Slashdot Mirror

← Back to Stories (view on slashdot.org)

Would Vendor Liability for Bugs Kill OSS?

Posted by ryuzaki0 on from the code-clean dept.

Glyn Moody writes "Bruce Schneier has written an interesting column for Wired suggesting that vendors should be made liable for bugs in their software. But where would this leave open source developers? Would what seems like a great idea actually be the death of free software?"

11 of 377 comments (clear)

  1. No, if... by ivan256 · · Score: 4, Insightful

    It wouldn't kill OSS if the liability was limited to the purchase price. That's plenty of liability to keep commercial vendors interested in fixing flaws, and it doesn't hurt the little guy.

  2. I wouldn't. by Anonymous Coward · · Score: 4, Interesting

    I wouldn't contribute to OSS if I'd be exposing myself to a lawsuit because some dipshit found a creative way to exploit my code. They're the guilty party, not me.

  3. Would Vendor Liability for Bugs Kill Microsoft? by Anonymous Coward · · Score: 5, Funny

    "Bruce Schneier has written an interesting column for Wired suggesting that vendors should be made liable for bugs in their software. But where would this leave Microsoft? Would what seems like a great idea actually be the death of proprietary software?"

  4. Software with no bugs? by frogie · · Score: 5, Insightful

    This would not only kill OSS, but the whole software industry would go bankrupt in no time.

  5. Regulation hurts the small players by vijayiyer · · Score: 5, Insightful

    As usual, regulation increases the barrier to entry for a business. By making software vendors liable for bugs, they make it difficult for OSS and small shareware developers to compete. Keep in mind that the question is not whether the OSS developer will be found liable, but whether they will be sued in the first place. The legal fees alone are enough to hamper or even kill small scale software development.

  6. The only interesting part is the anecdotes by drinkypoo · · Score: 4, Insightful

    The simple fact is that this is too hard to police anyway. Where did the bug occur? Was it in the program, or some library it called? Now we have to establish whether the programmer could reasonably have known there was a security update to the linked library. Just proving where the fault occurred would be a huge legal SNAFU. Sure, such a thing would kill OSS first but it would effectively destroy the computing world. Only a luddite could seriously believe that this is a good idea.

    The only proper way to handle this is through contract - not an implied one, but an explicit document which clearly describes the areas and extent of liability. There is a market for this kind of software, and it exists already. This is the only reasonable solution - get a contract, and if you don't, caveat emptor.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. What a content free story... by geoffspear · · Score: 4, Insightful
    Probably not, but since TFA contains absolutely no information about how "liabilities" would work in the author's view and very little about software at all, I see very little reason for Wired to be publishing this column, let alone someone on Slashdot trying to use it as a jumping-off point to discuss the ramifications of the author's non-existent proposal.

    Here's a tip, Mr. Schneier: analogies can be good for illustrating a point, but going on for 2 pages about your anaology without actually using it to make a point is just dumb.

    My guess, since the story was posted at 2AM, is that he had a deadline to meet and wrote this piece of crap in 15 minutes while drunk.

    --
    Don't blame me; I'm never given mod points.
  8. You can add a multiply factor... by scsirob · · Score: 4, Interesting

    If you want things to really hurt, multiply the purchase price by 10 or so. That would actually constitute a penalty to distribute buggy software for commercial vendors while still not impacting those who give the software away for free.

    Large software products will never be entirely bug-free. To keep things reasonable, there should be a standard time-to-fix so commercial vendors also have a fair chance of cleaning up after a mistake.

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
    1. Re:You can add a multiply factor... by dgatwood · · Score: 4, Insightful

      Here's a better idea, then:

      • For the purposes of this statute, the term timely is defined as "within a period that a reasonable person would expect to have to wait for shipping and repair of a defect in a non-software product".
      • Liability is waived if any of the following conditions are met:
        • there is a workaround for the bug.
        • the customer is given a fix for the problem in a timely fashion.
        • the customer is given the materials necessary to allow someone of sufficient skill to fix the problem themselves.
      • All companies shall have a bug reporting mechanism that, at minimum, allows the person reporting the bug to obtain the bug's general status and to receive interim patched versions in a timely fashion.
      • Notwithstanding the fix for the reported bug, liability shall not extend to any bugs introduced in interim builds obtained as part of a fix for reported bugs.
      • All bugs reported prior to the release of a published update shall be fixed no later than the subsequent update unless fixing them is technically infeasible.
      • Upon reporting of a bug whose fix cannot realistically be fixed within this time frame, the customer must be given the option of a refund of the full purchase price in a timely manner. This offer may have two possible outcomes:
        • By accepting this remedy, the customer waives liability for this bug until such time as it is reported by another party.
        • By refusing this remedy, liability for this bug is maintained, but limitations on the timeliness of the fix are waived.
      • Source escrow shall be required for all software with a retail purchase price of $100 or more (in 2006 dollars, adjusted for inflation by the CPI). This source code shall be released by law should the company file for bankruptcy or deem it unprofitable to continue the development and maintenance of the software.

