Examining Software Liability In the Open Source Community

snydeq writes "Guidelines from the American Law Institute that seek to hold vendors liable for 'knowingly' shipping buggy software could have dramatic impact on the open source community, as vague language around a 'free software' exemption could put open source developers at litigation risk. Meant to protect open source developers, the 'free software' exemption does not take into account the myriad ways in which vendors receive revenue from software products, according to a joint letter drafted by Microsoft and the Linux Foundation. As such, the guidelines — which, although not binding, are likely to prove influential on future lawsuits, according to attorneys on both sides of the issue — call into question the notion of liability in the open source community, where any number of coders may be responsible for any given defect."

Bug free software would be insanely expensive!

[onionman]

Bug free software is possible, it's just very very expensive to produce!

I've worked on DoD projects that required bug free software. It is possible, it just requires $150 Million to produce 100,000 lines of code.

Do you really want to force Microsoft or Apple to produce bug free operating systems? Who could afford them?

God damn you, lawyers.

[synthesizerpatel]

Another stupid babysitter law to protect idiots.

At a previous job I asked my boss why we used Oracle and he said that if anything ever went terribly wrong, the company would have someone to sue. Of course, suing someone doesn't restore customer confidence, data, or revenue. No verifiable technical reason, just that OUR lawyers got warm and fuzzy with contractual language that would never, ever get exercised and if it ever did try to sue anyone we'd have run out of money before they dipped into their free soda fund.

Anything that executes code is buggy. Applications, frameworks, libraries, protocol stacks, drivers, bios', FPGAs and microchips. Grow up and deal with it.

Re:God damn you, lawyers.

[TheRaven64]

At a previous job I asked my boss why we used Oracle and he said that if anything ever went terribly wrong, the company would have someone to sue

Next time you encounter this attitude, you should find the relevant clause in the EULA, which disclaims all responsibility for the software containing bugs. If a company like Oracle provides your software then, generally, the only response you have to bugs losing your data is to not buy from them in future (unless, of course, you've just built a large in-house application that depends on Oracle...)

Bad idea

[ShadowRangerRIT]

Vendor liability for software is a good idea only in *very* limited fields, with *very* strict parameters. If the problem domain allows for exhaustive testing (every possible input, every possible code path), then this sort of liability is reasonable. Embedded control software for vehicles is a good candidate. But to apply the law to general purpose computers like we would for mechanical devices is absurd. They aren't a monoculture; they can run anything, which means anything can break them. Every general purpose OS out there suffers from the occasional crash (Windows, OSX and *NIX included), and the very nature of the machine means that you can't always determine the cause. If one kernel level process writes into the memory space of another, overwriting pointers and code, the eventual crash will appear to be the fault of the innocent process (after all, it tried to dereference null). The forensics required to assign blame unquestionably would cost more than the lawyers would.

Much like patent law, this is one field where hardware can go that software should not.

Why should general liability even exist?

[fuzzyfuzzyfungus]

Other than the fact that people hate software bugs, which is fair; but insufficient reason, why should a general liability be presumed to exist?

For software purchased as a custom/customized enterprise type setup, with guys in suits, and contract negotiations, and spec documents and whatnot, surely the parties involved can settle any questions of bugs, liability for bugs, responsibility for timely fixes, etc. as a matter of contract between themselves. Perhaps it would be convenient for a de-facto standard set of terms to exist; but I don't see why any legally binding assumption needs to be made, beyond what was specified in the contract.

For the consumer/shrinkwrap/non-custom stuff, I'd be strongly in favor of a right to return for refund if defective(though deciding exactly what level of buginnes qualifies as "defective" could well be tricky, and settling the issue of whether or not "being able to run on joe sixpack's box-o'-spyware-and-rootkits or timmy the tweaker's bleeding-edge-super-nlite-professional-l33t-3dition-h4x0red-windows-box" is actually a reasonable expectation could be a nuisance); but liability beyond that, unless actual damages can be demonstrated, seems unreasonable.

Already, if software is being used as a component of a system(medical, aviation, whatever) where bugs matter, it is subject to those standards, establishing a set of liabilities for software generally just seems like a good way to encourage ever more onorous disclaimer contracts and quash free/OSS/cheap software.

Re:I believe almost every free software I use has.

[PolygamousRanchKid+]

So.....you're going to sue a developer for a defect, intentional or not, even though they said it was not warrantied and use at your own risk?

No lawyer will sue individuals developers . . . they have no money. They will try to sue a big company, um, like what SCO tried with IBM. Lawyers go after the money.

Some big companies even forbid their programmers from working on Open Source projects on their own time . . . unless they are approved by their employer, of course. Because the lawyer suing will try to twist it so that the employer is responsible . . . because only a big company has enough cash to make it worth their effort.

Re:I believe almost every free software I use has.

[Seakip18]

I can see it now....rogue programmers, up late at night working in secret groups on some highly illegal, highly explosive software. Their code may not be perfect but it's the illegal cool factor that makes it worthwhile.

Re:I believe almost every free software I use has.

[Greyfox]

Pretty much every EULA I've read states that you not hold the vendor accountable for defects in their software or any data loss of yours that occurs while using their software. I don't recall exactly what the Windows one says but I seem to recall that Microsoft is at most liable for $2 in damages if anything goes wrong with their software.

As the American Law Institute appears to not hold with that belief, lets see how far they get in their goals WITHOUT ANY SOFTWARE! Ha ha ha ha ha ha ha ha ha!