Slashdot Mirror
Examining Software Liability In the Open Source Community
snydeq writes "Guidelines from the American Law Institute that seek to hold vendors liable for 'knowingly' shipping buggy software could have dramatic impact on the open source community, as vague language around a 'free software' exemption could put open source developers at litigation risk. Meant to protect open source developers, the 'free software' exemption does not take into account the myriad ways in which vendors receive revenue from software products, according to a joint letter drafted by Microsoft and the Linux Foundation. As such, the guidelines — which, although not binding, are likely to prove influential on future lawsuits, according to attorneys on both sides of the issue — call into question the notion of liability in the open source community, where any number of coders may be responsible for any given defect."
I am sure hell is frozen now.
"NO WARRANTY OR GUARANTEE IS IMPLIED. USE THIS SOFTWARE AT YOUR OWN RISK" or some combination of that. Even my home server says that every time I SSH into it.
So.....you're going to sue a developer for a defect, intentional or not, even though they said it was not warrantied and use at your own risk?
import system.cool.Sig;
Bug free software is possible, it's just very very expensive to produce!
I've worked on DoD projects that required bug free software. It is possible, it just requires $150 Million to produce 100,000 lines of code.
Do you really want to force Microsoft or Apple to produce bug free operating systems? Who could afford them?
And so does every bit of commercial software. How do you differentiate?
Another stupid babysitter law to protect idiots.
At a previous job I asked my boss why we used Oracle and he said that if anything ever went terribly wrong, the company would have someone to sue. Of course, suing someone doesn't restore customer confidence, data, or revenue. No verifiable technical reason, just that OUR lawyers got warm and fuzzy with contractual language that would never, ever get exercised and if it ever did try to sue anyone we'd have run out of money before they dipped into their free soda fund.
Anything that executes code is buggy. Applications, frameworks, libraries, protocol stacks, drivers, bios', FPGAs and microchips. Grow up and deal with it.
I'd say that ye olde standards of gross negligence and recklessness should cover any profoundly careless bugs.
The trick is to get them to apply to corporations like MS.
First point, if someone working for hire at Red Hat, Novell, or IBM knowingly (how's that defined?) ships buggy open source software, why shouldn't the company be held liable, if they would be held liable for shipping buggy closed source? Second point, who is going to sue some no-name contributor who doesn't have any money anyway, especially if you have to prove that that particular developer knew there were bugs? I love open source, but I feel that if we as a community want to be taken seriously, we should be held to the same standards as closed source software.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Vendor liability for software is a good idea only in *very* limited fields, with *very* strict parameters. If the problem domain allows for exhaustive testing (every possible input, every possible code path), then this sort of liability is reasonable. Embedded control software for vehicles is a good candidate. But to apply the law to general purpose computers like we would for mechanical devices is absurd. They aren't a monoculture; they can run anything, which means anything can break them. Every general purpose OS out there suffers from the occasional crash (Windows, OSX and *NIX included), and the very nature of the machine means that you can't always determine the cause. If one kernel level process writes into the memory space of another, overwriting pointers and code, the eventual crash will appear to be the fault of the innocent process (after all, it tried to dereference null). The forensics required to assign blame unquestionably would cost more than the lawyers would.
Much like patent law, this is one field where hardware can go that software should not.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
Other than the fact that people hate software bugs, which is fair; but insufficient reason, why should a general liability be presumed to exist?
For software purchased as a custom/customized enterprise type setup, with guys in suits, and contract negotiations, and spec documents and whatnot, surely the parties involved can settle any questions of bugs, liability for bugs, responsibility for timely fixes, etc. as a matter of contract between themselves. Perhaps it would be convenient for a de-facto standard set of terms to exist; but I don't see why any legally binding assumption needs to be made, beyond what was specified in the contract.
For the consumer/shrinkwrap/non-custom stuff, I'd be strongly in favor of a right to return for refund if defective(though deciding exactly what level of buginnes qualifies as "defective" could well be tricky, and settling the issue of whether or not "being able to run on joe sixpack's box-o'-spyware-and-rootkits or timmy the tweaker's bleeding-edge-super-nlite-professional-l33t-3dition-h4x0red-windows-box" is actually a reasonable expectation could be a nuisance); but liability beyond that, unless actual damages can be demonstrated, seems unreasonable.
Already, if software is being used as a component of a system(medical, aviation, whatever) where bugs matter, it is subject to those standards, establishing a set of liabilities for software generally just seems like a good way to encourage ever more onorous disclaimer contracts and quash free/OSS/cheap software.
That's the weasel word to generate extra lawyer business. Scumbags.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
I'm not anti-FOSS in any way, I'm just wondering why it would be exempted...
Loading...
How about these for new liability guidelines: if the vendor knowingly ships buggy software, the customer is entitled to a 100% refund on the license cost.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
I suspect that in commercial software, there is an implication of warranty (because the customer paid for it), and that warranty can't always be signed away by a contract (because of things like consumer protection laws).
I would think that if a piece of software is free as in beer, it would be easy to explain to a judge that the project authors had no business relationship with the user, and thus could not be held liable.
It's sort of like the "I am not your lawyer, this is not legal advice" disclaimer--the person giving advice is less likely to lose a malpractice suit if he/she says "I have no business relationship with you, so don't take this with the same gravity that you might take my real legal advice."
A cat can't teach a dog to bark.
