Would Vendor Liability for Bugs Kill OSS?
Glyn Moody writes "Bruce Schneier has written an interesting column for Wired suggesting that vendors should be made liable for bugs in their software. But where would this leave open source developers? Would what seems like a great idea actually be the death of free software?"
It wouldn't kill OSS if the liability was limited to the purchase price. That's plenty of liability to keep commercial vendors interested in fixing flaws, and it doesn't hurt the little guy.
I wouldn't contribute to OSS if I'd be exposing myself to a lawsuit because some dipshit found a creative way to exploit my code. They're the guilty party, not me.
I'd like to see any business in the world able to operate like this. You'd shoot simple projects right thru the roof in terms of cost.
"Bruce Schneier has written an interesting column for Wired suggesting that vendors should be made liable for bugs in their software. But where would this leave Microsoft? Would what seems like a great idea actually be the death of proprietary software?"
specify that in the contract, and leave everyone else alone.
If I paid $$$$$ and it's broken, I get really upset. If I paid $0, and it's broken, I accept that it's my responsibility to bring it from being worth $0 to worth something.
This would not only kill OSS, but the whole software industry would go bankrupt in no time.
As usual, regulation increases the barrier to entry for a business. By making software vendors liable for bugs, they make it difficult for OSS and small shareware developers to compete. Keep in mind that the question is not whether the OSS developer will be found liable, but whether they will be sued in the first place. The legal fees alone are enough to hamper or even kill small scale software development.
IMO this would actually help OSS...I think everyone is missing the key word here "vendor" as in seller as in you paid for the software. MS might be hit hard by this but not open source.
The simple fact is that this is too hard to police anyway. Where did the bug occur? Was it in the program, or some library it called? Now we have to establish whether the programmer could reasonably have known there was a security update to the linked library. Just proving where the fault occurred would be a huge legal SNAFU. Sure, such a thing would kill OSS first but it would effectively destroy the computing world. Only a luddite could seriously believe that this is a good idea.
The only proper way to handle this is through contract - not an implied one, but an explicit document which clearly describes the areas and extent of liability. There is a market for this kind of software, and it exists already. This is the only reasonable solution - get a contract, and if you don't, caveat emptor.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Why should I assume that this would kill only Free Software?
Wouldn't proprietary software be more vulnerable to liability? People only sue those with deep pockets.
Here's a tip, Mr. Schneier: analogies can be good for illustrating a point, but going on for 2 pages about your analogy without actually using it to make a point is just dumb.
My guess, since the story was posted at 2AM, is that he had a deadline to meet and wrote this piece of crap in 15 minutes while drunk.
Don't blame me; I'm never given mod points.
If you want things to really hurt, multiply the purchase price by 10 or so. That would actually constitute a penalty to distribute buggy software for commercial vendors while still not impacting those who give the software away for free.
Large software products will never be entirely bug-free. To keep things reasonable, there should be a standard time-to-fix so commercial vendors also have a fair chance of cleaning up after a mistake.
To Terminate, or not to Terminate, that's the question - SCSIROB
Very often, if not usually, there is no vendor with free software, so vendor liability wouldn't affect it at all (it might make commercial software more attractive, since there would be someone to sue for bugs; OTOH, it would make it less attractive to make commercial software). With free software, very often the user acquires it from someone other than the creator, and gives no consideration of any kind to either the distributor or the creator to acquire or use the software. Often, a contract is created, if at all, only when the person who acquired the software decides to distribute the software, and even then, the consideration (in terms of limitations accepted by the new distributor) is in exchange for the right to distribute, not the right to possess or use, the software.
The problem is that there is no such thing as bug free software, there will always be bugs and there will always be bugs created after fixing bugs.
First and foremost, if we are going to discuss OSS vendor liability, you have to get the CLOSED SOURCE vendors to accept liability. You can't even TALK about OSS until then.
And hypothetically, hell DID actually freeze over with flying pigs, then I would still assert that I don't believe it would be the end of OSS. Not by a long shot.
RedHat comes to mind. They have their Enterprise offering that is anything but cutting edge. Everything is tested quite well and the response to fixes is rather rapid. I don't know this for a fact, but I feel pretty strongly that OSS vendors are a lot more responsive to fixing bugs than closed source people.
I don't think there's been a single issue which has come up with the gov't where they've agreed to some type of compromise, only to return to their prior behavior within a fairly short period of time (and the gov't hasn't yanked their leash to bring them back to the table).
I'm not anti-Microsoft. They've been a good source of income for a long period of time.
But facts are facts.
Until then, this is factors beyond a pipe dream.
I'll save you a couple of clicks.
The meat of the article, minus 3 stories (employee theft, ATM security and tax dodgers), spread over 2 pages:
For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest. Features, schedule and profitability are far more important. Software liabilities will change that. They'll align interest with capability, and they'll improve software security.
Failing that, if a piece of code is developed FSF/OSF style, exactly who do you sue for redress if a bug causes you fiduciary loss? The author? Go prove that his code is actually the source of the bug.
"That's not a bug, that's a feature" - isn't that Microsoft's mantra?
Free software would not face any liability since it's marketed as FREE. You can only sue for the amount you paid. If you paid nothing then you win nothing.
Even if you did manage to sue, you would have to sue yourself for not fixing bugs or other issues in the source code you received, since you are supposed to evaluate and fix issues as part of your due diligence.
But does the coverage make any distinction between a game-ending bug and a conceptual bug? By this I mean bugs that cause the program to perform differently than the program was being marketed as, and bugs that are only caused by deliberate/incredibly unique settings/actions? The first should be held as legit bugs while the latter seems hard to argue for. If the bug only expresses itself when you set up a special case that is never seen in the real world, is it really a bug? After all, ALL computer programs have bugs, even the simplest of programs. Even Hello, World! (which almost always depends on system libraries to display, and as such inherits any bugs that they contain).
The simple answer to this is to allow for software to be given away on a "no liability" way. FOSS could be allowed to exist since those that are creating the software are not making money to how many copies they "sell". Those that produce software for a living, like MS, would still be held accountable for their products. But then, IE would not be covered since it is "given away".
There probably is no simple answer to this. Either allow things like FOSS to exist and limit the liability that all software producers have, or open them up to real liability and kill FOSS.
Space for rent, inquire within
Someone wake me when there's an interesting article to read.
You get a receipt. That way you won't get the software free... er, wait- make sure you don't get one - THAT way it is free... oh wait, OSS is already free as in speech and free as in beer. I guess the creator of the software should keep a general ledger. That way the employees - damn it! WTF did this article even have to do with software bugs? It was more like the history of preventing employee theft. Nothing to see here. Move along.
My humor is probably your flamebait
So here's what the employer does: He hires the customer. By putting up a sign saying "Your purchase free if you don't get a receipt," the employer is getting the customer to guard the employee. The customer makes sure the employee gives him a receipt, and employee theft is reduced accordingly.
I've read that over several times and it still makes no sense to me.
Mod me idiot, or offtopic, or whatever; I'll take the karma hit - but wouldn't a customer be motivated to do the exact opposite? What on earth is the customer's interest in making sure they get a receipt?
Running Windows^H^H^H^H^H^H^H OSX and Linux in the home. (I don't have time for Solitaire any more.)
The prices are for the full product. Upgrade editions count as the full product for liability
something similar can be sorted out for large installations, bulk licenses, etc.
Just thinking out loud
"It is a greater offense to steal men's labor, than their clothes"
....Vista would never, ever ship.
The secret to creativity is knowing how to hide your sources. - Albert Einstein
I can see it now: Satisfaction guaranteed or your software is free.
No Sigs!
Vendors are already liable for their bugs, they just pay out of their userbase instead of their pockets. Which comes out of their pockets indirectly at a later point.
do you know squarepusher?
The vast majority of the article discusses either cash register security or ATM security. By way of analogy, we're supposed to use this information to conclude that vendor liability for software bugs would be a good idea, too.
However, he never discusses any details of how this would actually be implemented, what the laws might look like, how it might work in contracts, what exceptions there might be, what constitutes a "critical" (i.e., liability-worthy) bug, etc. Consequently, it's virtually impossible to answer the question of how this will impact OSS. We need specific ideas to actually try to tackle that one.
If this is mandated, then the software manufacturer will only warrant the software fit for specific uses. This warranty is void if: The user connects to any network not on Microsoft's approved network list. The user installs any software not explicitly covered on the MS Software compatibility list. The user ever enters data incorrectly. ...
You can see where I'm going here. It's not just ms, EVERY vendor would have to create a similar license
But since legal liability tends to chase those with the deepest pockets, I can see where the commercial closed source software vendor would face the greatest exposure to expensive litigation from "bug liability". Distributed development processes that are not centrally owned by one company (i.e., open source) could very well be the only way to get anything new written without facing expensive litigation.
Not that I think any of this is a remote possibility, but it could very well cause the opposite of what TFA speculates.
Momentarily, the need for the construction of new light will no longer exist.
You will find that Microsoft only offers bug fixes to maintain general problems in glaring issues with their software. Defects just happen. If they didn't fix them people would get pissed.
However you will find that companies will listen to requests for bug fixes if you have a support contract. This indemnification costs the customer money. This is a way software companies make money.
FOSS has equal deniability to commercial software. However you have the option of paying the support contract on the FOSS software to get your issue sorted, or if you so choose, fix it yourself, and the community benefits. Of course you have the option to add features etc. at will.
It's a dumb suggestion because there is already a solution to this problem. And a lot of people make money out of it. It's how a lot of FOSS based companies do their business.
Just make the fine equal to some percentage of the retail price for the product multiplied by the total number of users...
Just convince them to modify the code a little bit. Then they become part of the liable party.
I think it would be the death of small software vendors. One frivolous lawsuit and they go under.
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
Doesn't the GPL contain a disclaimer of warranty anyway?
Oh, by the way, it doesn't really seem like that great of an idea, either.