      Under such a scheme, open source/free/libre software would have zero liability (as it should be) because the customer would have access to the source code, and therefore would be able to (assuming sufficient skill) fix it themselves (or get someone to fix it for them). Closed source software would be liable unless there was a satisfactory workaround or the company could prove that they made a fix available within a timely manner of the bug being reported.

      The logic is this: most bugs do not take years or even days to track down. Most bugs can be fixed in minutes. Most companies want to do a full bake cycle on fixes to make sure they don't break anything else. This sort of law would simply require that they make the interim build available to the person running into the bug so that they can get past it. It would also require that bugs continue to be repaired after a product is replaced with a newer version.

      This protects against liability for unknown bugs, but sets limits on how long a company can drag their heels at fixing frequently-seen bugs, provides the customer a way out for obscure bugs that only three people in the world care about, and prevents abuses like companies abandoning products with major known bugs or requiring customers to pay for the next version to get critical bug fixes.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  9. God-awful submission! by Proteus · · Score: 5, Informative

    The article is horribly misrepresented, here. The core of the article is about the security principle of aligning capability with interest -- that is, when you want something done, you find out who can do it and take steps to interest them (offer them money, the potential of something free, a fine if they *don't* do something, etc.).

    Near the end, Bruce mentions the concept of "software liability" as an example of how interest can be aligned with capability. Bad on Bruce for not defining how he uses the term, but bad on the submitter for not researching it before sending in this FUD. Anyone who has followed what Bruce has done knows that he's a huge supporter of OSS.

    When Bruce talks about software liability, he's talking about making software makers liable for their marketing claims about security, not for "bugs found in software". OSS would be safe, as long as those project don't say "we're secure" when they aren't.

    And on this point, I agree: if I buy a security product that claims "secure file storage", and I find out that they implement this single-DES encryption -- and espeicially if my data is compromised as a result -- the vendor should be liable. They made a false claim!

    --
    We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
  10. Getting Ridiculous by aquabat · · Score: 4, Insightful
    Oh for crying out loud...

    How did we get to this state of affairs?

    Whether or not a software vendor should be held liable for bugs in their software depends on what they promised to the customer. They should be held liable for no more and no less than that. It's the same as with a vendor of any product, not just software products.

    If you go to solutions provider X, and hand them a list of your requirements, and they agree to provide a solution that satisfies those requirements, and you both sign a contract that embodies that agreement, then of course they should be held liable if they fail to meet their burden under the terms of the contract.

    If you buy a box of software from Vendor Y that says that its purpose is to enable you to write letters to your grandma, that is an implicit contract, since you are exchanging your money for the product's functionality. Depending on where you live, you might have legal recourse, if the product fails to live up to its stated purpose.

    The obvious escape from this, which all software vendors take, is to not state that the software enables you to do anything specific, and to explicitly disclaim fitness of use, for any purpose, in the software EULA. They can then say that the name "Grandma Writer(tm)" was merely meant to convey that the product is so easy to use, that even your grandma could use it, and not that it is guaranteed to facilitate communications between you and your grandma.

    So, for example, if you download gcc and your airplane crashes because gcc generated incorrect code for your embedded processor, then you're shit out of luck if you want to sue the core gcc dev team. The license agreement for gcc explicitly states that the software is not guaranteed for any purpose whatsoever, so use it at your own risk. By accepting the licence, you shoulder the responsibility for any damage that results from your use of the software.

    In the case of the Vendor Y, the EULA is to cover the vendor's ass, so they can make some profit, instead of spending all their time and money in court. In the case of gcc, the license is to cover the developers' collective ass, so they can continue to develop gcc, instead of spending all their time and money in court.

    Vendors: Do what you promised you were going to do. You have a contract with the user. Live up to it. But don't expect users to rush to buy your product if you don't actually promise that it will do anything.

    Users: Vendors are responsible only for what they agree to be responsible for. If you need the software to do more than that, then renegotiate your contract, certify it yourself, or get a third party to certify it. The vendor is passing the buck, and it's up to you to either walk away, pass it on or accept the responsibility. You are the solutions provider here. You have to decide who's going to be first against the wall when the revolution comes.

    --
    A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.