Oh, and I'm not a lawyer. And if I were, I probably wouldn't be you lawyer. In which case this would not be legal advice...
A cat can't teach a dog to bark.
Just add a stipulation for software that has source code available as exempt.
Or add an exemption to any company that gives a list of known bugs at release. If they blatantly say they know something is buggy, then that would be fair to me.
-SaNo
This comes up every time warranty issues are raised. The problem is that for that warranty to be effective, the parties had to agree. Hence, those that say open source software is not an agreement (or that one does not have to accept the terms of the GPL etc.) have a problem. I've said it before, certain of the terms of the GPL are not merely license language. The community cannot have it both ways.
Either this clause in unenforceable because their is no agreement (one party did not agree to it), or the GPL requires every user to accept the terms of it.
Put the chair down, Steve.
Free Martian Whores!
But if I just give away my leftovers from my restaurant to some soup kitchen free, would I still be liable? May be. If I give away left overs from my home to a passing vagrant would I be held liable? What if I brown bag my lunch and in the work place they order pizza for some reason and I give my brown bag to the homeless guy on the way to the trolley stop without even opening to check if the sandwich has spoiled, would I still be liable?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
So.....you're going to sue a developer for a defect, intentional or not, even though they said it was not warrantied and use at your own risk?
No lawyer will sue individuals developers . . . they have no money. They will try to sue a big company, um, like what SCO tried with IBM. Lawyers go after the money.
Some big companies even forbid their programmers from working on Open Source projects on their own time . . . unless they are approved by their employer, of course. Because the lawyer suing will try to twist it so that the employer is responsible . . . because only a big company has enough cash to make it worth their effort.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
"NO WARRANTY OR GUARANTEE IS IMPLIED. USE THIS SOFTWARE AT YOUR OWN RISK" or some combination of that. Even my home server says that every time I SSH into it.
There is no reason that a legislature cannot pass a law saying that this disclaimer is contrary to public policy and won't be respected in the courts.
For instance, in my State, contracts to purchase a car that are "AS-IS" are not legal. You can write those terms into the contract and the buyer can sign it, but if she turns around and sues you the Court won't give effect to that part of the contract.
Another example, I cannot rent an apartment or house "AS-IS", I am required by law that my rentals conform to a general standard of habitability. It doesn't matter how many times in the rental contract I disclaim any warranty of habitability, I still have to provide a habitable dwelling.
Consumer protection statutes are full of these sorts of provisions that forbid the use of certain kinds of terms and conditions. You can't sell food without a warranty of non-contamination or edibility, you can't sell children's playground equipment without a warranty of safety, .....
TL;DR version: the law does not have to respect your right to contract under whatever terms you see fit (I'll leave the normative argument of whether it should for another time & place).
I can see it now....rogue programmers, up late at night working in secret groups on some highly illegal, highly explosive software. Their code may not be perfect but it's the illegal cool factor that makes it worthwhile.
import system.cool.Sig;
Not all Open source software is free and in beer.
I should think not. The last time I tried to download FOSS from a server that was in beer I kept losing the connection, and the time I drank beer with FOSS in it, was even worse.
As the American Law Institute appears to not hold with that belief, lets see how far they get in their goals WITHOUT ANY SOFTWARE! Ha ha ha ha ha ha ha ha ha!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
The article quotes the requirement as being "contains no material hidden defects".
That idea would superficially (I am not a lawyer) appear to allow any open source off the hook as long as you have a public bug tracker.
Of course you can - I can happily sell a device that looks just like a car, with wheels, can be driven, but make it clear that this is not intended to be driven on roads. If you do so, that's your problem.
If it's a model that was road-legal, no you cannot. That is you can't sell your old beater Honda Civic if the seatbelts are broken, even if I want to use it as a bird house.
But I can damn well sell a substance that would be inedible, and it's your own fault if you eat it.
You can't sell rotten apples as "non-food-substance" no matter how many disclaimers you put on it.
Yes, you can't sign or agree away rights allowed under law, but since these disclaimers aren't contracts or agreements, that's not an issue. They're disclaimers - no different to the disclaimer that says that the "car" you bought is not intended to be driven on roads. If that's allowed for physical products, why should software be held to a different standard?
I should have stated it this way: there are some warranties that the legislature will not let you disclaim. The legislature is not required to respect every possible form of disclaimer.
A business relationship does not require money to change hands. I suspect that like contracts all that is required is that both parties receive some sort of "consideration", http://en.wikipedia.org/wiki/Consideration [wikipedia.org]. Consideration is obvious for the user(s), they get the software, but consideration for the author(s) could be quite varied. Passing along the author's work (as the GPL requires), reporting bugs back to the author, mere use of the software enhancing the author's standing in a community (or maybe just stroking the ego), ... I'm sure a real lawyer could get quite creative, as they have successfully done with consideration under contract law. Unless of course the legislation gives OSS authors a special status which they currently do not have.
These is no contract involved in using software provided under the GPL. The GPL only covers distribution, not use. If no consideration was provided to the author from the end user, no business relationship exists. A distributor of GPL based software has a contract with the author, but that contract only involves distribution, not use of the software. Since that contract states pretty clearly that the software is provided for distribution only if the distributor disclaims that it is fit for any specific purpose the author is pretty much covered against legal action. The distributor, on the other hand, if they don't disclaim warranty they can be held accountable by both the user of the software, and by the author for failure to follow the licensing terms. IANAL, so this ain't legal advice.
Support SETI@home