I disagree. As a software engineer I get annoyed with the way in which people bandy about the title "software engineer". As in, "I completed a six week course at DeVry on Visual Basic, therefore I can call myself a software engineer". Nobody goes through a three day Red Cross course on basic first aid and then presumes to call himself a doctor or a nurse, so why the same with engineer?
Don't get me wrong, I don't think that there is anything wrong with having hobbies. Specifically, programming is a great hobby. The point is that if you are a firm that specializes in professional software development (MS, Sun, Oracle, IBM), then you should be held to professional standards. If you build a wood footbridge to go over a small brook behind your home, that is fine. If you show up and build a bridge across Tampa Bay, that is fine too. The first requires very basic skills and can be reasonably accomplished by a hobbyist. The latter requires very serious professional qualifications. Nobody seriously starts a civil engineering firm employing amateur bridge builders and claims that they can build a bridge across Tampa Bay.
The point is accountability for professional conduct. I understand that software tends to blur the lines somewhat. However, that is no excuse to me for professional software developers to shirk responsibility. Yesterday there was an article about major engineering disasters. The Hyatt hotel disaster was a classic example of the engineers shirking their responsibilities. Those guys lost their licenses. Now, you may think, "but software doesn't kill people." Go look up the Therac-25 incident. From the references linked at the bottom of the Wikipedia article:
What would happen if a civil engineering firm designed and had a bridge built? What if it collapsed under normal use and it is found out that they didn't bother to stress test the specified materials for their load bearing characteristics? That would likely be considered criminal negligence.
Holding software vendors accountable for bugs in the software they sell/support would do wonders for improving the quality of software in general.
Almost every OS developer has a day job paid by a company selling software.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
A provision like this should indemnify vendors who provide source code. The thought behind this is that if the customer has access to the source code, he can perform his own audits and the vendor has made a good-faith effort at full disclosure (as far as the vendor itself is aware). Also, many eyes looking at the same code will reduce the likelihood of fault. If the customer chooses to use the software without audits or tests, then the customer is 100% accountable. If the customer performs sloppy tests or audits, then the customer is still at least partially responsible for his decision to use the software (50/50 I'd say).
The other concept here is warranty. Perhaps software should be warranted against defects and updates for problems (not enhancements) should be free of charge. Again if the source is provided, then the customer can identify and correct problems themselves, attributing more responsibility for damages on the customer's decision to knowingly use the software. In my mind, software provided free of charge cannot be required to have a warranty, since there is no loss of value to the customer. It's purely up to the customer whether or not he uses the software, and anyone that blithely deploys free software in a mission-critical application is 100% responsible for the outcome.
In these scenarios closed-source vendors would ultimately end up being insurance companies. The cost of potential payouts would need to be built into the software price, and so customers would be paying to indemnify themselves through ignorance (lack of access to source code and inability to perform due diligence before using the software).
There's plenty of money floatin' around, it's just no one wants to spend it. This would mean tons of new programming jobs.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
If this was structured like most liability laws, what would happen is that vendors would be forced to raise their prices in order to pool the money in a big liability insurance fund. This fund would then be harvested by unscrupulous lawyers using sympathetic clients whose claims pulled on the heartstrings of juries, like: I spent so much time trying to keep my browser from crashing that I forgot to feed my cat and she starved to death; or I got so mad at my filesystem for losing my files that I smacked my kid and gave him brain damage. Legitimate users who organized and filed class action suits over business costs caused by real bugs would be tied up in court forever by defendants' legal teams because the magnitude of their claims would make a vigorous defense an economic necessity. Free and Open Source software authors would have to form non-profit corporations to front for them, and rely on contributions from sympathetic sources to buy their insurance. They would be routinely attacked by lawsuits drummed up by front companies funded by a certain software giant in a fashion that might remind some people of the SCO lawsuit. Testifying in these bogus suits would tie up all the time of FOSS developers, effectively slowing open-source development down by a factor of 10. In the end, only the lawyers would benefit - exactly the way it works in most industries.
"Sic Semper Path of Least Resistance"
Having the word "vendor" in there implies that there is some sort of financial transaction involved with purchasing the product (or a license to use, etc, etc.). In that context, Free Software doesn't really have "vendors". The implication is that it is a best effort, but all code is provided "as-is".
Charging for support of a free product would be a little trickier if a change that you advised caused a problem, but most companies providing support probably indemnify themselves against that kind of thing anyway.
i agree -- bugs in software are already the death of the company these days.
we are already locked into a few vendors unfortunately, but up-and-comers that can't seem to debug simply don't make sales.
-- lol pwned
I'm not sure if it would kill OSS, but what it will do is force commercial software to have exponentially less features, so that the few features it does have are approved, thoroughly, by the lawyers. The cost of developing software will skyrocket.
Take your favorite software you work with every day. Remove 80 - 90% of the features. Make it cost 10 times as much, or more. Sit back and enjoy your secure bug free software (as if there is even such a thing).
For you people who think software liability makes sense for non-critical applications, you get the software you deserve.
Well, such a proposal has two possible outcomes:
1) OSS coders would be responsible for their code, and if a security bug was found that, oh, caused some big disclosure of personal information under some law like HIPAA, then the coders could/would be sued by a corporation that ran the software. Thus, coders would NOT contribute to OSS, thus killing OSS.
or
2) OSS software would be exempt from such a rule, meaning that implementation of OSS software by a company would mean it would become liable for its misuse due to a flaw that was coded by someone else. If I was in the shoes of any VP who analyzes risk, I would be like, "STAY AWAY FROM OSS", thus killing OSS. For those companies that do decide to implement OSS knowing the risks, they will increase their prices, driving their customers to cheaper vendors, taking said company out of business... thus killing OSS.
It's a lose-lose situation!
The question reveals a lack of understanding that OSS is a service model, while proprietary is a commodity model. They are two different paradigms. OSS isn't sold; support is sold. "Linux vendors" don't exist ... Red Hat, Yellow Dog, Debian, Ubuntu, et al. are Linux support vendors; they sell a service, rather than a product.
Everything would be exactly as it should be in the proposed model. Microsoft sells you their garbage and it no longer pays. If Red Hat advises running 'rm -Rf /' as root in the process of supporting your need to back up your data, then they would be held liable for the flawed support.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
While I'm sure that anyone who has "purchased" any 1.0 version of software (and by purchased I mean either spent money on it or downloaded something freeware or shareware) which contains bugs which hobble its purported functionality or its security has had the knee-jerk, road-rage desire to see those people responsible for that inconvenience held liable in some way.
However, the reason why we don't have this sort of "consumer protection" already in place is quite simple: any increase in the liability for a producer of any consumer or commercial product is a decrease in the motivation to produce that product. All software of any reasonable complexity has bugs. To hold a software company or the open source community responsible either through update or, if loss is involved, compensation (how you'd manage this is anyone's guess) would ultimately break even with the income produced by the software.
This is particularly of concern with freeware.
For example, let's suppose someone makes a freeware product which some company decides to use for some aspect of its business. Unfortunately, this product is immature upon 1.0 release, and bugs lose data, files, or are prone to security risk which causes that company material loss. Theoretically, that person could be sued for that loss, which is a damn bummer because there is no profit with which to ameliorate whatever damages are brought to bear. Of course, one would be a fool to sue someone who could never pay up, but the mere statement of legal entanglement is enough to take most garage shoppers off the market.
It also introduces a number of other interesting quandaries.
1. It creates a sort of intellectual property servitude. Since the intellectual property lasts longer than potentially the individuals who created it, does that mean that even after the product(s) are out of production, are those who created it are still liable for its upkeep? Can they still be sued for material loss? What's next after that? A Chapter 11 intellectual property bankruptcy backdoor for people who now regret ever writing that damn spreadsheet code?
2. In the case of open-source and freeware, who gets nailed if the consumer gets litigious?
3. What about misuse of the software? Who'd ever write a disk utility of any sort knowing full well that the very tool itself in its proper operation is an invitation for less-than-knowledgeable people to harm their file system? Bug or idiot? Who decides? A legal system which already has very little computer savvy?
4. That brings up the point of any type of "expert" software: what purpose is there in even giving experts software that can do harm, whether from a bug or from inappropriate use? How would you screen these sorts? Even an expert can make mistakes anyway. Why would you as a developer want the liability?
In fact the reason for the "as-is" clause is one of the few common sense statements in any EULA you look at. Without it, you would have de facto liability and we all know how litigious a world we live in. If anything, the "tough luck sweetheart" clause is the most basic protection to continued software innovation, by protecting it from the occasional mishap and the liability which can issue therefrom.
I see cameras by cash registers a lot more than I see the "free if not given receipt" note.
FREE - Java, J2EE and Ajax Audiobooks for Software Developers - www.DeveloperAdvantage.com
The article has one paragraph on computer security and software liability and a bunch of aimless bullshit about employee theft, the cash register, ATM fraud, and tax fraud; and a nonsensical reference to a liquor store sign, "Your purchase free if you don't get a receipt."
Well, no shit! If I didn't pay for the item it was free and I wouldn't have a receipt either, DUH! I'm sorry, but that has to be the WORST piece of "journalism" I've ever seen!
To address the topic of the article (which had nothing to do with its content), I'd say this. Yes, vendors who are SELLING software for profit, and are supposed to be supplying support resources for said product, should be held liable for bugs. I don't know why he doesn't think that they aren't. If a piece of software is buggy, people will flood their tech support lines, and if not fixed will stop buying it! Duh, again!
As for the impact on OSS software, simple, NONE. You accept the liability of the reliability of the software because you got it for free. I'm sure there's something in the BSD license or GPL to that effect. If not, there certainly should be.
Somebody smack the bottle out of Bruce Schneier's hand (and maybe the bong too) and have him take a journalism class-or maybe just a basic writing class. He sucks!
Wired, if you're listening, I'll be happy to write for you...a ton better than this idiot.
