has come to grips with building to such a quality level that the rate of recalls and fixes under warranty is under control, and they can still "do business" and "make money" at it. None of their stuff is 100% perfect, none of it, but they got to the point where it is plenty good enough, because they got REQUIRED to provide a certain minimal level of warranty, even though when it was finally imposed on them they all cried crocodile tears and claimed it wouldn't work and would put them all out of business, it just wasn't possible, OMGBBQ we'd have to charge so much money no one will buy our stuff! And other such whines like we hear now from the digital bits vendors. The other industries managed *just fine*.
Software is the last major industry allowed to push snakeoil under the "caveat emptor" rules, way past time that got changed.
And I think for most consumers it would work like this: you charge us serious cash, we want a warranty; you want to give it away as betaware for free or for the cost of media and duplication or download, we'll take it for free and maybe pay a very low, reasonable amount for periodic bug fixes.
But charging serious folding cash then no warranty with your "full stable release" stuff is the problem, it is not the solution.
As it is now, we have no consumer choice, pay money for bugs, or download stuff for free with bugs, where is the "very little bugs to begin with at a reasonable price" stuff? I would bet that is what *most* people would eventually go to if it was there to choose from.
licenses. If your software is licensed including the requirement that you don't modify it and don't duplicate it, then a responsibility should be implied that they take care of said software.
If the responsibility of upkeep becomes too much, a vendor can always abandon the software.
Microsoft can't be expected to fix Windows 95 bugs forever, but on the other hand, people have paid for a working product that they should expect to be able to use forever. Seems to make sense to me that when they abandon upkeep, they should lose the responsibility over that product as well as the ownership; it becomes public.
A law making it so could replace much of the copyright law system. We could use the same concept with products, music and books: once they are out of production, out of print or unattainable by commercial means, they lose their exclusive license to the product and anyone can distribute it.
As I said in another message elsewhere, the differentiation is control after the sale.
If you are simply "Licensing" the software and not "Selling" it (i.e., if you are trying to control what happens to the software after it leaves the store shelf, by preventing copying or redistribution or modification), then you should be liable.
When a company chooses to no longer be liable for bugfixes and the like, the product should be made "Free" so that you can make copies and modifications yourself (as it should if the company chooses to stop selling it). Not that I expect users would fix all these bugs, but at least it would give us a chance!
As is, if they find some security hole in Windows 95 or 98 that is truly critical and MS chooses not to fix it, you may be out a computer (assuming you are ignorant of Linux anyway); let's say your computer will no longer serve the purpose you paid the money for it to serve.
Of course since laws in the US are being purchased by corporations, I don't expect this "Logic" to fly in any future I can imagine, but I can always dream.
Should self-proclaimed security experts, like Bruce Schneier, be liable for bad security advice?
That is, if Mr. Schneier tells people that a certain thing is secure, and then it turns out to not be secure, should he be liable for it? For example, if he had told me to use MD5 ten years ago, could I sue him now that MD5 has been discovered to be "insecure"?