A lot of open source stuff says "Free to download! Enjoy - but Note: This comes with no warranty / use at own risk" etc. Beat that.
How to create efficient software liability laws without hobbling the industry.
1. It only applies to distribution of binaries. Not source. Contributing a patch to Darwin's Kernel != makes you liable for Apple's sales. On the other hand, even though Linux is open source, if you distribute a binary kernel, you may potentially be liable.
2. It only applies in cases where money changes hands. No free distribution. You don't want non-profits forced into paying for insurance for freely distributed products. Besides; caveat emptor, if you're going to run your company on free software, you should pick up the tab in terms of liability. Otherwise, go buy the same software from your friendly local Linux vendor; they're the ones paying many of the developers!
3. Minimum levels of damage, not maximums. I don't know why people keep suggesting "The Purchase Price". Rather, it makes more sense to make a "you can't litigate below a certain level of damage" minimum. Something like $10,000 per instance per user.
4. Levels of certification for mission-critical liability. This would be done via standards, established by industry groups (I'd suggest the IEEE). The idea would NOT be to certify individual products; rather, to set requirements for products, using open standards. If your product does not reach these standards, you are immune to liability from prosecution *in that particular industry*. For example, presume there is an IEEE working group on certification of automobile software. Unless your solitaire application meets the requirements of this certification, you are immune to prosecution from anyone using your solitaire application on a car's computer. Similar working groups would be established for telecomm, the medical industry, industrial manufacturing, military usage, and aerospace/nautical transport, in addition to any others as the need arises.
Now, see, the way #4 works is that in mission-critical instances, where the chances of large liability risks are very high, achieving certification for your software product becomes optional. So, why would you ever want to achieve that certification, forcing you to be liable for problems?
I'll tell you this: If you don't know the answer to that last question, you've never worked with a large insurance company (which every mission critical industry does). If you are Boeing, and you have the choice between Microsoft and IBM software, and Microsoft software is immune to liability, and IBM software is certified as appropriate, and IBM can be held liable.... Well, AIG (or whoever Boeing works with) will REQUIRE that Boeing use IBM software. Or they'll bump their rates up 1000x.
Liability is a difficult concept to grasp, but in the modern world it is intricately tied up with insurance, risk, and damage. No matter how you slice it, bugs (software or hardware, Microsoft or General Motors) *will* cause real financial (and otherwise: health, property, whatever) damage. To write effective legislation, one must remove small potatoes from the equation (it's never efficient to litigate for amounts under $10k or so), and one should provide a path of least resistance (certification=optional) so that if market solutions turn out to work better they become an option (any company that can independently work out their liability issues with a supplier can sidestep the legal system, saving both sides tons of money).
P.S. All of this is predicated upon the repeal of all existing liability exclusions for software.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
As an open source developer, I declare that I will refund 100% of the purchase price if you find a bug in my code.
However, use of this software is provided strictly on an "as is" basis. The user assumes all risk and responsibility for determining the fitness of this software for their application.
If the penalty of bugs was tied to the price of the software, where the liability increased for the creator based upon the price to purchase or own, then this would actually be a really excellent boost for open-source software. Basically, this would mean that it would be in most people's best interest to make software open source and just move to a charge-for-service style of working.
This could cause quite a change in the software community if everything was open source because innovation would skyrocket and it would finally get to the service-based market that everyone seems to want so much.
As a software developer, I write software that yes, may contain bugs and holes. My responsibility to my customers is to repair bugs and patches for all my software as part of the selling agreement. Some paid software I release I do take steps to test heavily and will take bugs and patches for security holes, but some scripts I have done in my free time I take no responsibility for, esp. when they are done very quick for someone as not part of a paid project.
In my opinion, if you sell software to someone it should do what it is going to. It shouldn't have to be messed with to fix a bug. If your customer says something isn't working or you find a security hole, the software needs to be fixed as a business practice to your customer.
Bryan
I disagree completely (about liability, not calling yourself an engineer after learning VB at DeVry). Most software is non-critical, and the software that is critical (flight control systems) is developed with security and reliability in mind; except for the few well-known software disasters as you've mentioned. This kind of critical software is also very, very expensive, and is limited to the features that the engineers can guarantee to work.
It's all very simple: customers do not want secure or reliable software. They refuse to pay more for it, they refuse to wait for it to be built, they refuse to give up features for it. We can all debate this and that in regards to bugs and security, but until someone is willing to pay for it, it really is just idle chatter.
If the cost to the company for buggy software is a refund of the purchase price? I can see one model that works really well -- you get the bits for free, and the vendor charges you for a support contract. OSS wins. In fact, it would make OSS the default business model.
My book, podcast
No way. There are far more of us who develop custom in-house software than people who write stuff that gets sold. You might severely hurt the software-as-a-product industry, but wouldn't touch the software-as-office-automation economy.
Dewey, what part of this looks like authorities should be involved?
Depends on how the law was written. What if liability was on the party with access to the source code. So, if company "A" distributes a binary without source, they assume liability since the customer isn't able to verify the code is "safe".
An open source project, on the other hand, at a minimum ships a binary and also makes the source available to the end user, thus transferring the liability from the distributor to the customer.
www.sguil.net
The Analyst Console for NSM
I think it is odd that many people think this would crush MS, as opposed to OSS. The standard EULA issued by MS forces you to sign away all your rights to sue... basically, the program is supposed to work how it ends up working, even if that means erasing everything on your hard drive every time you hit the enter button. And I'm pretty sure Bill hires some darn good lawyers...
If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be.-TJ
I would say that closed source would be liable, as the customer is unable to inspect the code themselves and is relying on the company or developer's reputation to say there aren't any bugs or security holes.
With open source software, the customer has the means to inspect for themselves whether the software can perform as advertised. So if the source code for the software is available then the burden should shift to the customer, as it is today.
Please read my suggestions on working software liability, and see if they address your concerns.
I haven't covered all the bases, but it's pretty close. I earnestly believe it's possible.
...and I seem to recall someone mentioning that they (Sony) ought to be liable for the trouble its bug(s) caused...
Just an observation.
This space intentionally left (almost) blank.
Ok, as usual there are a lot of people who chimed in on the subject without thinking this through.
If you PAID for a software product to a vendor, the vendor IS liable. The extent of this liability is not necessarily defined by law or formal contract. Some of this liability is inherent in the principles of a market economy, i.e., if I paid for something and it doesn't work I have a legitimate grievance with the seller/producer of the product that I can seek remedy for. That inherent liability is supposedly covered through a customer service mechanism; in the case of computer software this is the tech support department. This group is supposed to act as a feedback mechanism to the software developers for fixing bugs, and to assist the customer in either working around the problem, or otherwise providing a solution. If a solution cannot be found, and the product was purchased, and the bug was identified in a reasonable amount of time from purchase, then the customer CAN seek remedy of the problem by demanding a refund of the purchase price (maybe minus some handling fees and/or taxes). This happens all the time and there are organizations, like the Better Business Bureau, the Federal Trade Commission, and others, that enforce these rights under Federal and State guidelines. Mileage may vary.
Now, if you didn't pay for a product, because it was free or you just plain stole it (pirated it in the case of computer software), then there is no recourse for remedy if the product is defective, nor is there any moral, ethical, or legal stance for liability passing to the creator of said software.
I don't have case law in front of me, but this has to have been tested somewhere by now.
Why wouldn't they? If you could offer me a car that will make it 200,000 km without having problems or needing more than an oil change, would it be worth 80k instead of 55k? Possibly! Personally, as a person whose time is valuable, I'd pay more for quality. Why is it that many American cars, despite in most cases being cheaper, are being outsold by Asian and European makes? Quality, reliability, and service [plus making a car that is desirable].
People are so quick to bash higher priced items. In the business world, we stress TCO: Total cost of ownership. If you waste gigabytes of bandwidth, time to clear off spyware, time to patch, upgrade, test, and deploy- time to update workstation images and deploy regularly. How much time does an IT manager spend doing this versus just installing a program and not thinking about it (the good ones of course)?
So offer me an OS at double the price that takes half my time to operate. Do realize that that $700 OS is probably worth about 7-10 hours of a good corporate sysadmin's time. If you put more than 3.5-5h of time into each machine to perform upkeep, then you're wasting money.
I've always said- if Windows 95 came out right now, but never crashed, never froze, never leaked memory like anything, didn't have horrible hardware support, and worked- I'd be happier than getting crap for the past 10 years and having to upgrade it every 3 years and patch it every week.
-M
when you see the word 'Linux', drink!
Standard software licenses include waivers of liability under a handful of standard civil law standards. What Bruce is saying is (i) impose by statute and (ii) make it *illegal* for a shrink wrap style license to include a waiver.
From an economics standpoint, the justification for such a standpoint is inequality of bargaining power and market power (i.e., monopoly or near monopoly) in the software segment.
His argument from "principle" is interesting but ignores a much more interesting avenue for exploration. Look at heavily negotiated software license agreements between parties with equal bargaining power and consider what liability standards are commonly accepted.
I haven't done this research, but I would suspect that *support* rather than liability is the typical approach taken by customers who are in a position to get a fair deal.
OK, so we could make support contracts mandatory for the consumer. There might be some advantage to consumers if it were illegal to sell software without a support infrastructure in place, because it would arguably reduce the cost per consumer.
It might reduce *average* total costs across the industry. But this does not necessarily translate to advantages all consumers in all situations.
As an aside, where Bruce's argument theoretically and practically leads is the standard of "strict liability". This is a dangerous doctrine to impose on IP products with zero marginal cost; it drastically changes the economics of production. And yes, this is a potential disaster for open source products.
No, I'll still write it and distribute it. If you want me to take responsibility for what it does, then we'll have to negotiate a specification, a contract, and a price. I'll make the software do what I want; if you want me to make it do what you want, that's extra.
The article is horribly misrepresented, here. The core of the article is about the security principle of aligning capability with interest -- that is, when you want something done, you find out who can do it and take steps to interest them (offer them money, the potential of something free, a fine if they *don't* do something, etc.).
Near the end, Bruce mentions the concept of "software liability" as an example of how interest can be aligned with capability. Bad on Bruce for not defining how he uses the term, but bad on the submitter for not researching it before sending in this FUD. Anyone who has followed what Bruce has done knows that he's a huge supporter of OSS.
When Bruce talks about software liability, he's talking about making software makers liable for their marketing claims about security, not for "bugs found in software". OSS would be safe, as long as those projects don't say "we're secure" when they aren't.
And on this point, I agree: if I buy a security product that claims "secure file storage", and I find out that they implement this with single-DES encryption -- and especially if my data is compromised as a result -- the vendor should be liable. They made a false claim!
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
What if you write an API or even a program and some commercial vendor uses your code. The bug was found in your code and the vendor gets sued.
How do you know vendor X won't come after you to pay for their court costs?
Also businesses would purchase liability insurance. Maybe their agreement with the insurance company is to sue others and use that money to help pay the insurance company so they can maximize profit by minimizing losses when they go to court.
Also many vendors would go out of business and if you're in IT you would need to compete with many ex-employees from these vendors. Lastly, businesses might let you go as the price of software goes through the roof and the IT department needs to stay within budget by cutting costs by firing people.
It's a no-win situation for everyone but the lawyers, of course.
Bug-free software can exist, but the software engineers (not programmers) who design such customized products charge twice as much for their labor. No one wants to pay $700 for an OS. That's how much it would cost if you double the price of Windows XP.
http://saveie6.com/
When I sell a product, I'm kinda liable for its functioning according to spec.
:)
When I give it away, or better, throw it away for someone to pick it up and do "what he wants" (GPL nitpickers read that quotation marks right!) with it, I take no responsibility. Use it or don't. I didn't say you should use it. I didn't sell it to you. In fact, I just put it there so people who want to take a look can. I'm not saying it does anything useful. I'm not even saying it doesn't do anything harmful. All I say is that it's there and if you're so inclined to use it, be my guest. I don't care.
Very different when you actually SELL software, a service or whatever you plan to call it. When money is involved, people tend to expect something in return for their dough. If they don't get it, they get pissed.
We'll see just HOW pissed when Vista finally comes out.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Open source is used without compensation. The point of holding closed source developers liable is to recoup lost investment. When a user uses open source software it's "at their own risk."
I am a real, no kidding, licensed engineer. I only get to work at two levels: one where you ask for a free opinion and you get what you paid for, and the other, where I put a stamp and signature on it and say "it's good". Once I do that, I have liability for the life of that item. And my only defense is that the usage (and failure) was so wildly unforeseeable that I could not reasonably be expected to predict it. And the only way to prove that is having my army of experts challenge the plaintiff's army of experts in front of a jury that can barely do algebra. I can't just say the users weren't supposed to do something stupid. I can't go around administering intelligence tests at the point of sale. OSHA, UL, NEC, etc. all exist for a reason. At that level, liability is a real consideration to be taken seriously.
Software designers get off easy and they don't want the noose around their necks like the hardware guys have. They whine and cry and tell us it is hard to get it right. Yeah, it is, but other industries have done it before. Step up to the plate and get with the rest of us. Say you will stand behind the work you've done, and then maybe you'll get some respect on all those other burning issues you have with society.
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
where is it even in the market place for consumers to have a choice in the matter? You got some serious assumptions you are putting out there as fact, so let's see some proof to it. Where is normal joe surfer software (the OS, some normal userland apps, etc) for sale that comes with a warranty instead of an end user license that says "nothing is our fault" and "this software provided as is, might not be suitable for a dang thing, hope U R feelin lucky"??
bad car analogy time
This is like the car companies saying there was "no market" for electric cars, even though they never put any out there to begin with, and the leased all electrics went like hotcakes and the leasees BEGGED to be able to buy them, yet most got crushed in still fine working order.
You put a good OS and browser and a few more apps out there with a guarantee and warranty that YES indeedy you can use this on the internet and not get hosed and pwned and your printer will work and etc., and see what happens.
People are already dropping serious coin on fixes all the time, so why wouldn't they drop coin on stuff that doesn't need much fixin to begin with?
The rest of industry (I mean A to Z, the *rest of industry*) has come to grips with building to such a quality level that the rate of recall and fixes under warranty is under control; they can still "do business" and "make money" at it. None of their stuff is 100% perfect, none of it, but they got to the point it is plenty good enough, because they got REQUIRED to provide a certain minimal level of warranty, even though when it was finally imposed on them they all cried crocodile tears and claimed it wouldn't work and would put them all out of business, it just wasn't possible, OMGBBQ we'd have to charge so much money no one will buy our stuff! And other such whines like we hear now from the digital bits vendors. The other industries managed *just fine*.
Software is the last major industry allowed to push snakeoil under the "caveat emptor" rules, way past time that got changed.
And I think for most consumers it would work like this: you charge us serious cash, we want a warranty; you want to give it away as betaware for freebies or cost of media and duplication or download, we'll take it for free and maybe pay a very low reasonable amount for periodic bug fixes.
But charging serious folding cash then no warranty with your "full stable release" stuff is the problem, it is not the solution.
As it is now, we have no consumer choice, pay money for bugs, or download stuff for free with bugs, where is the "very little bugs to begin with at a reasonable price" stuff? I would bet that is what *most* people would eventually go to if it was there to choose from.
Compare the volume of business at McDonalds to the volume at a fine steakhouse.
Movie theatres vs. Live performances.
Most people balance quality and cost; they don't get the best, but they don't pay the most.
some people are willing to pay more for a better product; such as Steakhouses, Live Performances, Macintosh, cellular data; while some can't afford much; mac-n-cheese, broadcast TV, and library computers, landlines.
If you want better software, it'll cost money.
If you want better software for everyone, it'll end up like Healthcare in the US. Only those with money can get it.
Sure. Let the vendor be liable. For what is paid for the software.
How's this: the vendor will pay back the price of the software if the bugs are too much. Software = $0, support = $500 per month. The vendor will really be a front for OSS communities.
So if vendors are made liable, Microsoft will go bankrupt, while developers of Linux et al will pay back exactly what they received for the product in the first place.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
If you buy Windows (especially with a credit card), find out it doesn't work within 30 days, you have recourse to demand a refund from the place you purchased it from. Really, really. Most people don't follow up on this and just take it in the rear, and that's why this has been allowed to go on for so long. You actually do have a 'right' to a refund. There are ways to bring liability to bear, but no one does it! It's staggering!
I can tell you that if enough people actually did follow up and bring the BBB, or the FTC to bear on MS for their absolute excrement they call software, something would be done. No one wants to take the time, that's the problem. Me, I took a different tack. I just stopped buying their crap! And, if I get promoted to a higher level in my organization I'm going to do everything I can to stop them buying their crap too! That's the other way you punish them, through accountability. If they build crap, and they won't fix it, you stop buying it, or you sic the dogs on them. Consumer laziness is the only reason why these vendors are getting away with this. Plain and simple. The system is in place to stop this; no one seems to want to use it.
But with free software, there is no contract because there is no consideration (money) on the part of the user (you could argue that this nullifies things like the GPL, but that's another story). So, it would be impossible to claim damages for something when you never entered in to any contract. FOSS would be immune to liability laws.
Surely OSS developers would be able to give the software vendor a heads up on any bugs found in the code and even fix them before a lawsuit appears on the horizon. If the vendor did not open source the code, they would have to find the time and funding to locate all the bugs themselves.
People think accountability is good and I agree.
But liability in potential litigation is anything but. I feel the lawyers will have a field day on this like they always do for everything else.
Yes, I am heavily in favor of tort reform and think lawyers are the scum of society but I have never seen anyone sue anyone other than to make a quick buck at the expense of society.
I certainly would not develop any software available on the internet and would pull anything, as someone could just incorporate my code, be sued, and then sue me claiming it's my bug.
It's a problem for those who prefer to use BSD style licenses. This means I have no legal recourse since I said in my EULA that they can use my software in their product. It was my fault that this vendor lost millions of dollars, shouldn't the company be compensated for it, etc.? Pretty hard to defend myself.
What I don't understand is why anyone who isn't an engineer (P. Eng) would choose to insult those who are by using the title engineer for themselves.
:x
licenses. If your software is licensed including the requirement that you don't modify it and don't duplicate it, then a responsibility should be implied that they take care of said software.
If the responsibility of upkeep becomes too much, a vendor can always abandon the software.
Microsoft can't be expected to fix windows '95 bugs forever, but on the other hand, people have paid for a working product that they should expect to be able to use forever. Seems to make sense to me that when they abandon upkeep, they should lose the responsibility over that product as well as the ownership, it becomes public.
A law making it so could replace much of the copyright law system. We could use the same concept with products, music and books: once they are out of production, out of print or unattainable by commercial means, they lose their exclusive license to the product and anyone can distribute it.
The problem with liability isn't who the software comes from before bugs have been found; it's who is permitted to fix the bugs when they show up?
//they are the only ones allowed to fix them//. If you give me permission to fix bugs as they're found, then it's my own damn fault if I don't. But if you insist that I come only to you to fix bugs, I damn well better have some recourse if you drag your ass.
Vendors should be liable for bugs because
If customers don't have modification rights, then they should demand rights to damages in case of negligence. Whether those rights are secured through existing contracts, or through legislation is an optional debate.
This model would mitigate lock-in pressure by proprietary vendors while preserving the competitiveness of FOSS.
You don't need a contract to be liable.
If I damage your property, I'm liable for damages.
Doesn't matter that there is no contract.
I imagine such a law would result in people identifying the intended use of their software as something that "provides no function beyond consuming storage space" and other weasely BS to get out of it.
In many jurisdictions consumer protection law throws out liability or warranty disclaimers (waivers, whatever, go hire a real lawyer.)
It's all about intended use. If a program does not properly work for its NORMAL INTENDED USE and was purchased commercially, then vendors should be held liable. However, if the product was used in a way in which it was not intended to be used, then there should be no liability.
If you press your brakes on a new car and they don't work, then the car manufacturer should be held accountable. However, if you drive your car through a building and the brake line gets severed causing the brakes not to work, then the car manufacturer cannot be held liable.
Of course, however, coming up with the definition of "intended use" can be quite difficult. That, and there still aren't any solid definitions for computer industry best practices, so there's no legal way to tell if a company has applied due diligence to adhere to coding standards (don't get me started about that).
OSS, I think, should not be held liable except for malicious intent since it is distributed "as is".
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
Potential Compromise (which, since it is 150th something comment will probably never be seen):
Allow liability only to the amount of profit made from the product... or at most punitive to the amount the customer paid to the software creation company.
Additionally, I think there should be a limit on the types of bugs... standard bugs should NOT be considered negligence but SECURITY related bugs should.
Hard to sue an OSS group unless there is an org around it. The right wording in the law could result in more OSS software... in order to avoid being taken to court, corps could do OSS for key components of their software.
Democracy Now! - uncensored, anti-establishment news
if anyone has a problem with my FOSS programs, then I'll pay him all the money back, that he gave me for them...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
I have long supported vendor liability for software. I believe that it would allow commercial software and OSS to coexist better. And by the way, for those of you who didn't RTFA, the author doesn't imply that open-source contributors should be liable for bugs. Here's my take on the idea:
1. Open-source software generally costs nothing, and no warranty is made on the function of the product.
2. Commercial software generally costs money, and no warranty is made on the function of the product.
As of right now, there seems to be little difference - except that someone gets paid for making commercial products, which may or may not function as the consumer is led to believe. So let commercial software companies voluntarily increase the value of their products by making certain guarantees on performance.
For commercial software to stay relevant, I believe that every product needs to include a basic guarantee of the functions that it must perform. Note that when I say "guarantee", I don't mean that the company ensures that there are zero bugs - this is unrealistic for complicated products. By "guarantee" I mean that when the product fails to perform its specified functions, resulting in damage, the company should accept liability for the damages.
This wouldn't kill open source software. It would enhance the ability of end users to choose according to their needs. The "software guarantee" would be like a form of insurance. Customers for whom a product failure might be very costly would opt for the commercial product, in a risk-averse fashion. Customers for whom product failure would cause small-claims damage would likely opt for a free, no-guarantee product instead. There's my two cents.
If you provide source code, then your liability should be reduced or eliminated, because you've given the users of your code a way to deal with bugs without relying on you. But since proprietary software vendors don't allow you to fix bugs in their software, then they should be held liable for those bugs.
How would this work in a software product? I would argue that any liability regulation as applied to software needs to make it very clear that liability is limited to the purpose for which the product is sold. (In other words, there would be a document which can be easily accessed by the consumer which states what the software is known to run on, what the software is known to do, and what the software is known NOT to do.)
Let's say there's a bug in the Linux kernel that prevents it running on processors made of swiss cheese (such as the Itanium). That bug is declared as part of the product. Part of the purpose for which it is now being sold is to NOT run it on processors made of swiss cheese. It would be absurd to hold a company or person liable for selling you a product that does what it says it does.
This means that developers would need to clearly document what they know FOR CERTAIN works, and what they know FOR CERTAIN does not. (IANAL, so how do I know that this is even vaguely plausible? Because people do stupid things with otherwise functional products and yet civilization is still essentially intact.) Clear, quality documentation will not kill Open Source. It stands an excellent chance of improving it, because others will have a clearer idea of what isn't working (yet) and why.
Now, what about all those people who sue for no obvious reason, just because they see a chance of getting some quick cash? Well, the documentation should prevent such people from actually getting said cash, because it is clearly stated what purpose(s) the product is usable for. Absolutely no use outside of those limits would count.
However, legal cases aren't cheap, so you'd probably want something extra in there. I'd suggest something along the lines of "developers are not liable for the consequences of abuse of the product" (just to make things clear) and "whereupon it is shown that the case is frivolous, malicious or criminally stupid, the plaintiff is liable for all legal costs by the defendant, plus damages to their reputation". This should limit the number of cases and might even help fund Open Source developers where court cases result from FUD or attempted robbery by the suit addicts.
(It might even force companies to tone down the anti-Open Source FUD - each case won by the developers would damage the credibility of FUD perpetrators. It would become too expensive to keep believing them.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Every one of his anecdotal examples deals with a punishment for dishonesty. Charging software developers could be punishing for incompetence. Also, as a software developer, I couldn't even count the number of times a bug has cropped up within the operating system layer (both Microsoft and Linux) that made my application fail.
We have something like this with our mainframe that holds all our financial data. Thing is super reliable; I'm not aware of it ever crashing or losing data ever. However, cost aside, there's another major downside: we can't screw with it at all. Software installation isn't permitted, configuration changes aren't permitted. The support contract basically specifies that we will leave it the hell alone, and any changes have to go through IBM first.
Now it makes sense: you cannot predict the interactions between new programs. If we were just allowed to mess around with it, as we do with desktop computers, sooner or later we'd install something that would conflict with something else and cause problems. The software can only be verified if it's a known system, so they just don't allow any new software to be added without prior approval and a lengthy and expensive verification procedure.
That's fine for the financials DB, but I'm not putting up with that for my desktop. I need to be able to install software on no prior notice from any source. Yes, this can lead to problems, but I'll take those problems to have the flexibility I do.
So yes, you can have a rock solid system if you are willing to pay a lot for it, deal with slow development, and accept a very restrictive environment. If those aren't OK, then you takes your chances. Open, commodity systems CAN be very stable; I've seen servers go years with no OS or app crashes, but they cannot be guaranteed to be so.
Most software is non-critical, and the software that is critical (flight control systems) are developed with security and reliability in mind
Just because the failure of some software doesn't maim or kill people, or is not the direct cause of millions of dollars in losses, doesn't mean that consumers shouldn't be warranted against defects. Commercial software is notoriously lax in comparison to most other consumer goods--for example, about all Microsoft warrants against is damaged physical media. The law is significantly more stringent for minimum warranties on physical goods, even "non-critical" items. Your car isn't just warranted against safety-related problems, for example (to bring up that tired "if Windows was a car" analogy, if Windows were a car it would not be covered under warranty if an engine flaw caused it to stall every 10 minutes, because there are no performance guarantees). The least they can do is give you a refund for the cost of the software.
There has to be a reasonable balance, and right now the software industry is "unbalanced". End users certainly don't demand "critical-systems" reliability from their home computer's productivity applications--they just want value for their dollar. If I go to Home Depot and buy an electric drill that falls apart due to poor design or manufacture, I expect I should be able to take it back because it cannot properly drill holes or drive screws. On average commercial software is more expensive than a drill; however, I have a much harder time returning it for a refund because it crashes my computer when I try to use it for the purpose it was meant for (say, I cannot e-file my taxes with the tax program or something, when it says right on the box it can do the job). It's not like we want millions in liability coverage included.
Does this jeopardise Free software? I don't think it does at all. If you download free install packages, and especially if you download source for free then compile it yourself, I can't see how any warranty at all can be justified--you take your chances because you get more than what you paid for (which was just your time). However, I'd expect a modest level of warranty for functional deficiencies from SuSE or Red Hat for their commercially distributed versions of Linux and other apps, just the same as I do from Microsoft. Is a full refund of purchase price on brand new merchandise really too much to ask for?
In cases where a consultant or systems integrator has made use of open tools, it is they--NOT the original code contributors--who should be held responsible, since it was the consultant who had the job of selecting, modifying and deploying the system (they should review for fitness of purpose). Basically this is the case already--where I work we are responsible for making sure our systems perform as expected, even though our software runs on a Microsoft platform and it is sometimes Microsoft's defects that are the root cause. The reason we are liable is because we made the decision to use the Windows platform and we were responsible for testing and making sure defects in 3rd party software were not critical.
Another poster mentioned the case of collapsing suspended walkways at a luxury hotel in the early 80s. The engineering firm and supplier of the walkway supporting rods were held liable and paid dearly. In the equivalent software situation the liable parties might be the IBM consultant or the designer/developer of a purpose-built, custom software component. Suing Linus Torvalds because a defective system failed due to a Linux kernel bug would be like suing the company that mined and processed the steel to make the rods--because it is one component in a complex assembly of diverse components and should've been adequately tested.
http://schneier.com/
http://schneier.com/blog/
Schneier's column at Wired is about security decisions, not just software. It is a regular feature.
Go to his blog to read the comments from the well-informed readers he attracts rather than the Slashdot monkey mob. Some of the readers there also ask where the beef is on vendor liability, and it turns out the question is not a new one to Schneier's body of work.
http://www.schneier.com/blog/archives/2006/06/ali
The only thing I agree with in what you said is that the Slashdot article summary is misleading. Otherwise, you are at best grossly misinformed, at worst on a bit of an afternoon drunk yourself.
Q: What did the comedian say to the crowd?
A: If I knew, this joke would be funny.
And remember:
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Seems pretty airtight to me. "WITHOUT ANY WARRANTY" or "FITNESS FOR A PARTICULAR PURPOSE".
Regulating software is moronic anyway. If dumb people buy bad software, that's their own damn problem. Sue the vendor, or something. That's why lawsuits exist, after all!
As for the, "but buggy software causes SPAM!!!!!!!!111" argument, I have a simple solution: if the user's poor choice sends too much junk traffic to the Internet, turn off their connection. Problem solved, and without any new laws!
My other car is first.
As pointed out by someone else there are not very many details to go on in this article but I would venture to say the author's use of the term "Software vendors" implies he is talking about commercial distribution of software. That would suggest he wants companies who sell or license software to be responsible for it not necessarily the authors of the code.
If so, OSS contributors would not be risking anything unless they were also somehow licensing or selling the code for money. I run an open source project at http://www.freeswitch.org/. If someone turned my free code into a commercial product and started selling it, I would certainly want to see disgruntled customers suing *them* and not me =D
Proof is not the same as possibility. Perception also needs to be taken into account. When it comes down to it, if something seems like it will be expensive, it may stop people from buying. Take a BMW. My experience shows that actual maintenance is about the same as an Acura or equivalent. People believe that the Acura (Honda) will be cheaper to maintain, when in my experience they're pretty similar overall.
It's called spin. Linux has value. You know this and I know this and many Slashdotters know this. If you can tell a decision maker that it's got a huge cost associated with it by showing only some information to them, then you can get the purchase.
Sometimes you have smart bosses, but other times you don't- and you're only as good as the Windows-loving bastard who is advising the upper manager, and the team of dollar-hungry Microsoft goons that come in to convince you to come to the dark side.
So? I'll tell you that California has a huge tech centre. A statement, made by me. Where do I get this idea? A few companies I know are there. The state and city and its associated groups advertise and promote this concept. Probably some studies support me. I'm sure some other studies may say other places are better as well. Use common sense and filter out information that works for you.
Bingo. Nothing is unbiased. I'll tell people Linux is handy as a server and much cheaper. It's because there are figures that you can't put money on. Like what beyond purchase price you ask?
I'm sure they used some figures like this:
- training staff to solve problems in Linux- 52 weekend sessions at $2000/weekend by 10 administrators
- purchasing all new hardware that is certified compatible (because the current one only has a Windows sticker on it... which they already have... so $0) $20,000
- training users to use openoffice - $2250/person weekend seminar * 500 employees
See how I just spun those figures? $2,185,000 that you wouldn't have had to spend if you stuck with Windows.
In actuality? Many users would do fine with a day of in-house training and the administrators will solve problems as they come and don't need more than a few crash courses.
-M
when you see the word 'Linux', drink!
Even (theoretically) perfect software can be ruined by a buggy compiler.
As such, it seems to me any liability should be assigned to whomever compiled the software.
That would leave Open Source software developers liable only if they pre-compile their software. If they're just distributing source and allowing people to compile it themselves, they cannot be held liable for bugs the compiler puts in.
Shared source distributors would still assume full liability, since you can't compile that source code. (Or, if you did, you assume the liability yourself.)
I think Stallman would love this.
The thing about things we don't know is we often don't know we don't know them.
Look. This keeps coming up. If you sell something, then you have an obligation for its quality. If you give it away you don't.
Linus Torvalds would not be held liable for bugs in the Linux Kernel.
Red Hat would be held liable for bugs if people buy their software from Red Hat.
If I was to sell Debian Linux, I would be liable for bugs in it. Debian would not.
Microsoft would be liable for bugs in Windows.
Microsoft would not be held liable for bugs in software they give away.
If I sell you a toaster, then you should expect it to work.
If I give you a toaster, then don't.
Regulating software is moronic anyway. If dumb people buy bad software, that's their own damn problem. Sue the vendor, or something. That's why lawsuits exist, after all!
Yeah, that's great if they can actually examine the software in question. As it stands, companies go to great lengths to conceal any flaws in their software.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I write and sell software. Typically for $10 to $25. None of my software is perfect (bug free), but it is pretty good and keeps getting better.
I choose to improve the software with extra features all the time (upgrades are free). If I faced a penalty for any bugs, then I would
a) have to fix minor bugs rather than update features (that wouldn't generally be in the best interest of most users)
b) fret about adding features (they inevitably add bugs)
c) worry about being sued out of business
If you make it harder for people to create software, then the inevitable effect will be that fewer people will create software. That will mean software in general (there will be exceptions) getting more expensive and/or more boring.
Why not just try to create a more efficient market. E.g. how about a central site where users could report on the bugginess of software.
VLC Remote for iPhone and Android
One cannot legislate perfection in a field where perfection is not attainable. Did not Fred Brooks show that the essential complexity of algorithmic software cannot be avoided? But all is not lost. Switch to a non-algorithmic, signal-based, synchronous software model and the problem will disappear.
That sounds like an inherent contradiction to me. If vendors are liable for bugs, vendors must have restricted access to source code. Commercial software companies, such as Micro$oft, should be held liable since they rarely let anyone else see their code and they explicitly state in their license that they will take users to court for trying to reverse engineer the code. With open source, everyone can see the code, thus everyone knows or has the potential of knowing what possible vulnerabilities exist within a software program.
Sorry, but the fact that you don't issue a warranty does not mean that the government cannot pass a law regulating how much you are responsible when you sell something. So the repackagers (i.e. distributions) can be made liable. But the government cannot make you responsible for what you give away for free, especially not free "ideas". It has the power to regulate commerce -- not to regulate exchange of ideas or usefulness of gifts. But then again, ianal.
Any guest worker system is indistinguishable from indentured servitude.
I must be entirely missing the point here. I do not see why we would hold any of these companies liable for bugs unless they were contractually obligated to be bug-free, which is just about as far from reality as you can get.
The vendors always clearly provide an EULA among other documentation which states that they are accepting no responsibility for problems in this software, and that you use it at your own risk.
So if you are buying this software why are you then upset when it has bugs? If you want a guarantee that it is bug free then you should make this deal with the vendor ahead of time, or purchase some sort of insurance policy.
Why must people be constantly looking to government to protect them from their own shortcomings. The vendor clearly tells you they are not sure the product is bug free, and clearly denies liability, and then you are surprised to find there are bugs? Perhaps these people should run to their mothers for a warm glass of milk to help them calm down.
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...
No, it's a feature - bugger off!
I mean really. Like corporations that spend millions a year paying off politicians are going to willingly open themselves up for lawsuits. Since laws won't be made that will enforce that kind of situation, who else will enforce that kind of rule? Certainly the software producers won't. After all they should be doing that now. The end user? Sure, as soon as they figure out how to get around the EULA. For that matter when they start reading them and not installing software with a EULA they don't like.
Nope, liability for software bugs will never happen.
Patently not -- the publishers of every imaginable work from cookbooks to newspapers would rise up in revolt, and the Courts would almost certainly find First Amendment grounds to shoot the idea down.
Well, software libre is no different. Fortunately, the current Supreme Court seems to have acquired clue on the subject (I remain boggled). Lower court decisions that "code is not speech" aren't given much of a chance by the oddsmakers, although they grant that betting on any court decision, much less those of the USSC, is unwise.
The "killer argument" from those who want a legal distinction is that "code" can be used to "make computers do things," as compared to "speech." Those whose courts have been relocated out of caves are familiar with the idea that computer capabilities are improving over time, and that we already have limited speech recognition. Thus, the "killer counterargument" is that the permissible scope of protected speech is shrinking as computer speech recognition improves, eventually to disappear entirely once we reach threshold levels of artificial intelligence.
Don't try to tell a Federal Judge that the First Amendment was a quaint and transitory historical fashion, to be obsoleted by technology.
Thus, liability for "code" falls, in the end, under the same law as liability for any other writing. Which judges really do understand, and are very unlikely to impose in any way that materially threatens software libre.
Sleep tight.
Lacking <sarcasm> tags,
for free ("as in beer") is what...um...let me get out my calculator...
As an Independent Software Developer whose business is contracting with a corps to develop their application, this would put me out of business.
Essentially, this could mean not only developing for free, but being held liable to PAY BACK the money to the client paid and a good portion of which I paid to my developers.
And over what? Some minor errors? I've never released code with critical errors, but minor ones do spring up and get fixed free of charge.
But to be held liable would mean it's no longer a "just fix it" issue, it's hoping your client doesn't unleash the lawyers on you to get the application for free and put your ass on the streets.
Seriously. An unethical client could engage in a software contract with the sole intention of finding ANY bug at all after delivery in order to try to sue me for the cost of the development in total. And at that point, I've already lost.
At that point, the lawyers have won because my money will go to lawyer fees now.
This is the most asinine idea I've heard in some time.
But a great way for everyone to get their software for free... but then who'd have time to write software, since you'd have to give it away for free to not get sued, but still had rent and bills to pay. And those working in software would lose their jobs since even MS would have to leave software due to no profits in selling code.
Great idea asshole.
Question to Wired: Why do you accept and publish articles written by people who have absolutely no FUCKING CLUE as to what the fuck they are talking about?
Seems too complicated to make something like this fair to me, and I'm somewhat technically literate. Just imagine how useless a law like this would turn out after our friends in Congress got their stink all over it.
Instead of encouraging progression, congress sometimes hinders it. Congress shouldn't do any more than it is authorized to do!
Falcon
Should there be a Law?
Is it a 1:1 ratio? so if Windows corrupts millions of customer accounts and doesn't report it and I end up backing up corrupted data I can only ask for $199 in damages? Or would a 10:1 ratio make more sense? ask for $1990.. 100:1 ? 1000:1 ?
What is reasonable would be compensation equivalent to the loss times some multiple, say if you lost $1,000,000 then you should be compensated say $2,000,000. Of course this would apply only if the vendor/creator didn't try to produce a fix within a reasonable time period. However congress should stay out of it and let the courts handle it.
Falcon
Should there be a Law?
The software reliability soapbox is getting tired. The economic reality is that the price of the software is subsidized by the user's acceptance of bugs. Change that subsidy and the cost will go up. Increasing the cost will make software less affordable to some current purchasers. If OSS is held to the same standard, innovation will be stifled. If not, OSS will truly thrive at the cost of commercial software.
All this proposal would do is to create a software vendor liability insurance industry. Software vendors would buy liability insurance policies (just like doctors buy medical malpractice insurance policies), and pass the costs on to the customers.
-- "I never gave these stories much credence." - HAL 9000
Uhhhh, just how accountable is the corporate software? Seriously, when was the last time anyone saw MS or any of the other companies held liable for their creations?
Let's be fair now; OSS shouldn't be held accountable to a degree that is different than what current software creators are held accountable to.
How did we get to this state of affairs?
Whether or not a software vendor should be held liable for bugs in their software depends on what they promised to the customer. They should be held liable for no more and no less than that. It's the same as with a vendor of any product, not just software products.
If you go to solutions provider X, and hand them a list of your requirements, and they agree to provide a solution that satisfies those requirements, and you both sign a contract that embodies that agreement, then of course they should be held liable if they fail to meet their burden under the terms of the contract.
If you buy a box of software from Vendor Y that says that its purpose is to enable you to write letters to your grandma, that is an implicit contract, since you are exchanging your money for the product's functionality. Depending on where you live, you might have legal recourse, if the product fails to live up to its stated purpose.
The obvious escape from this, which all software vendors take, is to not state that the software enables you to do anything specific, and to explicitly disclaim fitness of use, for any purpose, in the software EULA. They can then say that the name "Grandma Writer(tm)" was merely meant to convey that the product is so easy to use, that even your grandma could use it, and not that it is guaranteed to facilitate communications between you and your grandma.
So, for example, if you download gcc and your airplane crashes because gcc generated incorrect code for your embedded processor, then you're shit out of luck if you want to sue the core gcc dev team. The license agreement for gcc explicitly states that the software is not guaranteed for any purpose whatsoever, so use it at your own risk. By accepting the licence, you shoulder the responsibility for any damage that results from your use of the software.
In the case of the Vendor Y, the EULA is to cover the vendor's ass, so they can make some profit, instead of spending all their time and money in court. In the case of gcc, the license is to cover the developers' collective ass, so they can continue to develop gcc, instead of spending all their time and money in court.
Vendors: Do what you promised you were going to do. You have a contract with the user. Live up to it. But don't expect users to rush to buy your product if you don't actually promise that it will do anything.
Users: Vendors are responsible only for what they agree to be responsible for. If you need the software to do more than that, then renegotiate your contract, certify it yourself, or get a third party to certify it. The vendor is passing the buck, and it's up to you to either walk away, pass it on or accept the responsibility. You are the solutions provider here. You have to decide who's going to be first against the wall when the revolution comes.
A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
All that would result from something like this would be extremely specific running conditions. ie, "Must run on Windows XP patched to date X (and no later) running no other software, not connected to the internet, and only using the software specifically as directed in the manual."
Such software could be exactly what's on the market now.
"Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest."
The article argues that the onus for dealing with insecurities should lie with the entity which has the capability to deal with them. With proprietary software this would fall on the vendor but with Open Source and Free Software anyone that owns a copy has the capability to improve security. There is no reason why the liability should fall solely on the vendor in the case of Open Source and Free Software.
I see many here saying that only those that sell software should be liable, while those that give it away for free should not. If such a law were passed, you can bet that FOSS would be killed off in the corporate world, as corporations would gladly rather work with software vendors that can be held liable than those that cannot, as the former have something to lose for having bugs while the latter is free to produce bug-infested crapware. It makes no difference if the "free" software is actually good; corps would feel safer using software produced by someone that could be held liable.
And as I said in another post, large commercial vendors would survive, as they'd simply buy software liability insurance (ala medical malpractice insurance). Smaller vendors would be hurt if they couldn't afford such insurance.
So FOSS is hurt (corps won't use it because FOSS "vendors" can't be held liable for bugs), small commercial vendors are hurt (since they can't afford software liability insurance), and large commercial vendors thrive since FOSS and small vendors are eliminated.
-- "I never gave these stories much credence." - HAL 9000
No, but it would put commercial software companies out of business.
Lawsuits are lottery tickets that are ruining society and nothing more.
Are you talking about lawsuits in general or specifically buggy software lawsuits? I ask because almost 10 years ago I was hit by a moving van driven by a diabetic who had a history of causing accidents and fled one state to another because an arrest warrant had been issued with his name on it. While I was in a coma the docs told my family it'd be a miracle if I survived, NOT!!! The accident left me with a TBI, Traumatic Brain Injury. Because of the injury I spent more than a year in therapy with three different groups and I still have many problems. Especially with memory, my short term memory is almost shot and long term memory isn't much better. My communications skills are bad as well, I've had to use my dictionary which I keep at hand a few times while typing this (and it took about half an hour typing this). The hospital stay and initial therapy I got at the hospital ran to more than $100,000. And the last time I was in therapy, about 6 months in therapy 7 years ago, was $1500 a week. I eventually had to stop the therapy because I couldn't afford to pay for it and insurance wouldn't pay. If it weren't for the fact that while I was in the coma my family got an attorney to hold the company the driver was working for when he hit me responsible there's no way they could have paid my medical bills. As it turned out the company's insurance decided to settle before the case ever went to trial as there was plenty of evidence the driver was responsible and the company was negligent in hiring him. At the time I was hit I was a college student majoring in Computer Engineering, but I came to realize while living in a rehab house after leaving the hospital that if I wanted to continue with it then I'd have to start all over again. And that's if I could understand and apply it. Now I don't know what to do.
Falcon
Should there be a Law?
This issue isn't restricted to OSS. If I buy a copy of Windows at Best Buy, should BB be held accountable for the bugs in Windows? If I resell my copy of autocad to a student, can I be held responsible for the bugs?
I think it becomes clear that it doesn't make sense to make the retailer responsible for the merchantability of the products they sell, with the exception of false advertising.
So if you sell copies of LaTeX, with the claim of it being without flaw seen or unseen, only to have someone eventually find a bug, then you are liable for false advertising. But otherwise you are fine.
Would OSS be so popular if customers were able to hold (closed source) vendors accountable for their bugs?
This is nonsense. You are obviously not a developer.
This discussion misses one central point:
[1] It is possible to develop good software.
[2] Quality costs money.
[3] If software is priced (high) to reflect its cost and quality, it will be pirated, and the developers will not cover their expenses.
[4] There is a ceiling to the cost of software, and it is the equivalent of the nuisance value of duplicating the CD.
Not everyone can afford a Porsche, yet Porsche continues to stay in business. Those who can't afford a Porsche, don't whine that Porsches should be free.
You want the software equivalent of a Porsche? Show me how the developer can be fairly compensated and then maybe we can entertain this silly notion of liability.
Slashdot entertains. Windows pays the mortgage.
A lot of vendors would go out of business if that were the case. Including MS! MS has bugs in it that are critical.
Only 'flamers' flame!
Does slashdot hate my posts?
What if you could magically replicate the bridge, and not pay the engineers for the 2nd, 3rd, clone etc.? Ignoring the fact that the terrain and other circumstances vary, how would you feel, Mister Engineer, if you sat on your derrière, unpaid, as your design was copied with no compensation for your efforts?
Don't confuse the economics of tangible goods and services, with the new economics of digital media, which can be copied at no cost. You don't get what you don't pay for.
I don't know what the answer is. Show me a way I can receive consistent compensation for whatever I chose to charge for my software, and I will accept liability. You don't like my price? Don't buy. You think I'm not entitled to charge what I want? Please tell me what language you write and what applications you have developed.
I don't have the iron ring on my pinkie. I am no more qualified to judge your work, than you are to opinionate on software.
Slashdot entertains. Windows pays the mortgage.
>Uhhhh, just how accountable is the corporate software?
Let's see the contract and let a jury decide the level of performance to the contract, and you will have an answer for a specific instance.
-fb Everything not expressly forbidden is now mandatory.
Should self-proclaimed security experts, like Bruce Schneier, be liable for bad security advice?
That is, if Mr. Schneier tells people that a certain thing is secure, and then it turns out to not be secure, should he be liable for it? For example, if he had told me to use MD5 ten years ago, could I sue him now that MD5 has been discovered to be "insecure"?
Yes. Any number of things would kill OSS, but if you really wanted to kill it right now vendor liability for bugs would be a very good way to do it. I say give it a shot. ;)
The alternative is to believe a truly distributed system, such as the internet, is impossible to kill. But that's only a theory.
Does anybody else here find that that's the only common use for them? The external parts of the ears normally get caught up in the rest of the face washing. I'll admit that one time I poked too far and my hearing went funky for a couple of days, but I don't see that as enough of a reason to explicitly state you should never use them in that way...
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Actually, I took a stupid and obvious question and pointed out how stupid and obvious it was by giving it exactly as much of an answer as it warranted. As Dr. Johnson said, "brevity is the soul of wit."
So, since more idiotic mods would rather waste their points on bitch-slapping me rather than elevating comments, I'll give you another opportunity by repeating it a third time. Anything which takes mod points out of their irresponsible hands is a good thing, so enjoy slapping the "Overrated" ratings on it again, bitches!
*repost*
Would what seems like a great idea actually be the death of free software?
No.
That was easy.
Oh, by the way, it doesn't really seem like that great of an idea, either.
Information wants to be anthropomorphized.
It would kill *ALL* general purpose computing.
The only safe language to code in would be assembly, and you'd have to write all the code yourself, unless you wanted to be liable for the output of the compiler or the libraries you linked to.
Shared libraries and loadable modules couldn't be trusted, since if your application had them, someone else could substitute a different library or module, and your code would never know the difference. If you added checking mechanisms to *for sure* know the difference yourself, you'd have to trust the FS.
All applications would have to be embedded applications, since you couldn't trust an OS vendor - what would happen if the system call behaviour was changed by the OS vendor? What if it wasn't by the OS vendor - what if the OS vendor trusted third party companies to write drivers?
What about firmware? The OS trusts the firmware to load it! What if the firmware changes, or isn't exactly the firmware you expected?
What about the hardware? What if the instruction set on the CPU changes? You'd have to tie your software to particular hardware; historically, for example, 6502 processors were mask-programmed, and had "in between" op codes - they'd do something, but what the side effects were depended on the chip stepping. Your code could work in testing, but not in production unless you guaranteed the same chip lot, since it might be working as a result of a serendipitous error that was fixed in the next chip.
Down this road, you'd only ever have software sold by people who made the OS sold by the people who wrote the firmware sold by people who built the hardware... and maybe the components of the hardware themselves.
So basically you'd have... what... nothing left, but IBM from the 1950's?
-- Terry
Since M$ doesn't seem to be able to produce software without a plethora of critical bugs, let alone the odd incidental bug. Legislation like this would have a far bigger impact on them than anyone else for two reasons: 1. their software is as buggy as a bee hive 2. Everyone uses their software. They'd be screwed!
"I wouldn't pay $2000 for a home OS, because it wouldn't be worth my money. "
Why pay money, when you can contribute to FOSS yourself? You said you were a graduated software engineer. Go ahead and download Ubuntu (hell, they'll ship you a CD for free, no strings attached), plug it in, and enjoy it. If you fix 1 bug a year, you're doing far more for the community than you would if you spent $2,000 on Microsoft products. Even just helping people who can't write software to tell the maintainers (as an abstraction layer, if you will) would be of great benefit.
Thanks in advance.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Vendors would simply put the Mother of all Warnings on software:
WARNING: This software may kill your dog, girlfriend, and business in a giant explosion that may melt houses for miles and miles and trigger avalanches, mudslides, diseases that make your face melt like hot wax in Phoenix in July, and a losing streak for your favorite team that spans longer than the history of shelled sea life. It may also miscalculate your taxes and trigger a giant bankruptcy bigger than Enron. It may also result in you going to hell and being butt-raped by Satan himself. You have been officially warned. Otherwise, enjoy your new software.
Table-ized A.I.
....Holding software vendors accountable for bugs in the software they sell/support would do wonders for improving the quality of software in general......
It would also do wonders for the cost of software. So you would hold the developer of some stupid game, or even a word processor, to your vaunted "professional" standards of expensive testing? Give me a break! Nobody has yet, AFAIK, come up with a foolproof mathematical way to certify that any program of even moderate complexity is bug free. The only way to be reasonably, but never absolutely, sure there are no bugs is to test, test, test and then test some more. That gets very expensive. To make such expensive testing a legal requirement for all software, and to certify so-called engineers, who may have more degrees than a thermometer, as the only ones allowed to write "normal" software is ridiculous. When MS Word crashes or Windows BSODs, so what? Nobody gets hurt, and if you save your work often, there is usually little economic loss.
All this would do is make more work for lawyers and make software as relatively expensive as small private airplanes, the exorbitant cost of which is largely due to liability issues. Keep regulators and lawyers out of this, but let buyers of life critical systems pay for the testing of such software.
Don't make it a requirement that any and every software meets any particular, government mandated standards. I have heard of a lot of extremely stupid, unworkable ideas in my lifetime, but this one is one of the worst to surface in a long time.
All theory is gray
.....Sorry, but the fact that you don't issue a warranty does not mean that the government cannot pass a law regulating how much you are responsible when you sell something.....
How can a warranty be put on software, any more than on a fictional novel? There is no way to certify mathematically that any non-trivial program is error free. Testing all possibilities of a large system, such as Windows and its apps to ensure any given level of reliability and functionality is very time consuming and therefore expensive.
The constant comparison between software and automobiles or any other material good is very flawed. Fundamentally, software is NOT a material object and cannot be subjected to the same rules. If the same design methods could be applied to software as to building bridges, then demanding warranties would be justified. As it is, writing software is an art more than a science, akin to writing a good recipe book, not for food, but for instructions to a dumb machine that has to interact with a (presumably) intelligent human being, in order that this human may achieve a certain purpose. A good software "engineer" is much more like a gifted artist. After the engineer has designed the program, a coder has to compile this design into a source program, which in turn is compiled by a mechanical "compiler" into the actual instructions that the computer hardware finally executes. Perhaps, someday in the future, the human coder will be replaced by a mechanical one, like today's compilers. This may result in more reliable programs, but a flawed design can still cause problems.
All theory is gray
Lots of comments around mention how it would be impossible to make bugless code, and that it is hard to find the source of the bug (libraries etc.)
:-)
To me this sounds a lot like "We're inept at programming. Please don't punish us for that".
Right, it's hard to make a product without flaws, but guess what - it's being done everywhere for almost every product!
You think your computer's hardware was a piece of cake to manufacture? (Think CPU, memory, cards, etc.) Yet if any of them failed, wouldn't you expect liability? This means replacing the product with a better one (fixing bugs), and paying for whatever damage the flaw has caused (if it has). You don't care if the flaw was in one of the many parts that compose that piece of hardware, and you don't care if that part wasn't even made by the same company (think code libraries).
Why should software engineering be any different than any other kind of engineering??
On a personal note, my job is to program software. Yes, I produce bugs as well sometimes. My "clients" are other programmers within the company. Whenever a bug is found in my code, I immediately try to fix it, and offer an update to all of the users. I also compensate whoever found that bug with chocolate bars.
|| Geshem ||
B) If you have no idea what you are talking about, as is clearly the case here, then simply STFU
-- just call me Colmes
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Re: your sig:
:)
For units with bitlength a multiple of 4, (0x2B | ~0x2B) == 0xFFFFF.... So there. (Revision 4 and counting...)
What about: (0x2B | ~0x2B) == ~0
Pavlov. Does this name ring a bell?
nope.
:p
people would just mark down that the software can contain bugs. make some juridic foo-bar around it, write it into the license that you buy.
flagship of designers, photoshop has bugs. do you really think people would stop buying it if they label it with "can contain unexpected bugs, we're not liable" ? no they wouldn't. same goes for smaller and bigger software, if there is no better alternative, people use what they get.
nice idea, but for another planet with other beings. or maybe india
I'd tell you the chances of this story being a dupe, but you wouldn't like it.
that kind of approach can be used for purchasing software; however, it flushes the whole software-as-an-off-the-shelf-product idea down the drain. maybe this idea's implementation can be started with a target group and slowly expanded based on the usage/feedback
* lon3st4r *
I think that more goes back to Godel.
Switch to a non-algorithmic, signal-based, synchronous software model and the problem will disappear.
Along with your productivity!
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
It's not my understanding that people use OSS because of fewer errors, but rather because it either suits them better politically or because the OSS software they're using is just better than the rest.
...and of course it makes me feel better :)
I'm running several Linux distributions on the PCs at home, and it's not because of fewer errors I'm doing it. I like not having to pay for my software, but rather have the option to donate money to the programmers instead.
A proud member of the Onion-in-Hand alliance
This is one of the stupidest ideas ever.
If the client finds a way to break my software, I owe him $1000???? MORE?
Even if it was $10/bug per client, I would never sell software for less than $10000, and I would want all customers to undergo a credit check.
It would kill all software, not just free software. If one country in the world were exempt from the treaty or exempted OSS from liability, then all software would be produced in that country.
Possible, yes. Necessary? I have to say that legal solutions to non-issues are part of the problem. Is the fact that there are bugs in software such an enormous problem to the industries that choose to use them that it warrants the warranty? The fact is that the AS-IS, caveat emptor contract only seems to bother those who've been burned by it and now are looking for someone besides themselves to offset their losses. There's nothing inherently broken about it that requires fixing.
From your link, you say: "No matter how you slice it, bugs (software or hardware, Microsoft or General Motors) *will* cause real financial (and otherwise; health, property, whatever) damage." Yes. It will. It doesn't mean that the person who wrote the software should be liable for that loss. Seems to me that if you put a piece of code out there, and by out there, I mean anywhere that it is accessible, a person has a choice to use or not use a piece of software. That person can choose to use it for mission critical affairs even if the design of the software is inappropriate to that purpose. When you're dealing with software, you are relying upon the user to exhibit a certain level of expertise to avoid damage. If you give the onus of liability to the developer, you've just shifted the burden from the end user back to the developer, making the developer responsible for the end user's behavior. I don't think there are many developers who are comfortable with that arrangement, regardless of how you limit the tort possibilities. Ergo, less motivation to develop software.
Suppose the OSS community managed to lobby for and have passed a liability law that was based on the customer's (software buyer's) ability to have the problem fixed, i.e. you're liable only if your software is buggy and your product by its nature presents technical obstacles to the customer's ability to make any needed "repairs" to make it work properly.
Such a statute would be a huge boon for open software and DRM schemes, since it would essentially free open source from any liability, and at the same time it would discourage software companies from using DRM since it lets them out of any "grey area" argument about excuse from liability due to the customer's ability to fix software by disassembly and/or reverse engineering.
STOP . AMERICA . NOW
With the current state of the art, we can only conclude that bug free software is beyond us. Even the space shuttle's avionics software, after millions of dollars and a decade of work, is not bug free.
Considering that the software is much smaller and does a lot less than a typical desktop machine (imagine if you had to load a new tape to go from email to IM) I think it's safe to say if vendors are made fully liable for bugs there will be no vendors. How many people want to wait 50-100 years for the next release of their favorite OS? How many are ready to spend $100,000 for it?
Even partial liability would do a great deal of harm to the economy. Given tremendous potential liabilities, vendors will be obliged to charge tremendous prices to offset them (either directly or to pay for insurance).
Now, for the article itself. It didn't necessarily say vendors should be held liable for bugs, not even security bugs. It just said we need to align capability with interest. It even made clear that we must be careful HOW we do that or it won't work (the Italy example).
There are many ways to align interest with capability. For example, educating consumers to demand security or go elsewhere (yeah, right). Perhaps require the number of bugs in the previous version to be prominently displayed on all trade dress and marketing materials. If too many security bugs are found (or if they are not patched promptly), the package must display Mr. Yuk for the next few versions.
So, yes, vendor liability could hurt OSS. It would also likely destroy the industry and any others (that is, any business larger than mom and pop) that depend on it.