Negligence and Open Source
icing asks: "With the story about the Melissa trial, some people argue that Microsoft is partly to blame. Negligence in making a product safe to use cannot be excused. And again, software is compared to real world things like cars and how car makers could not get away with what Microsoft is doing. Does not the same argument apply to makers and distributors of open software? Could makers or distributors of Open Source be held liable? Under which conditions? Or do we have a double standard here?" Hmmm...a touchy issue. What are your impressions?
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
So no, no one can be held responsible for anything their GPL'ed program does. I don't know how the BSD license works, but I would assume some sort of similar constraint.
Jeremy
Looking for a Python IRC bot?
I think the best analogy to use in this case is something like kit airplanes. If you buy a whole, complete airplane from a manufacturer (closed source) and it blows up in midair, you naturally and rightfully blame the company that made it. However if you buy a kit plane, put it together yourself, and the engine drops out of the plane in midair, you have only yourself to blame.
So, following this analogy, closed source companies should be held liable, because some things are hidden from the consumer, and open source companies should not, because the customer is able to see _exactly_ what they're getting. This would encourage many companies to switch to an open source model, don't you think?
---- The devil is in my pants! Look, look!
By selling the software to an individual, Microsoft should have a responsibility to make "safe" software. Comparing it to auto manufacturers is reasonable. Microsoft should hire "software engineers" who are professionally licenced and insured to sign off product as safe.
Open source on the other hand shouldn't have this responsibility because it is given out for free. The responsibility exists with the individual who implements the systems. If I designed a car and left the drawings open source, I would never be held liable for the car if it proved to be a defective design. If I sold the designs, I would.
If someone else sells my free drawings, maybe they should be liable as well.
News for UW students
Free software is like air or water, it is just there, like a public good, and when you use it for something, it is your responsibility to understand its limitations and risks.
So if someone is harmed by a system involving free software, the responsibility doesn't lie with the author(s), but with whoever used it in a system. Red Hat, your sysadmin, your manager, whoever chose to use the software.
The more authors are involved in a free software project, the more like a public good the software becomes.
The initial problem is that no one will want to take the blame, but as software and computers mature, that will have to change.
Anonymity on Slashdot has become a haven for the ignorant and childish. I say remove it.
Couldn't agree more, except that if anonymity was removed, then previous ACs would register multiple (fake) names (so you still wouldn't know who wrote the comment), and it would prevent the distinction between those who are prepared to stand by what they say, and those who aren't.
As in, anything you post un-anonymously you mean, because everyone else knows who posted it/has your email address.
SURELY NOT!!!!!
As for the issue at hand, I don't think anyone, even Microsoft, should be held responsible for such bugs. C'mon, all programs are going to have problems; just because one of the bugs happens to have more risky consequences doesn't mean that it is any worse than a bug that is relatively harmless. It shouldn't be considered "negligence" - it should be expected by users of the program.
On the other hand, both Microsoft and Open source programmers should be prepared to either a) fix bugs or b) publish them as soon as they are notified of them.
This is not the case with Microsoft's non-disclosed-source-code software - they don't give the customer the power to check or fix their negligence, thus the negligence is all theirs.
True Open Source in general declines warranties because the software is distributed gratis or at very low cost. Of course, you have the option to make a contract with a support provider who might provide you warranties against negligence. I don't think it's likely that a provider of gratis software, Open Source or not, would be found liable for damages he explicitly disclaims. I'd like to hear of any cases where this has happened.
Thanks
Bruce
Bruce Perens.
The difference between MS and Open Source software is that you don't pay for it. Remember the big piece of FUD from earlier this year?
"What if something happens because of the software? There's no one to be held accountable!"
You can look at it as either an advantage or a detriment, but there's no way someone who writes OSS could be held accountable for something like this. Now, there's a difference between the Melissa Virus case and something like UltraHLE (The reverse-engineered N64 Emulator.) I'm talking about legitimate software here.
If I use a car to hit somebody, I'm to blame, not the auto maker for "not making the car so it can't hit other people or cars". Even to the extreme this argument doesn't work. If I kill somebody with a gun, it's still my fault, not the gun maker's, even if I wasn't intending to shoot the person.
Cliff is right, this is a touchy issue. I am not a lawyer, but I do have some thoughts which I'm sure fellow slashdotters with more knowledge of the field/issue will expand on.
Law. Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party.
Ok, hypothetical situation time. Company X makes this nifty toaster called the iToast. It can track user settings, adjust to hardware failure, and all sorts of nifty things to make you the perfect toast each and every time until the whole thing goes.
But I must mention that the iToast has a built in 3.5" floppy drive so you can apply patches, or install a whole different version of the software. Now, Company X ships the iToast bundled with its own software, but a nice little grassroots organization creates their own OSS for the device. It's faster, and has a better isToastDone(args), which results in better output. Yum indeed.
Unfortunately, the OSS geeks overlooked a small bug which can, although rare (say 1:20000 uses) cause the toaster to burst into flames. Not good.
Now, the question is where can, if at all, the company become liable?
I say there is little chance that the OSS group would be held liable if they released a patch immediately upon discovery of the bug. However, if they chose to ignore the bug, the group would more than likely be held liable for resulting damages. Of course, there are some creative lawyers out there nowadays, so . . . =)
Does the MS EULA not have language about not being accountable for "features" (bugs), not intended by the manufacturer? A lot of licenses have been copping out like this, and I don't necessarily think it's a good thing. The GPL is slightly different, because even if the software author doesn't care, you can ask your buddy the programmer to fix it and re-release it. But I don't think MS can be held liable for macros being run by Outlook and Word.
xrayspx
--My magic 8-ball said "Outlook not so good" but they released it anyway...
I like music
Open Source liability? Hmm, isn't that what companies like RedHat are there for? I know some people don't like RedHat, but this question just brings the real issue to the front: most of us Open Source coders are here because it's fun to play around with code and invent new things. The last thing we want to worry about is whether we might get sued over somebody getting hurt by our latest invention. This is where companies like RedHat come in -- they provide support, and act as somewhat the entity to point your finger at (read, sue) when things go wrong. We coders can't afford to be sued, hence the standard disclaimer of no-warranty in the GPL: we're not even getting paid (in most cases) for our contributions. We need somebody like RedHat as a "shield", so to speak, in case of major trouble.
But as to our responsibility in putting out quality products, I think the nature of Open Source itself lends very well to producing high-quality products. As hobbyists, we're definitely more concerned for creating the best software out there than how to stuff our products with features so that it's more marketable. Perhaps a few coders might be negligent, but with the vast diversity of coders involved in Open Source projects, each with their own needs, preferences, and biases, such problems surface quickly, and hence, get fixed quickly as well. I think I don't need to repeat past stories on how fast security holes in Linux are fixed, compared to MS offerings.
I suppose you can say there is negligence in the very fact that a security hole exists, but this is a little unreasonable because in a complex system, you don't know what the faults are until you actually put it to use. I think the more important issue is (1) whether problems like security holes are quickly fixed, and (2) whether coders care about their projects enough to make sure they don't contain obvious problems. I would say an Open Source project is stronger on both. On (2) particularly because of the coders' interest -- if your dinner depends on how well your code sells, you'd probably cut corners gladly so that you won't miss the deadline.
Anyway, to get back to the first point -- although we coders have enough interest to avoid obvious problems, and there are enough of us to quickly fix a problem when it comes up, there are still cases where major trouble might result. This is when a commercial entity like RedHat comes in -- it gives us dedicated workers, not just volunteers who could throw up their hands anytime and give up and leave the user in his own soup -- dedicated workers who are ready to accept more responsibility than hobbyists. We need both volunteers and dedicated people.
mikre he sophia he tou Mikrosophou.
Ok, lemme clear something up before this gets flamed into oblivion. =)
In case of said failure, the group would be prolly liable for damages, but I don't think the feds would be on their case or there would be any major lawsuits, if they immediately released a patch.
Comparing a design by Microsoft (or any other desktop/server software company) that has a flaw in it to a design by an automobile company that has a flaw is a poor analogy, in that a flawed automotive design has the potential to cause loss of life or limb. Desktop and server software doesn't put the customer at the same risk.
Christopher A. Bohn
cb
Oooh! What does this button do!?
While both open source and shrink wrap licenses disclaim liability, what about support contracts? When a security hole is known, especially when it is reported to the company providing the support by someone with a support contract, I would think that the courts would be much more likely to find that company liable if they made no attempt to remedy the problem or at least warn their customers of it.
The net will not be what we demand, but what we make it. Build it well.
When you tell someone, "Here are all the parts to build a car, it's free if you can get it running!" it is generally implied that that person is responsible for the car's functionality.
Not so if you sell the car.
Let history repeat itself. It took car manufacturers well over 20 years to start incorporating safety features into their vehicles, but until that happened, the only people complaining about how unsafe cars were were the people who cleaned up after the accidents (i.e. doctors, nurses, etc.).
This all changed with the Nader report - and the publicity it generated in the media and the public eye.
What needs to be done is to increase people's awareness of how bodgy the Micro$ server code is, and how only the micro$ exchange servers were the ones that were affected adversely by the Melissa virus...
Since the design criteria for Java were published, there is a clear source available warning of the dangers of allowing arbitrary pieces of code to be executed without the knowledge and consent of the user. Setting the security switches that would prevent this to the choice that allows it to happen by default is only slightly better than providing no way to turn it off. In essence, designing a way for arbitrary pieces of code to be sent to a machine and executed automatically is designing in a security flaw. That is an error of commission, not one of omission.
As it stands with current licenses, I think you can't blame anyone, at least not legally. However, maybe the 'we are not responsible' clause should not be allowed if you sell the software... Dunno the legal implications, but it seems reasonable.
If you are only selling the medium, I suppose you aren't liable.
There have been several posts claiming that Open Source software has less necessity for security, or safety. That the GPL somehow exonerates OSS in some way that the MS EULA does not. All of this is bunk.
If OSS software is really a general purpose solution then it must meet as stringent a security requirement as any other such solution. For all of those Linux evangelists out there, we can't claim security as an advantage in one sentence, and then claim less responsibility for it in the next without sounding silly.
What Linux does have is a better testing system, a more heterogeneous and reliable user base, and a significantly better bug response method.
The concerns about safety, be they virus propagation, data integrity problems, or uptime/essential systems issues, are the responsibility of the system's administrator. Any system can be made secure by a careful admin, and any system can be made unsafe by running unknown (read closed) software.
The reality is that computers are so complicated that admins (for that matter developers) cannot go through the code checking all cases in some perverse proof of correctness. Making software engineers sign off just means that someone who really isn't responsible for having a buggy or defective piece of software can be canned for the zealous marketing and management of his company.
If a company claims that a system is secure - e.g. NT according to MS or perhaps Open BSD then the company could be considered liable if:
a) It fails to take reasonable measures to make sure that said product is secure.
b) Refuses to respond to security issues as they arrive.
The software you buy is always as is. Beware.
Meaning that if you get a piece of OSS for free and it doesn't work or causes some damage to your system then you're pretty much out of luck unless you can prove that the faulty code was maliciously placed. On the other hand if you purchase OSS software from someone who has repackaged it then you have an expectation of quality and the seller should be liable for it. Of course this isn't even the case for closed source commercial programs these days. Especially "shrink-wrapped" software that often comes with disclaimers against liability should their software do really nasty things like burn down your house or trigger the apocalypse.
... you can't blame the manufacturer. But if your car suddenly exploded because you put it in reverse while the radio was on (a good analogy to typical Windows behavior), then you would blame the auto maker - I hope.
"I love my job, but I hate talking to people like you" (Freddie Mercury)
The liability should be on a product sold. With RedHat etc. you paid for the packaging, not the development of the software. If something is wrong with the software that RedHat caused by the way they packaged it or could have prevented by a small change in packaging then they should be liable, but if the problem is a flaw in the software RedHat did not develop (or developed and gave away) they should not be liable.
If you buy a Compaq computer with Windows preinstalled you still paid Microsoft not Compaq for the software.. But if a defect in Windows is caused by the way it is installed then Compaq who installed it is liable.
The open source developer who codes and gives away his software sold nothing and is liable for nothing unless he makes claims to the fitness of his software.
Basically Microsoft might be liable for selling a defective product or a product with an unreasonable security defect. Since open source developers do not sell any product they can not be held liable for that non-sale.
Giving away a defective product is (at this time) not subject to liability.
This may change over time with businesses selling support instead of product but for now if Microsoft is found liable for selling a defective product it could boost open source a great deal..
Sell product and be liable for defects or sell support and let the userbase be responsible for the repairs.
But again even in open source you're liable for claims so if you claim a product is bug free you could put yourself in a position of being even more liable than if you had sold the software to start with... Sold product can get away with a few defects so long as it can be shown to be reasonable.
I don't actually exist.
Ross Perot would call this "pie in the sky" argumentation. And it's just the kind of thing that hinders the open source movement. More so than graphics or limited apps or even setup/average user issues, the climate fostered by those who try to use weak, unproved theorems as postulates undermines the foundation of open source.
Icing's question of a double standard is moot. If someone breaks into your house, is it your fault that you didn't install just the right kind of alarm that would deter that criminal? Don't lose sight of who is malevolent.
It's important to note the fact that Microsoft is a corporation and most open source developers are individuals, and there aren't many developers that have formed open-source based corporations, relatively speaking.
When you speak of liability I assume you mean money. If Microsoft is held liable for whatever they have done, generally the only penalty would be monetary, at worst they might be broken up.
Since Microsoft (and most corporations) are pretty big, the penalties don't do all that much damage. It is extremely rare for a government body to come out and say "you have been found guilty, your company will cease to exist, your assets will be liquidated."
When we get to individuals, however, monetary damages can seriously impede your ability to do anything, such as programming, and often times people are thrown in jail (fraud, malpractice, whatever). Bill Gates is most certainly not going to do jail time, even if it were proven his company has broken numerous laws with him knowing it. When you have a number of individuals developing a certain product open source style, with no business relationship, who would be held liable anyway? Try to single out who wrote the offending lines of code? It's not that simple and our law system doesn't cover this very well to my knowledge.
Is there much software out there that has a warranty anyway? I haven't seen any...you basically accept it "as is" as far as I know.
Anyway, I think the bottom line is that open source software is much, much more accountable to begin with than Microsoft will ever be for plainly obvious reasons: it's simple to determine what's causing the problem.
... at this time, they have other issues to worry about when they choose their software (other than small print in licenses). If there were competing products equivalent to MS's, but with a more user-friendly EULA and even with a slightly higher price, I'm sure that most people would choose those instead (as long as they knew about the differences).
You can be held liable for whatever you promise, which is why most open source software has a clause something like:
>> This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
If you read the EULA from Microsoft, I'm pretty sure that they have a similar clause, much to most people's surprise. Then what are you actually paying for, you might ask. Well, that's the good question ;)
The car-makers have a responsibility of making cars *reasonably* safe, according to government regulations. They are not required to stop your kids from driving into brick walls using your car. They are however required to make sure your car doesn't fall apart or stops braking when you want it to etc.
There are no such rules (yet) for software. The vendors make the rules, and the vast majority of customers/consumers simply neglect this fact and *expect* that there is some sort of reasonable agreement behind it all, just like when they bought their car.
Open source licences are usually very cautious to ``warn'' people of the possible dangers that lie ahead when using the software. And some people may even pay attention because ``there's gotta be a catch with gratis software after all''. I think this is a pretty good way to handle things.
There could be some sort of either regulations or at least some rule that software vendors should state LOUD AND CLEAR what they promise and what they don't. Pretty much like the warning messages on cigarette boxes :) This would probably not change the promises or the software, but it would make the general public aware of the lack of promises they actually get from spending huge cash on closed source software.
And for a good reason - the situation is different. MS can afford to do this sort of thing because Microsoft is a monopoly. Let's imagine for a second that qmail developers get really lazy or reckless and allow several scandalous security bugs to creep in their release. What happens next? I will switch to exim or sendmail or something else - and you will, too. This is not really a question of Open Source vs Closed Source, and I think guarantees and responsibility for your product are not important. If there's healthy competition, these issues are solved implicitly.
-- ATTENTION: do not read this sig. It doesn't say much.
You are confusing "Windows 98 is a buggy OS that doesn't do many things very well" with "It doesn't work". The fact is everything on the Win98 CD *does* work as it was designed, to a certain extent.
"This isn't very good, it sucks!", and "This is horribly defective and somebody owes me my money back!" aren't the same thing.
It's about the car being manufactured with an engine that self destructs and the hood welded shut. It's about the driver getting injured if some wiseguy puts a brick in the road with a hat on top of it. It's about being obliged to take the car to a Microsoft service center for any repairs, because nobody else can get any parts. (What do you do if your car breaks down in the middle of nowhere?) There are so many other parallels. Can't steer if the power steering goes out. Can't brake if the power brakes go out. When you blow a fuse the locks and windows won't work. You have to pay extra for more than one passenger at a time. As you drive along, more and more inexplicable grinding noises accumulate. And you have to do a full overhaul to get rid of them.
Hmm, there's probably more?
For me, the responsibility comes more from the system administrator or even the individual who chooses a non-safe {OS - Server app - Client app} than from the software designer, open source or not.
IMO, the software designer can sell or distribute, freely or not, any program, even if it is full of security holes. The license of any program (commercial AND GPL'd) has a clause which says that the software designer is not accountable for bugs their application may contain. That's really the job of a good system administrator to secure his system and to choose the right solution. That's a matter of choice and these clauses in MS EULA-like licenses protecting the software designer against legal attacks seem a Good Thing (TM) to me.
Of course, these views apply less easily to the home user, but the user who doesn't protect himself against macro viruses or security holes in his mail client is responsible for his own negligence. There is enough talk about Melissa & others in the mainstream press for the average user to know these problems.
Don't ever forget that the perfect, bug free, 100% secure software is a myth. Legal actions against software designers have no real effect against big software vendors, but would hurt little companies/individuals, resulting in less choice, since only big companies would be able to "take the risk" to publish software! It must be harder to write software with the constant fear of a legal action if you make a mistake somewhere in your code.
With my reasoning, no double standard problem: the system administrator / the user is the first person to be accountable for his poor choices.
Just my thoughts,
Stéphane
Instant Karma's gonna get you, Gonna knock you right on the head (John Lennon, 1970)
You cannot examine the code on closed source software to make sure it is suitable to your purpose before executing it. With OSS, you can... at least theoretically. Of course it is arguably impossible to fully check out source for large programs (any linux distro, for example). You could check key areas that worry you though. This absolves OSS authors from lawsuits (IMO), but not closed source vendors.
One of the biggest conditions applied to liability issues in any product is intended use. You can't, for example, sue a knife manufacturer because you got stabbed by one, whether you did it, or someone else did.
That being said, what is the intended use of a general purpose operating system (as opposed to specific systems, such as life support systems)? No-one that I have seen will argue, for example, that Windows 98 is secure, or is even intended to be secure. Linux and NT are quite a bit more secure, and it is usually these that are placed in an environment where security is an intended goal.
However, a knife (or car, etc), are devices with a well defined, specific purpose, and the same cannot be said of operating systems, by and large. The intended purpose of any particular OS installation is entirely dependent on what it is trying to do, eg. be a webserver, transaction database, etc. Since it is quite possible for a badly behaved application to compromise even a very good operating system, you are then faced with choosing who to hold responsible for any failure, the OS vendor, or the app vendor (if they differ).
Admittedly, the better the OS, the less likely is the above scenario, but the only really secure system is a secure SYSTEM, in other words, if any part of the system is insecure, the entire system can be considered to be insecure, by extension.
Assuming that we allow the establishment of responsibility on the part of the vendor for security issues, one of the telling parameters that is involved is that of foreseeability, or was the compromise that occurred one that could have been reasonably foreseen, and guarded against before the fact. And we haven't even addressed the issue of bugs.
Due diligence doesn't mean that the product must be perfect, it means that the manufacturer is required to make a reasonable effort to prevent, and / or correct, any issue that might arise. To use the Melissa virus as an example, it is not necessarily MS's fault that such an exploit can be made in the first place, but they could be reasonably held accountable if they failed to address this issue after the fact. I would also say that the same applies to Open Source products as well. It is disingenuous to apply a double standard, if MS can be held accountable, so can Open Source, and vice versa.
Notwithstanding the fact that both MS's EULA, and the GPL both contain warranty disclaimers, it is also true that such disclaimers are not protection against negligence or failure to exercise due diligence.
The above diatribe aside, when it comes down to the crunch, it is my belief that the architects/administrators of the system should be responsible for security issues on their system. And this is where OSS really works best, it places in the architects' hands the ability to fully scrutinize the particulars of the system they create, and provides them with the greatest amount of control over the operation of the system. If the system architect chooses a closed system, they still must be responsible, since they CHOSE the system they provide.
Nunc Tutus Exitus Computarus.
If you use Micro$oft code as a basis for your product, and your product doesn't work (because of Micro$oft code) and you are sued, here's a clause:
(c) indemnify, hold harmless, and defend Microsoft from and against any claims or lawsuits, including attorney's fees, that arise or result from the distribution of the Redistributable Component
Think it can't happen? Anytime there is a loss, the lawyers take a shotgun approach. Sue EVERYONE who was involved. That means you, the software developer, Micro$oft, et al.
We humans CAN make error free software. We have missiles that fly through the air, make tight corners, fly through windows and blow up. As opposed to software that is on windows that just blow up. Yet, the 'market' won't 'buy' software that is bug-free. Personally, I believe the market won't buy it because it hasn't been convinced to buy it.
The second problem is software doesn't match the assembly-line mass production model, more of an artist crafting a work. So the reliability we have come to expect of mass-produced items *koff koff* doesn't apply to the software world.
And until we move beyond the lone artist and more assembly line, we will have bug-ridden large software releases.
Who's to blame for the 'virus'? I can say it's not me. I don't buy M$, and don't write viruses.
The consumers (for buying insecure software), the writers of the insecure software, and the virus writers are all able to take the blame.
As OpenSource delivers what M$ (and others) can't, the consumers will make the demands of good software, M$ will have to deliver or die.
If it was said on slashdot, it MUST be true!
Another car analogy but this time nobody gets hurt.
1981 Caddy Eldorado with V6. These cars ping.
It is well documented that there is nothing you can do about it.
This was an expensive car that has driveability problems. Got tons of bells and whistles but the only thing you can do when it's pinging (which can burn a hole in a piston, not a cheap repair) is turn the radio up. That or put in a different motor (also not cheap).
Let's face it, there is no such thing as a good analogy, but to nitpick because nobody dies from macro viruses is delusional.
Ummm, auto makers DO "get away with it".
Ford Pinto -- A corporate decision was made that lawsuit settlements would be cheaper than re-engineering a known faulty design. Result? People were burned. Ford had to pay more money than they anticipated. Ford is still in business today doing pretty well (so much for consumer backlash).
Then there's the Chevrolet Corsair -- another known faulty design that hurt people. Today's obvious statement -- Chevy is still in business.
So now the "we hate Microsoft" group cries that the folks in Redmond are to blame.... for what? Locked-up mail servers? A lovestruck 31337 wannabe who glued together a VB script that had some nasty consequences?
Folks, if maiming and killing people doesn't put a company out of business, hanging their MS Exchange servers damn sure won't do it.
If you want to take out Microsoft -- make a better product (hint: you've already beat them in the server arena). Market it well. Make developers want to write on your platform (oh wait -- already did that).
Please don't waste time trying to put them out of business for making vulnerable mailservers. It won't work. As a professional, your job is to point out these shortcomings to the people with the checkbooks. If they don't ask you or (worse) ignore you, they have no one to blame but themselves. And if they offer you a ride home in their Pinto, take the bus.
Mr. Perens has (as usual) an apt comment. Disclaimers:
1) IANAL
2) I am not directly associated with Open Source Software.
The concept of due diligence is hyper important. In fact, a finding of negligence is essentially a finding that due diligence was not performed.
What I have seen of Open Source indicates that the people who work on it are extremely "diligent" where bugs of all kinds, not just security bugs, are concerned. When one is reported, generally someone gets after it right away, to (1) confirm it's there (2) figure out what a fix should be and (3) fix it. This is an historical pattern, I believe, and could be substantiated by lots of testimony.
Note that the Law doesn't require that the bugs actually be fixed, or that the fix be better than the bug was. Due diligence simply means that all reasonable methods were used to conclude what the problem was and how it might be fixed, and to fix it if it seemed warranted.
Note that in the Pinto and GM Truck cases mentioned above, due diligence broke down -- the companies involved concluded that the problem existed, but that it wasn't economically justifiable to fix it, that is, the necessary fix would cost so much that it wasn't worth it. The Court, in general, is hostile to this view, to say the least.
There's also the matter of 'deep pockets' and political correctness. Even with all the malicious hacker stories in the press, you still wouldn't get very many lawyers willing to sue some 26-year-old nerd for negligence in fixing a software bug; defense lawyer starts telling sob stories, and it's likely to turn the whole thing around -- plus, how much are you likely to get? An Open Source programmer isn't likely to have much. Companies like Red Hat theoretically have money, although most of it's virtual, Stock Market valuations that probably couldn't be realized. With BMW payments to make, how many will chance it? Microsoft on the other hand is known to have a pile of real cash, easily converted to your Actual Folding -- just what a plaintiff's lawyer likes to see.
So no, I can't see open source being in much danger from negligence suits for software bugs. It isn't an attractive target for such suits, and a fairly strong defense is on hand. Bill & Steve might should sweat it.
Regards,
Ric
Personally, i don't think MS, or any software publisher, should take the blame for something like a virus.
Do we blame the carmakers for making unsafe cars when somebody plants a bomb on it?
Or do we sue the people who make windows when a brick comes flying through and hits us in the eye?
No, of course not!! It's not MS's fault....
The main difference is that most Open Source contributors are individuals and could not fork over the winnings of a major award. Many are poor (students!) and are spread across many countries; companies are insured and have assets.
Big Rich Company licence: "We are *not* liable."
GPL: "We are *not* liable."
Lawyers know where the gold is. Which will they whittle away at?
RedHat might worry, but the rest of us are safe.
-B
Microsoft is the scapegoat of the computer industry. Every problem which occurs in the industry is blamed on Microsoft, if the company was involved in any means at all; if there is a problem which does not involve Microsoft, it will be ignored by the media. Practically every element of the media, from the most non-technical columnist in the daily newspaper, to the editor of the most elite technical consultant publication, rats on Microsoft, and only Microsoft, continuously.
It is not an issue of open source vs. closed source. It is an issue of Microsoft vs. non-Microsoft. Companies such as Sun, Oracle, Apple, and IBM are primarily closed source, but are 100% immune to blame.
Blaming the Melissa virus on Microsoft was just an example of Microsoft as the scapegoat. Much more serious security problems have occurred in the past which should have been blamed on the appropriate vendor (e.g. the internet worm). However, since these didn't fit into the media's convenient definition of who is to blame for every problem in the industry, they received little press, and were blamed on "hackers", instead of the irresponsible vendors.
A prime example of the media using Microsoft as a scapegoat was yesterday's Hotmail outage. Here, the problem was blamed on Microsoft since it owns Hotmail. The fact that the Hotmail servers run Unix was ignored. Had Hotmail been run by another company, but used Microsoft servers, the problem would again have been blamed on Microsoft, absolutely regardless of who really was to blame.
An excellent example of a problem being ignored because Microsoft wasn't involved is eBay's continuing problems with Solaris. eBay's market capitalization has dropped by literally several billion dollars because of outages which were caused by bugs in the Solaris operating system. However, this is never brought up in the media, because Sun is considered a holy company by the media, and the perception is that no problem could POSSIBLY ever be Sun's fault. (Ironically, since eBay uses Microsoft products as the front end for its servers, Microsoft received blame very early when the problem first appeared -- though the critics quickly shut up when they realized that in fact Sun was to blame and the Microsoft products were chugging along nicely. Note that they didn't switch to blaming Sun, they merely stopped blaming Microsoft.)
An extreme example of Microsoft as the scapegoat has been Judge Jackson's ruling that failed products such as Netscape Navigator and OS/2 all owe their failure to Microsoft. It is now commonly thought by many people that ANY product which fails in the marketplace owes its failure to Microsoft, and not lack of marketing, lack of quality, etc.
So, no, open source software will never receive blame if it fails or has technology flaws. At least not now. The media is having a field day blaming Microsoft. If ten years down the line, open source becomes the standard, then it will likely begin receiving the blame, as the media seems to only pick on whatever is popular.
If the hammer I just bought happens to have the ability to smash my thumb it's my fault for letting it do so.
A software bug might not be as obvious but you are responsible for your own data. If you follow basic safe computing even the biggest problems are easily recovered from.
Now that all being said... For those people who feel the need to sue someone the choice is pretty simple. You buy the distro from company X (or otherwise you download it at your own risk) they are the ones who are selling you a product. If it ends up being defective they're the ones who will get sued.
Windows has many problems but with a little work, a lot can be patched up. This goes with most operating systems. I think the general public doesn't have that many problems with Windows being "unsafe". People do stupid things then blame the software. I think the software is very safe and over many many years of using each version, I, and many people I know, have not had a single problem with unsafe software. Is this all MS's doing? No, I think it's being half intelligent and using the software the way it should be. I know for a fact I'm not an exception. There are many examples of people not making a safe product, I think people like to go on witch hunts, and MS has received the brunt of this.
Just as many virii and trojans can affect Linux and OSS. The big difference is no one makes OSS & Linux the target. A virus or a trojan can be written for any OS, it just has to be in the scopes of the people creating them. Remember the most famous of all, The Internet Worm, did not affect MS at all. Don't be so cocky about accusing MS code of being faulty, and OSS of being so secure. It is much easier to crack a safe when you know how the safe lock works.
green swamp water.
For roughly a decade, Bill & Co. could Do No Wrong. Darlings of the press, celebrated in every computer rag.
Once at the lake I was watching as a couple of drunk teenagers took daddy's boat around at high speed. Another boat got in front; the driver chopped the throttle -- and the following wave drowned the $5,000 highly chromed super duper engine. glug!
Or you might like Jeremiah better: They that sow the wind, shall reap the whirl-wind.
The word is schadenfreude. Look it up.
Regards,
Ric
The Melissa virus didn't exploit any security holes to do what it did. It exploited two things: users' willingness to blindly open documents and enable macros for them, and the power of Visual Basic for Applications.
Sure, there ARE security holes where no action by a user is required for the payload to go off, but as many people have pointed out, why bother? They're much more complicated to write, and you don't have to be that sneaky. People will open documents, executable attachments, etc. without thinking.
"Negligence in making a product safe to use"? Comparing software to cars? As long as we're talking about Melissa, let's do that. Microsoft (the car maker) enabled Person A to use his Word program (his car) to create destructive force that could be delivered to someone else's Word program (their car). Of course, they would have been safe, but they deliberately said, "Enable macros" (turn off my air bags).
Lastly.. could car makers do what Microsoft is/was doing and get away with it? How many alternatively-powered vehicles do you see in mass production? How many gas-powered? Why could that be?
--- Where's my X.400 protocol decoder?
OK... it's not like MS products have viruses themselves... no, somebody else plants it in there. Now, you can compare it to a car blowing up if somebody puts explosives under it... now that's a good one... you people just blindly attack MS - well damn it, I don't like them too much myself... However, the best solution for it would be to include Antivirus with Windows... but wait, that would be bad practice and everybody would damn MS for unfair competition! Kind of a double-edged sword, don't u think? ;)
Microsoft should be held criminally liable for distributing an O/S (and I use that term guardedly) that permits these kinds of violations. It's completely stupid, and it's their own damn fault. They mis-designed their system to make viruses rampant. This just doesn't happen on Unix. We're not idiots. Stop blaming the crackers when you leave your front door open with a loudspeaker blaring that you have expensive toys to steal on Christmas Eve.
In Clopen source, you email the world's software engineers the entire source code to your 1M+ LOC project. You then ask them to analyze your project and fix bugs, and do it all for free.
Then, if amazingly anyone actually cared enough to fix one spelling error in a sea of crash-and-exit bugs, you redistribute the source again, let Red Hat steal your code, let Microsoft steal your idea, and some foobar.com score an IPO with your idea *and* source, and then develop a drug habit.
Then after 5 years of killing brain cells, you go through drug rehab, earn an MCSE, make $100/hr modifying Visual Studio Wizard-generated code for an investment bank, and curse all Linux and Open Source users on public forums like /.
Yes, this is a double standard. Let's examine why.
First, the Melissa virus is possible due to the dominance of one specific piece of software on the average users desktop. The only open source equivalent to this kind of dominance -- that I know of -- is sendmail. It is not the same for a variety of reasons, but let's continue on for the sake of discussion.
Compare the closest open source equivalent "virus" -- again, that I know of -- that happened with sendmail to the Melissa macro virus. You will notice two interesting things. First, the CERT advisory for Melissa states: "This macro virus is not known to exploit any new vulnerabilities." Second, note the options they give for correction: block the mail, utilize virus scanners, and encourage users to disable Word macros. The free software solution would be to fix the problem at the source -- pun intended. In a free software environment the option to fix the problem is available, whereas in a closed source solution it is not. You have to wait for company X to fix the problem for you, and in the meantime, get by with blocking, anti-virii programs and the like. Since this problem is not new and any user that buys Microsoft products has to wait for them to deign to fix it, it would seem that there is a powerful argument for some culpability on Microsoft's part.
There are of course the issues that other people have mentioned here: no warranty, free software is not a "product" sold by a business (let us remember companies like Red Hat make money off the service, not the CD), etc. However, I think this is the central point. They have different standards because they are not analogous. You are not comparing like things.
Or to put it another way: Sure, a "thief" is responsible for his own actions. However, if I entrust the security of my home to some company, it seems quite reasonable to say that if someone steals something because that company left my door open, the company is also at fault.
For free software, you use it with the understanding that you are not entrusting anything to anyone so the same standard does not apply.
Cheers.
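The post above lists the CERT advisory's stopgaps (block the mail, run virus scanners, disable Word macros) as coarse measures a site must live with while it waits for a vendor fix. As an added illustration of the first of those, not code from the poster or from CERT, here is a small mail-gateway check in Python that walks a message's MIME attachments and flags any OLE2 compound document (the legacy Word container) whose directory names suggest it carries a VBA project. The OLE magic bytes and the storage names `Macros`, `VBA` and `_VBA_PROJECT` are real; the marker search is a heuristic substring match, not a full compound-file parser, and the sample messages and the `fake_ole` stand-in are constructed here for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Signature of an OLE2 compound file, the container used by legacy .doc/.xls/.ppt.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names Word uses for a VBA project. Compound-file directory
# entries store names as UTF-16LE, so we search for that encoding. Heuristic only:
# a real gateway would parse the directory instead of grepping the raw bytes.
MACRO_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "VBA", "_VBA_PROJECT")]


def has_vba_markers(blob):
    """True if blob is an OLE2 file whose raw bytes contain a VBA storage name."""
    if not blob.startswith(OLE_MAGIC):
        return False
    return any(marker in blob for marker in MACRO_MARKERS)


def scan_message(raw):
    """Walk a raw RFC 822 message; return one finding per attachment with macro markers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_vba_markers(payload):
            findings.append({
                "filename": part.get_filename() or "<unnamed>",
                "content_type": part.get_content_type(),
                "size": len(payload),
            })
    return findings


def fake_ole(with_macros):
    """Constructed stand-in for an OLE2 file: magic header, padding, fake directory names."""
    body = bytearray(OLE_MAGIC)
    body += b"\x00" * 504                       # pad to one 512-byte header sector
    body += "WordDocument".encode("utf-16-le")  # every Word file has this stream
    if with_macros:
        body += "Macros".encode("utf-16-le") + "VBA".encode("utf-16-le")
    return bytes(body)


def build_sample_message(attachment, filename):
    """Constructed test message (hypothetical addresses, not a captured mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(attachment, maintype="application", subtype="msword",
                       filename=filename)
    return bytes(msg)


SAMPLE_MACRO_MAIL = build_sample_message(fake_ole(True), "report-with-macros.doc")
SAMPLE_CLEAN_MAIL = build_sample_message(fake_ole(False), "report.doc")

if __name__ == "__main__":
    for raw in (SAMPLE_MACRO_MAIL, SAMPLE_CLEAN_MAIL):
        print(scan_message(raw))
```

The point of the check is the gap the post describes: it says nothing about whether a macro is hostile, only that a document carries one, so a site relying on it blocks legitimate macro-bearing documents along with the bad ones until the product itself changes.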
I disagree... having the ability to look deep into the product to check for possible problems is not the job of the consumer. Do you open up the seatbelt mechanism to make sure there are no loose hinges? I doubt it. You take it for granted. Same goes for software. Software engineers are simply unethical engineers. We put little clauses about "No expressed or implied" this that and the other because we're too lazy to use tcov etc.
After reading a couple of replies I thought that the attitude is not too prevalent - but continuing to read further posts shows that none of us here believe / think that anyone should be responsible for a problem in OpenSource software because it is written for free and distributed for a very low cost. Instead of making a blanket statement that says whatever happens it is your fault - maybe it should say blame it on the person whom you paid your hard-earned money to.
As I pointed out elsewhere - this argument makes perfect sense if we decide that only people who know how to debug the kernel should be using free software - who I don't think are too many.
So if any of this opensource "stuff" should be mainstream, someone should take some responsibility for it. It does not have to be the developers who write it for free or distribution sites that store it on their machines. If a person wants to get something for free - they very well know that they are responsible for what they do. But if someone pays some good money for it - they better get something that works.
I am pretty sure that most of the OpenSource s/w has far fewer bugs than the closed source ones - but nevertheless - before I run gcc - no one should expect me to go through the gcc source code and make sure that if I accidentally pass a -P option it will re-partition my hard drive.
As far as people who are buying a RH CD for $50 with all the OpenSource s/w are concerned, the only difference between Windows and Linux is Linux is cheaper by $40 and it is supposed to be a much better OS than Windows. But if we start telling them - yes we think the s/w you have there is perfect - but if your computer just happens to blow up because of one of those 1000 packages that got installed - it's not our problem - it's your problem because you did not go through the source code of the whole OS and all the 1000 OpenSource s/w that was in it to make sure that your machine won't blow up - I am not sure how many of those people who are trying to use Linux will continue to use it.
If a home user who pays $50 bucks feels this way what about companies that are dishing out millions of bucks - should we tell them OpenSource community thinks that along with those millions they should just put more to make sure all the things will work as expected.
I may very well be wrong - but just my 2 cents.
R
Does anyone know exactly what the extent permitted by applicable law is? (Maybe not, since a previous reply mentioned that much of this hadn't been tested in court yet)
Jack
The analogy to car makers (as given) is not valid IMHO. Car makers are NOT responsible for keeping people from tampering with the car and making it unsafe... Car makers are not responsible for keeping people from breaking in and stealing your stuff. Of course, the more secure cars tend to sell better to people concerned about security... but you can always (almost) break a window...
Now, arguing that the analogy DOES make sense (as I believe):
Microsoft (as a software development company) is not responsible for providing security. They ARE responsible for not intentionally giving a false sense of security. (How many people leave thousands of dollars worth of stuff in their car in plain sight over night? How many people leave their entire businesses on an unsecured computer? I think the numbers are VERY different, and MS does advertise its software as secure)
Now MS as a *support* provider IS responsible for admitting security flaws and fixing them as quickly as possible (if they make the claim that their software is secure). At the very least, they should post a "dangerous activities" list (such as opening certain files from e-mail), a list of known bugs and possible suggested workarounds, and possibly supply a security manual with the software. OSS developers are NOT responsible for providing support (generally), as that function is usually handled by a third party, so in a perfect world, they would be immune from 'flawed security' lawsuits.
All of you OSS developers should continue to include disclaimers, though... The world is not perfect, and you COULD still be liable for damage that occurs without sabotage from a third party... (assuming that there was no legally valid disclaimer)
Is Microsoft responsible because some guy wrote a little macro virus and loosed it upon the unsuspecting world by mistake? I mean really, if a plane is blown up, does the airline sue Boeing? If people are going to buy the software (board the plane, etc), they should understand that the potential for damage exists.
Closed source is important to certain entities (i.e. the US Government) who need to know the exact product they're getting. Yet another incentive for Open Source software companies to make boxed versions of their products and put them in stores. |Offtopic alert| A certain percentage of computer users will never truly understand computers. Why try to force them to learn? Just make using Linux as seamless as the Windows "one-click to AOL" for them. Let them enjoy and support open source without knowing what it is. -Andrew
Disclaimers don't really mean anything. Banks disclaim everything (I know, I work at one) but if someone sues us, a judge has the final say.
What needs to happen is someone big enough to sue someone big enough on software stability and have a precedent set. This won't happen because no one big enough wants the situation to change because any liability created by the case would apply to them also.
It would be nice and we can dream that some day people/companies will be responsible for their own actions.
Note: I agree companies should be more responsible but they should not be scapegoats. E.g. Doom caused kid to kill.
Citrix
Leknor
http://Leknor.com
"So many idiots, so few comets"
I'm paid to hack linux kernels and compilers. I've installed Redhat 4.2, 5.0, 5.1, 5.2, 6.0, and even 6.1, all in several different ways. I've even rebuilt entire Redhat installation disks with variants of the C compiler. Always, I was given the explicit option to specify which partitions to overwrite during an install, and which to leave as is.
Thirty minutes ago, or so, I attempted an install of Redhat 6.1. When it started installing, but before I noticed something was strange and CTL-ALT-DEL'd it, it had repartitioned the first disk completely, mke2fs'ing all the tiny little bizarre extended partitions (not even using the last cylinder [?!?]). The second disk now has no partition table, and a really strange looking geometry. The data on the first disk is probably mostly hosed, but hopefully the very very important data on the second disk is recoverable, though probably expensive.
I claim this is grosser negligence on Redhat's part than Melissa was on Microsoft's part. There was no apparent intent by Microsoft for there to be a Melissa virus, but there was apparent intent on Redhat's part to repartition and mke2fs ALL of my disks, something they have never done before. And a worse nightmare than I've heard of Microsoft doing to Linux partitions (never to me).
So, is it bad only when Microsoft screws you, or is it also bad when Redhat screws you?
PS. I'm taking the night off while my mind boggles. I'll look into spending serious money recovering what I can tomorrow.
Careful. Some states have an understanding of an implied warranty, and this cannot be waived.
If someone sells you a combo lock with only three possible combos ("pick an integer between 1 and 3 inclusive"), and you get broken into, then obviously the burglar is guilty of one thing, but the manufacturer of something else. Both are guilty. In this case, the cracker and Microsoft.
With Open Source software, there is typically no warranty as to the quality or fitness for a particular purpose. But that's OK because the user is not required to pay for the product and is permitted to inspect it and modify it should the quality or suitability be lacking.
The GNU license permits a seller (who is not necessarily the developer) to offer warranty protection. Which means that if you want someone to blame, you just have to find someone who is willing to sell such warranty protection for a given product.
The Microsoft model doesn't permit the user to inspect the software and make improvements. Nor does it create a business model for third party vendors. What I mean is, you could sell warranty protection for Microsoft software but you would be crazy to do so, not having any power to actually resolve an emerging issue.
In other words, there is fairness in the Open Source world. I'm not going to guarantee that this program works, but neither will I twist your arm with a draconian license that doesn't permit copying, withhold the source code from you and charge you good money. If you are going to pay money to me, then, unlike say Microsoft, I'm going to stand behind the software.
This is like saying that if I developed a way to destroy a car with relative ease, the auto manufacturer would be at fault.
This is total crap, in my opinion.
--
Insert Witty Sig Here
IANAL. Liability (and negligence) is probably best described as "You knew about the problem yet did nothing (took no reasonable precautions)". So if I sell a piece of software and I do not take reasonable precautions (for its purpose) then I would be liable (barring user negligence).
Let's compare heavy machinery. If I make plans and give them to you for free (provided I don't make claims on it) then I am essentially liability free. If I'm deliberately malicious, then I might be liable.
However, if I assemble/build said machinery and charge for it then I must provide minimum assurance of the quality (after all, I charged for my services/expertise). If I make claims on top of that I am liable for those as well (e.g. machine will operate indefinitely sans maintenance).
For example, the plans contain an unlabeled/undocumented switch that when pressed instantly kills the operator and I put it there deliberately with no other reason than to cause harm. Then it could be said I was at least partly liable. I might be able to disclaim liability for negligence if I claim that it is untested/dangerous and I was not malicious (e.g. leaving warning labels off).
Another example. I build/assemble the thing and sell it. I take reasonable precautions to make it safe (warning signs, guard rails) and I don't make unreasonable claims on the machinery. Then my ass is covered if someone gets hurt.
You don't exist. Go away. --SysVinit Halt
Who would be to blame if it were to happen? The whole open-source community? And besides, if you provide something for free (so long as it is not an eye poker or something like that) how can you be held responsible? People are stupid :)
I need to do my laundry
Please send $3 to:
Jon Allen
p.o. box 308142
This doesn't make sense.
We spend hundreds of dollars a year keeping our car running. We get oil changes, tune-ups, and "preventative maintenance" done on our car. There are companies that do nothing BUT this sort of repair work for something that costs about $30,000. Plus you need a license to use it.
Now how come I can't return my car for a full refund when the steering breaks? Or when the blinkers go on when I turn the radio on during some cold days? Can I blame Toyota or Ford when my car stalls? Is that their problem?
NO!
And it shouldn't be.
Otherwise our cars would cost hundreds of thousands of dollars, if not millions.
So if you want to compare your computer to your car, think about it some more. My computer cost $3,000 and it's been through as much hell as my car. But my car I have to take to an authorized dealer for inspections and repairs every year. My computer has been working fine without that since the day I put it together.
"My mom doesn't know why her Windows keeps crashing. Hence Microsoft's standards are too low and Windows sucks."
Hello? Your mom wouldn't understand why your car stalls either. She'd bring it to a repair shop.
If her computer crashes, what does she do? She tries to fix it herself (making things worse) or calls you (making things worse).
We need:
- LICENSE to use a computer
- LICENSE to fix computers
- CERTIFIED computer repair shops
Or tell your Mom to buy a mainframe. Like a million-dollar car, it won't stall.
In the specific case of the Melissa virus, Microsoft's mistake was to make an e-mail client which by default makes it possible for anyone to execute arbitrary code on any Outlook-equipped machine through an e-mail message. The question here is not liability, but plain bad design. It stems from the fact that in the Windows environment security was added as an afterthought. Ideally, consumers should understand this kind of fact and demand better design by changing to a competing product. The only thing preventing consumers from doing so is the monopolistic characteristics of the Microsoft business. Hopefully this will end up happening anyway as the computer industry matures, as has been pointed out by someone else here.
Or.. whatever the correct spelling of that is. Regardless, when it's software, let the buyer beware. These people should be making informed decisions. It's their own fault for compromising and buying a product they know to be flawed. Let me explain. In the role of a consumer, it's my role to make an informed purchase. I would never buy a game without reading a couple of reviews from decent magazines, talking to a couple of people who had already played the game, and playing the demo (where applicable). Only after all this is kosher will I pick up the box. This same tried and true method holds good for everything from restaurants and movies, to prostitutes and narcotics, pretty much anything where you can get burned. Of course... my life would become completely stagnant if I followed this course forever. So I often bypass all the reviews and whatnot and go on intuition. If it's good.. great. Maybe I'll do it again. If not... it's my own fault for not doing my homework. So in this situation, I think of Microsoft as a hooker. Sure.. you could just walk up to it on the street, toss your 90 bucks at it, and do your business. You'd get what you deserve, you filthy bugger. But... if you had taken the wise approach, you would have noticed that the makeup cracks easily :), it covers up what is essentially rotten and ill crafted, your friend thinks she might be a narc, and the surgeon general wants you to know your chances of viral infection are high. So.. by taking the easy route and going after the glitz, you've wound up busted, diseased and disgusted. Not good. Now think of your nice little FreeBSD install as the girl next door. Sure, it doesn't look as good as the hooker does (from about 20 feet away anyhow), but she's open, not hiding anything. It's gonna take you some work to get her to do what you want, but after the initial learning period, you'll find that she's much more dependable, enjoyable, and ultimately satisfying than some cheap tramp.
You can have an honest, meaningful, and most of all, secure relationship with her. Or for those of you who see things better in hardware terms, it's like this. I bought a cheap IDE CDRW. I read reviews telling me to get SCSI. I had friends tell me to make sure it was supported by the burning software I wanted to use. I knew in the back of my mind that I'd be better off coughing up 50 bucks for a SCSI controller and biting the bullet then, than having to deal with problems later. But I didn't. I bought a cheap, buggy, unsupported burner, because it was cheap and easy to learn. Now, when I spent a month burning a coaster every 4 good discs, and ultimately had to cough up the cash for a real drive and the controller, as well as all the cash I blew on those CDs and the loss I took on the resale of the CDRW, who do I blame? Am I suing the company for making a crappy product? Hell no. I'm kicking myself, not them. I took the easy road, and I paid for it, just as all slackers eventually must. So.. don't blame a hooker for being what she is. The guy who gets VD because he was too lazy to find a real woman deserves exactly what he gets. And the companies and consumers who got burned here did so because they didn't bother to find out about and learn a real OS. Their own fault. =-=-=-=- l0de | =-=-=-=- "Duplicate id? BArgghHhHH!" l0de@hotmail.com
To me, the issue isn't that MS is the bad guy and OSS is the good guy, but rather the response to safety and security "issues".
I think that due diligence for software faults lies in a) acknowledging problems when they occur, b) fixing them rapidly, or if not possible, at least suggesting a workaround, and c) releasing the fixes or workarounds to the customer as quickly and publicly as possible.
Open Source Software has a tendency to do all of these reasonably well. More and more, OSS projects are having publicly accessible bug tracking databases, reasonably fast turnaround for security bugs, and a fast enough release cycle (esp. for patches) to fix most security bugs rapidly.
With things like BUGTRAQ, CERT, and other mailing lists and security-advisory sources, most Unix-based systems (Linux, *BSD, Solaris, HP-UX, etc.) are fairly good at reacting quickly to a known problem -- the RTM Worm woke them up to the foibles of ignoring security issues -- and they do do a decent job of alerting their customers.
Microsoft isn't entirely negligent -- a quick scan of BUGTRAQ showed a lot of MS-related security bugs, and many of them had MS patches. I think where MS fails is making those patches known to the public.
Another possible pitfall for liability is negligent design -- designing something that should be obvious is a problem. From a "real world" security standpoint, this would be like putting a dimestore lock on a bank vault.
This is where I think that fundamental differences between OSS and MS come to the foreground. A very large percentage of OSS software is designed to run on Unix-like systems, where underlying OS security issues have been considered, studied, and beaten on for nearly 30 years. It's very hard to accidentally code a general system exploit for a program designed to be run as a user. And if an exploit is discovered on purpose, it's a bug in the OS, and is treated as such. Among other things, this creates -some- inherent resistance to viruses. Unix security is generally good, but not perfect. Unix has a reasonably high-quality lock on the bank vault.
On the other hand, MS Win95/98 isn't really designed with security in mind. At a fundamental level, the OS is open to any meddling that any program wants to do. On top of that, MS has added "features" that become reasonably trivial to exploit to create security issues -- MS Word macros, ActiveX controls, etc.
For years, security experts have been telling people that the "Good Times" virus is a hoax -- that you can't get a virus from just reading an email, you have to run a program to do it. MS managed through their "features" and "enhancements" to make "Good Times" possible.
It's like MS, not content with putting a dimestore lock on the bank-vault, decided to put a plate-glass window on the vault so people could see their money from the sidewalk!
I don't think I have a double standard with regard to negligence, but I think that, in general, OSS software tends to meet my standards more than MS does.
It is a bad idea to make M$ liable for bugs in its software. Yes, they will get sued and probably clean up their software a bit, but eventually someone is going to have something bad happen to their computer from open source software. Then they will sue everyone that they can think of (aka all the people who worked on the project) and open source hackers will be held responsible for their software too. Thus screwing everyone.
Never underestimate the power of stupid people in large groups.
When you buy a product or service you expect that the product performs as indicated or as promised. This goes the same for medical care that you receive from a doctor or physician.
Now contrast this to the services given by non-profit agencies / people. For example, let's say that you drop dead in a mall and have a heart attack because you have been eating Big Macs for decades. Along comes someone who knows CPR. This stranger is protected under the Good Samaritan act, so he/she can try to help you without seeking legal counsel and signing all the proper documents, and not have to worry about a lawsuit as long as he/she tries his hardest.
This is the way that open source should be classified, unless someone (like RedHat) specifically binds themselves into an agreement where the entity promises a service.
Also, if anyone has ever bothered to read the documentation with a lot of open source software they would soon realize that the disclaimers often blatantly state that the programs are "use at your own risk" programs.
> ERROR: IEXPLORE caused an invalid page fault in module MSCONV97.DLL at 0137:01212d19. Stack dumped:
As you will be reading in the news in the next few days, Hotmail was down because passport.com went down (passport.com is used to authenticate users). Passport.com went down because (listen carefully) Microsoft was late paying the $35.00 domain registration fee to Network Solutions Inc. and NSI removed the IP from the DNS. Even the big guys have to pay their bills.
We're not ragging on MS. They do a good enough job of tripping on their own feet (read: MS Bob). We're just around to point it out when they do.
_________________________
It's possible to have a powerful macro language that also has a good security model. Microsoft failed in its due diligence by ignoring security rules that have been observed in computer science for decades when they made the decision to deploy VB into an application it wasn't designed for.
_________________________
If I sell you a bill of goods but don't misrepresent it - and give you opportunity to validate my claims - well buyer beware.
That is counted as your stupidity.
If I sell you a bill of goods but I did misrepresent it and you really had no chance to validate my claims - you have me to rights.
That is counted as my taking advantage of you.
OSS is no different than selling used cars. I can sell a used car without telling you about some problems and it is your problem if you buy it from me. What? You are not competent to identify those problems? Sorry - that is why you have the right to get the car inspected by an independent mechanic or to bring in a friend. If you didn't do that, that is your problem.
So whether or not you have the skills to evaluate software, you can hire someone with said skills, so failure to do so is your problem, not mine.
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
I have had three different mass-produced alternatively-powered vehicles. They were all 100% ethanol powered cars made in Brazil.
Generally to prove negligence you have to show that the accused knew the product was unsafe, or the problem was obvious enough that they should have known.
So, I think what is the point is that peer review should work out all the obvious problems. That is the point of beta releases, and opening up the source. If I miss something obvious, then hopefully my peers will be able to find it and correct it.
I also don't really think that Microsoft, or any open source developers, can really be held liable for misuse of a software package. It wasn't negligence on their part. In fact it was a misuse of desired functionality.
The actual argument, as posed, is akin to trying to hold a car manufacturer liable for negligence, because their car was a 1 ton bullet in the hands of some psychopath. Nothing mechanically was wrong with the car, it functioned exactly as intended, but the guy in the car wash heard voices, and sped across the street, smashing his car through another store front. This actually happened, and it would be ludicrous to think that the specific car manufacturer was to blame.
Microsoft Outlook isn't specifically dangerous or harmful, it is just easily abused. The next thing the original poster will call for is prohibition, since it is obvious that alcohol is harmful to the public as a whole, using evidence of all the drunk driving deaths, domestic violence, and other social ills of its abuse.
You gain the right to redistribute my software.
I gain the guarantee that my wishes are respected regarding the distribution of my works.
Read the GPL closely, you don't need to agree to it to use the software, only to distribute it. In other words it isn't the act of downloading that is the point of agreement, it is the point of putting it on your ftp site.
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
What is this word "consumer" you use... the whole point of GPL and other such licenses is freeness. If software is free you're not buying it. And 99.9% of computer usage is not quite as important as a life, which could be put at stake by this loose seatbelt. The other 0.1% generally writes their own software. The writers of those pieces of software are always held accountable, they lose their jobs if their software fails.
Restating the obvious since nineteen aught five.
Computers are nice little distractions; however, they are not center of the world, nor are they the kind of tool to be used in a potentially life or death application.
Ask any programmer. Bugs are. It's a simple fact of life. Ask any mathematician. Proving programs correct in the context of human use is next to impossible. Ask any user; they think Microsoft code, tools and products are fine. Ask Microsoft:
"Uh, we seem to be making money hand over fist and that's alright by us". Ask Ralph Nader. Prosecuting software companies for negligence is like trying to get a fat man through the eye of needle.
Good enough code rules the day.
It will always be that way.
When computers are used in an application that kills people (in such a way that it is provable that the computer code is directly to blame), the tool integrator should be the one held responsible. So, if a WinCE-controlled elevator mangles some 3 year old because the code doesn't take into account a 3 year old's body heat, shortness, body weight, etc., don't blame Microsoft; blame Otis, Schindler or whoever was stupid enough to integrate a computer into a life and death application.
The analogy between automobiles and computers is asinine. Let me tell you where that bad habit is headed:
In 20 years, the government will start withholding Internet2 development funds (obtained from the USPS e-mail tax) from states that have not yet implemented a 16 year old age limit for uncensored internet access.
Stupid, right? Keep talking in analogies and it (or some minor variation on that theme) will happen.
Moralists and philosophers seem to like using analogies with computers and networks (don't go around door knob twisting and what not). Hopefully, in 20 years or so, all the young ones will be running around spouting anti-analogies like "computers are not like houses because... " just to piss off the old folks who tried to brainwash their future. Every era has a period marked by a distinct lack of wisdom and we are currently stuck there. This will change and you will not like it, but that's what getting old is all about.
Open Source computer products are probably best thought of as a "Consumer Reports" method of product development. Namely, put your shit on the street (including the ability to change your shit) and see if quality blooms from your philosophy. Should Open Source developers be held responsible for bad things that happen because of their model? No, in the same way that if Consumer Reports flips a Samurai while doing product testing they don't sue Hyundai. (oh shit... I just made a bad car-computer analogy... so, sue me).
But, I digress... Let me get back on track...
So, what I think we need here is a catch-22, 69ish, common sense rules involving darwinistic elimination (something which lawyers and government seem so very intent upon removing from our daily lives; which is funny because they can't... but it gives them something to do, eh?):
To computer and code manufacturers:
Don't worry about quality. Churn out the crappiest code the market will bear. If possible, staff projects with third-world developers in sweat-shop environments with impossible delivery schedules so they just don't give a flying shit about usability or quality in general. You're essentially manufacturing a product whose only cost to make is the monetary ability to create the illusion amongst the workers that, without you, their ideas would never see the light of day and they would be digging ditches in some hunter-gatherer based culture.
To manufacturers of tertiary products:
Thou shalt not use a computer in a product that could adversely affect human beings. If one does, then one accepts full free market responsibilities for the consequences of human use of that product.
To Users/Consumers:
Thou shalt not use a computer or product that utilizes a computer in such a way that your very life or any other important aspect of your life becomes dependent upon it. If you do, you accept full and ultimate responsibility for bad things that happen to you while using said product. If you are killed in some particularly ignorant and spectacular application of computer technology to your daily life, we will think about giving you a Darwin Award as a consolation gift.
To Open Source developers:
Don't give a flying fsck what the Moralists and Philosophers (and lawyers and politicians) think. When they start paying for their code, they can have some input (ha! I like that little bit of irony). Until that time, they're just a bunch of annoying flies attempting to distract you from what's really important: code or die. If society (lawyers and government in particular) starts getting stupid on your ass, then stop putting your name in the comments. I mean, like what are they going to do? Shut down the internet? I don't think so.
Every contract, license, and waiver has this sort of clause in it. They are useless and meaningless in the area of negligence.
I can not sign away my right to operate in a reasonably safe environment. Even if I sign a waiver like this, because I am going to be doing something particularly dangerous (i.e. like paintball), and the course owners have dug a punji stick pit, and covered it up with leaves etc., and not bothered to tell anyone, when I fall in that pit, even though I signed that waiver, they will get sued, and I will have my medical bills paid for. (Other people might also get rich, but I wouldn't sue for punitive damages, against my ethic)
That is the way the "APPLICABLE LAWS" part of that clause protects you, the consumer, because there are consumer protection laws, as well as tort injury laws in every jurisdiction to keep non-lawyer consumers from signing their life away.
Also, I think the whole point of negligence is a bit overblown to begin with. Microsoft shouldn't be held responsible for a bug that was exploited. Everyone brings up the car analogy, but what this is really equivalent to is if GM knew that their gas tanks were vulnerable to people shooting at them. They may be safe in every other way, but if someone attacks the gas tank directly, it will explode. No one would ever think of holding GM responsible because someone shot at the gas tank. If someone finds a bug and attacks it directly, they may make it through, yet we want to hold MS partly responsible? It seems to me if something is exploited, it's the exploiter who is at fault. If MS had put the bug in there on purpose (as a backdoor or something), then they could be held responsible, but if it's a bug someone exploits I don't see how they are responsible.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Don't you ever get the urge to tell the license lawyers to stop shouting? ;)
Linguistic games, I love it. :)
There is no "proprietary source code"... only non-disclosed-source-code. No bad, just ungood.
Disclosed source-code, however, sounds so ugly. Open is such a pretty, pleasing pair of syllables, so fitting to name a company with....
No disrespect intended, of course, I just personally think that the negative spin implied by "non-disclosed-source-code" is pretty nice. Of course, using disclosed source code to refer to open source would even that playing field nicely, i suppose.
No software, no car, no bridge will ever be built without errors. But that doesn't mean those errors are okay and no one should take the blame.
The problem is the software industry, and the unwillingness of software engineers to act as other engineers do.
** The virtually identical indemnity statements in Microsoft and GPL licenses
** The practice of issuing serious error patches which are the user's responsibility and expense to find and obtain.
** The severity of known errors that many software products ship with.
all show that time (money) is valued over quality.
Often, quality means safety. Aircraft engineers at Boeing know lives depend on the quality of their work, and their engineering reflects it. Lives depend just as much on many software programs.
Open Source encourages quality - mostly when the community on a single product is large enough to create an environment where engineers value the reputation of the code they produce. Such an environment is also quite possible in closed-source, and there are plenty of quality closed-source products to prove it.
Another aspect necessary for quality is liability for errors. Have product liability lawsuits enriched lawyers and led to ridiculous awards? Yes. Have they also improved the quality of medical care, consumer products and so on. Yes.
Open Source needs to stand up and say, yes, there is someone to blame when the software engineering has been negligent. Hopefully companies like Red Hat will do this.
As the importance of software in the world increases, inevitably society will wake up. Something like Ralph Nader's "Unsafe at Any Speed" will be published, and the software development model that triumphs will be the one that produces the highest quality software.
I had hoped the Y2K error would cause society to look harder at software industry practices; instead quite a bit of lobbying was done to create a political solution.
I'm actually not an Anonymous Coward, I'm Peter Carlin (peter_carlin@hotmail.com).
Open Source developers can not be held accountable for the simple reason that we are not saying "This works... trust me". Open Source developers give every chance, and in fact encourage people to look at the source code, see that it does what I say that it does. Then YOU run it. This is very much akin to saying "I didn't build this car, but I was given the chance to tear it apart down to its last bolt and make sure it worked like I want it to, and if not I can change it"
Damn straight! When someone buys Microsoft products, they know what they are getting into. All this whining about Microsoft products executing arbitrary code sent to them has been going on for years. When these products first came out, it was Microsoft's fault. But it's old news now. If you buy a known defective product with the expectation that when (not if, but when) it blows up, you can just sue the maker, then you are the negligent one. These products all come with a warning label in huge letters: the Microsoft trademark. How can a person possibly pretend they were ignorant of the danger?
I bet more people know about Microsoft these days than even the Ford Pinto.
The best way to improve software quality is for people to start taking responsibility for their decisions. If you buy an Internet product for your company from Microsoft -- a company with an established reputation and a known and consistent track record of repeatedly making horribly defective product after horribly defective product -- then you should get fired. It's as simple as that.
For people to keep blaming their problems on Microsoft is immoral. It's 1999 and if you're still using Microsoft products, then you deserve what's coming to you.
It's like you buy a '74 Ford Pinto, and it blows up and kills your son. That's bad, and it shouldn't have happened. You go to the pub to drown your sorrows in beer, and everyone else is also talking about how their Pintos also blew up and killed a loved one. Then you buy another Pinto. It blows up and kills your daughter. You buy another one, and it blows up and kills your wife. Who is your wife's ghost going to haunt: Ford, or you?
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Something just dawned on me.
Doesn't the claim of inclusion of patented technology in a software product elevate that product from mere 'publication' to the status of 'mechanism', and bring down all of the various liability scrutiny that any other 'machine' would fall under?
GPL software uses no such spurious patent claims and would thus be immune.
I wonder if this liability argument could be brought to bear in regard to the whole software patent controversy. It would seem that if I claim patent protection for my software, then I MUST assume consequential and incidental liability for its failure, since, by having patented it, it's no longer *merely* software. It's a full blown *product* like a toaster or an automobile.
If it fails, I should then be liable for any damages or losses such failure causes.
If I were in charge of risk assessment for a large software concern, the LAST thing I would want would be a bunch of patents hanging about making 'claims' about our products that then could be used against us later in court. We'd go down in flames, fueled in part by our own public documents and hubris.
IANAL, but I've seen legal arguments like this hold a lot of water in the past.
Critiques of my reasoning are welcomed.
Brak: What's THAT?
Thundercleese: A light switch.. of TOTAL DEVASTATION!
Keep in mind that the more secure a system is, the less usable it is and vice versa. The most secure system in the world is one that is not connected to the Internet, guarded by a steel cage, and turned off. But of course we wouldn't want to use a system that we're not permitted to even turn on. The reason why Microsoft was vulnerable to the e-mail virus is because Microsoft had included a number of features in their e-mail package and in their word processing package to allow end-users to write simple macro scripts, and execute them as they open a file. These are considered features that make the software more flexible, more adaptable, and potentially more powerful. Combine this with the fact that Microsoft products for good or for ill are so wide-spread, and this flexibility and adaptability opened the door for an e-mail virus. Lest we think that Microsoft is somehow "evil" in taking the "more flexible" approach over the "more secure" approach, keep in mind that the fundamental design of TCP/IP also suffers the same shortcomings and for the same reason: security was not added at the IP and UDP levels, or even at higher levels at first, because researchers were more interested in making the system flexible and usable than they were in making the TCP/IP protocols secure. Thus, things like DoS attacks and spam e-mail...
Is Microsoft responsible because some guy wrote a little macro virus and loosed it upon the unsuspecting world by mistake?
I could almost agree with you on that one. Almost. Except, why would you allow code to be executed automatically when an e-mail is read from ANY unknown source? And provide no way to either say "Ok, I don't want these auto-execute macros to EVER be run" or "Only run auto-execute macros if the messages are from one of THESE addresses" or similar. It's really an invitation for stupid things like the Melissa worm (worm, not virus) - it facilitates such stupidity so as to make it ridiculously easy to do. Isn't this a poor design choice?
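What the gated macro facility asked for in this post (and in the earlier post arguing that a powerful macro language can still have a good security model) looks like in practice, as an added example that is not part of any post above and not Microsoft's or any vendor's code: a toy document-macro interpreter in which every operation is a capability the policy has to grant, and in which auto-execute macros are either never run or run only for senders on a list. The macro syntax, the AutoRun/Policy/Document names and the sample macros are all constructed for illustration.

```python
# Added example, not code from the original thread: a toy document-macro
# interpreter whose operations are capabilities a policy must grant, and
# whose auto-execute macros are gated by a user policy ("never", or "only
# from these senders"). Syntax, policy names and samples are constructed.
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class AutoRun(Enum):
    NEVER = "never"            # auto-execute macros are never run
    ALLOWLIST = "allowlist"    # run only when the sender is explicitly trusted


@dataclass
class Policy:
    auto_run: AutoRun = AutoRun.NEVER
    trusted_senders: frozenset = frozenset()
    # Side-effecting ops such as sendmail are absent by default: explicit grant only.
    allowed_ops: frozenset = frozenset({"set", "concat"})


@dataclass
class Document:
    sender: str
    autoexec_macro: Optional[str] = None    # macro text that would run on open
    vars: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


class MacroDenied(Exception):
    """Raised before any statement runs if the macro needs an ungranted op."""


# Constructed syntax, one statement per line; lines starting with ' are comments.
#   set NAME VALUE        vars[NAME] = VALUE
#   concat NAME A B       vars[NAME] = vars[A] + vars[B]
#   sendmail ADDR NAME    would mail vars[NAME] to ADDR (only recorded here)
STMT = re.compile(r"^(\w+)(?:\s+(.*))?$")


def _op_set(doc, args):
    name, value = args.split(None, 1)
    doc.vars[name] = value


def _op_concat(doc, args):
    name, a, b = args.split()
    doc.vars[name] = doc.vars[a] + doc.vars[b]


def _op_sendmail(doc, args):
    addr, name = args.split()       # a real host would hand this to a mailer
    doc.audit.append(f"sendmail {addr} <- {doc.vars.get(name, '')}")


ALL_OPS = {"set": _op_set, "concat": _op_concat, "sendmail": _op_sendmail}


def run_macro(doc: Document, policy: Policy) -> dict:
    """Check every statement against the granted table first, then execute,
    so a macro needing an ungranted op gets no partial side effects."""
    table = {op: fn for op, fn in ALL_OPS.items() if op in policy.allowed_ops}
    program = []
    for lineno, raw in enumerate(doc.autoexec_macro.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("'"):
            continue
        m = STMT.match(line)
        op = m.group(1) if m else line
        if op not in table:
            raise MacroDenied(f"line {lineno}: operation {op!r} not granted")
        program.append((lineno, table[op], m.group(2) or ""))
    for lineno, fn, args in program:
        try:
            fn(doc, args)
        except (ValueError, KeyError) as exc:
            raise MacroDenied(f"line {lineno}: bad operands ({exc})") from exc
    return doc.vars


def open_document(doc: Document, policy: Policy) -> dict:
    """Gate the auto-execute macro on policy, then run it under the table."""
    if doc.autoexec_macro is None:
        return {"ran": False, "reason": "no auto-execute macro"}
    if policy.auto_run is AutoRun.NEVER:
        return {"ran": False, "reason": "policy: auto-run disabled"}
    if doc.sender.lower() not in policy.trusted_senders:
        return {"ran": False, "reason": f"policy: sender {doc.sender} not trusted"}
    try:
        run_macro(doc, policy)
    except MacroDenied as exc:
        return {"ran": False, "reason": str(exc)}
    return {"ran": True, "reason": "ok", "vars": dict(doc.vars)}


# Constructed samples: WORM_MACRO has the shape of a mass-mailing payload.
WORM_MACRO = ("' re-mail this document to everyone in the address book\n"
              "set subject Important Message\n"
              "sendmail all@address.book subject\n")
BENIGN_MACRO = "set greet hello\nset who world\nconcat out greet who\n"
TRUSTED = Policy(auto_run=AutoRun.ALLOWLIST,
                 trusted_senders=frozenset({"colleague@example.org"}))


def demo() -> dict:
    return {
        "worm_default": open_document(Document("stranger@example.net", WORM_MACRO), Policy()),
        "worm_allowlist": open_document(Document("stranger@example.net", WORM_MACRO), TRUSTED),
        "worm_from_trusted": open_document(Document("colleague@example.org", WORM_MACRO), TRUSTED),
        "benign_from_trusted": open_document(Document("colleague@example.org", BENIGN_MACRO), TRUSTED),
    }
```

Two design choices carry the security argument. The sender check happens before any macro text is parsed, so the default policy gives an unknown sender nothing to exploit; and `run_macro` resolves every statement against the granted table before executing any of them, so a macro that needs `sendmail` is rejected as a whole rather than running its harmless prefix first. Granting `sendmail` is possible, but only by naming it in `Policy.allowed_ops`, which is the opt-in the post is asking for.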
A certain percentage of computer users will never truly understand computers. Why try to force them to learn?
Well, wouldn't it be nice if things were so simple. Unfortunately, to ever be able to make real use of a tool like a general-purpose computer, you must have some understanding of what it does, and how it does it. (IMHO.) There are those who skate by without it, but they can never really master any skills. They'll always be at the mercy of the software vendors. Linux is about (IMO) getting away from being at the mercy of the vendors. Not catering to the lowest common denominator of the computer-using world - those are the kind of people who need to be spoonfed information, and who'd be better off using a Mac. (Once again, IMHO.)
You may think I'm being too hard on the general public - but the general public needs to wake up and learn to be independent again. People are getting too dependent on businesses and other people to take care of everything for them. Many of them couldn't use Linux - because they'd never take the time to read the directions and understand what they're doing, they'd much rather have everything spoonfed to them. And as I said above, for those kind of people, the Macintosh is perfect. You lose flexibility and some stability, but you get a pretty GUI that does all the "hard" stuff for you.
For me, however, I'll stick with Linux.
</SOAPBOX>
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Legally, I doubt either Open Source programmers or Microsoft can be held responsible, provided that both of them release their software under licences and user agreements that absolve them of any responsibilities. Morally, Open Source programmers cannot be held responsible because they give you the source code, so even if they release crap (yes yes I know crappy OSS is unheard of) it's up to you to ensure that it works correctly. MS on the other hand sells you a product that you cannot fix, so they are completely, morally, responsible for any problems caused by poorly designed software.
Disclosed source-code, however, sounds so ugly. Open is such a pretty, pleasing pair of syllables, so fitting to name a company with....
Not being Mr. Perens, I can't say for sure, but it seems to me that he used "Disclosed source-code" rather than "Open Source code" purposely, since there is a difference between the two. His arguments apply to any situation in which the source code has been disclosed. This source code, however, is not necessarily "Open Source." For example, code licensed under the SCSL (Sun's not-quite-Free license) is disclosed to the user, but not Open.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Of course it's virus/virii, just like radius/radii. It's a Latin thing, I think.
Sometimes it makes sense to talk about that without licensing coming in to the picture.
You are correct that all cases of non-disclosed source code are probably proprietary. But my argument didn't rest on the license being compliant with the Open Source Definition, so there was no point in bringing Free/Proprietary into it.
I hope that makes it easier to understand.
Thanks
Bruce
Bruce Perens.
Difference: A combination lock claims security. Microsoft win98 doesn't.
Restating the obvious since nineteen aught five.
And you, of course, are a Microsoft user.
If the software was running as the only task on the system... yeah, that might be a valid point. Is Microsoft responsible when a 3rd party driver collides with another? Most of the stability problems of Windows have to do with 3rd party drivers. Of course, any application problems usually stem from the app developers first, and then OLE's implementation and easy corruption second.
Command-line Linux is as stable as a rock, but have you run KDE, GNOME, or Netscape? If software developers are going to be liable, you better believe all software will fall under the gaze of lawyers. In those instances, it's going to be the project maintainer or named coders who will lose their homes. Then we'll have licenses and malpractice insurance....
Just open the door a little and it cannot be shut again. It is the litigious nature of the American beast which makes me secretly hopeful the UCITA will pass.
Depends really. If a plane blows up because of a flaw in Boeing's design, they are liable. If it is blown up by a terrorist bomb, then airport security is liable. What we are trying to say is that there is not enough security in several expensive products. Why should a virus in a word processor be allowed to screw around with your system? The user should be given some measure of protection from malicious individuals. Win95/98 have no protection against them, and NT isn't a great deal better, despite having been 'designed from the ground up with security in mind'.
Of course, the failure to pay the $35.00 registration fee has little to do with Microsoft's core business, producing software.
But that won't stop the Microsoft haters from adding this to their arsenal. They will just see the headline on slashdot and assume Microsoft released some faulty software.
Sort of like how the APPLICATION which ran the naval ship crashed because of a divide by zero error, and Microsoft got to take the blame because the application happened to be running on Windows NT.
Or maybe it will be placed alongside the "fact" that Microsoft attempted to move Hotmail to Windows NT servers, but failed because Windows NT couldn't handle the load (a myth, which never happened).
Or maybe this will be right next to the Melissa virus in the Microsoft Hall of Shame, when a security bug in Microsoft products caused a minor security problem (though completely dwarfed by the internet worm, a hack which exploited a bug in sendmail, and literally brought the internet to its knees 10 years ago...and only exploited Unix clients).
But, most of all, I'm certain that this new Hotmail failure will go down as being far, far, far more significant than the $2,500,000,000.00 which eBay lost in market capitalization due to a bug in the operating system it is based on (Solaris). Since Microsoft was to blame and not the saintly and meek Sun Microsystems, we can be sure that this will be added to the never-ending list of Microsoft failures, while MacOS, Solaris, Oracle, Linux, and all other non-Microsoft software enjoy their 100% bug-free, 100% crash-free reign.
The main differences between open source and commercial software on this matter is cost and claims. Lets look at a few points:
It's akin to claiming to make an impenetrable door. Selling the customer a version with a doggie-door and plastic hinges instead. Then strong-arming the contractor into installing it with built-in plate-glass Windows. Then charging the customer for shutters, metal hinges and, oh yeah, a lock.
Linux is the alternative. It's free, and everyone knows (and keeps repeating) that it's written by the community. The quality disclaimer is implicit - it's written for fun, in spare time, by people who know (and love) what they're doing. You can look inside the door jambs and see how reinforced it is. You can put in a steel plate if you want - and there's plenty of people willing to tell you, and help you, get it done. For free.
Not only are you able to do this, but you are encouraged to do this. And, if security matters to you, you are given the means to take responsibility for the security of your system. This way, the responsibility is divided. You can check that the developer did his job, and if not, or if your needs differ enough to make it a special case, then you can remedy the situation.
With closed software, you are not given the choice of taking responsibility. Logically then, the full responsibility rests squarely on the shoulders of the people who made the product.
If you don't like Linux, you can go out back, drag home one of the reinforced BSD doors, and hoist it into place yourself. The cost? Your time.
The cost of securing an OS, be it from a big closed-source shop or from some freak in a Bazaar, is time. In the case of the former it's also money. And you don't get to see why it needs securing in the first place so you end up guessing or taking a priest at his word.
In the case of the latter, you can pore over the code to find the flaw, fix it and take it back to the freak. He won't give you money for your efforts, but he'll give your suggestion to his freaky friends for review - and you might get a free beer out of it.
-- Did anyone notice that the latest security innovation in NT2k is Kerberos security?
-- What you do today will cost you a day of your life.
(They didn't always say that. I wonder what incident caused the introduction of this verbiage. If you know, you probably can't say because of settlement terms, right?)
In addition to Bruce's comment about the code being open, I think it's important that the process is (usually) open too.
A typical closed source product gets developed behind closed doors and then unleashed on the public - we don't really know how decisions were made about what problems to fix. It's easy to imagine (even if it's not true) that people behind closed doors might conspire to conceal problems rather than fixing them.
An Open Source project typically has a public mailing list where problems are reported and discussed. Somebody might still make a decision to release the product with known problems - but there's no question of it being a secret.
I make it a practice to subscribe to development lists for products that are important to me. It allows me to get a great sense of how the product is doing - even if I have no intention of modifying the code. I would think that any company large enough to have a few million dollars worth of damages should be able to have somebody follow the development of essential software.
It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
And you, of course, are a Microsoft user. Nope, all of these posts are made from Slackware 7. If you read my userinfo you would know that (but who reads userinfo anyway... I know I don't.) I wasn't advocating Microsoft, I was pointing out that they know they aren't secure.
Restating the obvious since nineteen aught five.
You bring up a very good point. Lack of safety in automobiles results in injuries and deaths. On the other hand, lack of safety in desktop computers could result in loss of money, but not deaths. This is a major reason why safety in computers hasn't been as much a concern as safety in cars.
I recently received a message from some idiot claiming to report the vMac Project to "GNU Public License HQ" because our code is "sloppy". This guy was obviously an idiot because vMac isn't even under GPL, and we have a disclaimer saying that vMac is "use at your own risk" software (like many other free software projects.) I sent a pretty vulgar reply to the idiot, which clearly explained why he was an idiot. This was the only threat that we have ever received, so I don't think we (the Open Source community) have anything to worry about. Now, I'm just waiting for this idiot to try to threaten me about the Mace Project. The recently created Mace project is a LGPL compatibility layer similar to Wine, except that it brings Macintosh compatibility to Linux (and Windows, ick).
This double standard can be seen on Slashdot daily: Simply witness open source advocates boasting that "all bugs are shallow" because so many people review the source code. Then, when an embarrassing bug is pointed out, witness the same advocates chiding us to pity the poor programmers who work for free -- if we really cared, they say, we'd join the project instead of criticizing them.
Feh.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
Open source software developers should indeed be culpable for the code they write. They should answer to whomever has paid them to be culpable. But should culpability be automatic? Of course not. Who in their right mind would write open source software if it were possible that someday, out of the blue, someone could sue them because the software didn't work as expected?
The inevitability of bugs is one of the reasons OSS makes so much sense. Just about every open source license I see includes a clause that obviates culpability of the authors for any unintended features. I don't have a problem with that. Hey, it's free! What bugs me is that more or less the same disclaimer can be found in the EULAs of commercial software packages. It is the norm for commercial software vendors to sell goods which are not claimed to be suitable for any particular purpose (or similar wording). That, I have a problem with.
Who in their right mind would pay money for something not guaranteed to be suitable for any particular purpose??? A lot of people, amazingly. Hell, I have to admit I did, before I wised up. Software with no warranty isn't worth paying for. But software warranted to work? Now that's a valuable thing.
Yes. And you will never pay consumer-level prices for mission critical software. That E&O and malpractice insurance costs a bundle.
Firstly: I do have a law degree, but I am not a practicing attorney. Take this for what it's worth. :) With regard to the original question of OS vendor liability for damage caused by viruses, I think it's highly unlikely that such a claim could ever be sustained. In the law of negligence, one of the elements that must be proved is causation, which consists of 2 prongs. There must be both actual (or physical) causation and proximate (or legal) causation. Actual causation is pretty straightforward. Proximate causation, however, is an altogether different thing. It means that the action being claimed as negligence must not be so far removed from the actual damage that no one could reasonably be expected to foresee it. It all hinges on the degree of foreseeability. One of the things that people are NOT legally expected to foresee is a malicious and intentional act by someone else. Example: there is a huge gasoline spill, and a guy standing on a street corner throws a cigarette on it and causes an explosion. If it was an accident, the tanker company is still on the hook, because they should have foreseen somebody smoking on the corner who didn't know the gas was there. But if it was intentional and the guy just wanted to see some fireworks, they're off the hook because the act was a superseding cause (i.e., it is more proximate than the tanker's negligence). It is well established that people are not bound to anticipate the criminal acts of others. So...... unless you can say with a straight face that people are accidentally writing viruses, their criminal act is a superseding cause that breaks the chain of causation from the vendor. With regard to the broader question of product liability for software in general, there is a proposed addition to the Uniform Commercial Code currently in the drafting stages that would address a lot of the questions raised here. Proposed Article 2B deals almost exclusively with software issues, including warranties.
I think it's only a matter of time before Article 2B is ratified and adopted in all 50 states, so everybody might do well to look over it and lobby your legislators accordingly. You can read the latest draft at http://www.law.uh.edu/ucc2b/080198/080198.html Pay particular attention to part 4.
hold Borland responsible for viruses written in TASM? I think not
granted VBA is more powerful than the needs of 99% of Office users, in the end, it's just a language, mainly used for automation... limiting VBA functionality limits its uses as an automation language, and the point of that would be...? if VBA isn't up to the task then automators will find a language that is: can you imagine, instead of an "enable macros?" dialog, perhaps an "enable perl module?" or "enable c++ plug-in?" dialog?
more and more end-users are getting savvy to the fact that opening unknown email executables is a bad idea -- can a general wariness to macro-fied spreadsheets and documents be far behind?
Let's not confuse these two terms.
Negligence is criminal carelessness or recklessness, and liability is responsibility arising out of breach of contract or trust. (I'm not a lawyer. Corrections welcome.)
To prove negligence, you have to show that someone should have done something that they didn't do, or that they did something that they shouldn't have. The shoulds and shouldn'ts are decided by a judge or jury based on (probably) what a reasonable person believes constitutes negligence.
Therefore, it's gonna be pretty hard for a judge/jury to expect that Windows should never crash (since people see it crash a lot and consider that normal), but it would be much easier to expect that the software controlling your doctor's x-ray machine shouldn't fry you with cancerous levels of radiation the next time you get a mammogram. It's not that cancer couldn't result from a procedure, it's that a reasonable person would require that the software would absolutely prevent it.
The liability issue doesn't apply (usually) because license agreements typically provide an escape hatch. Custom written software is probably another issue, because you have to program to custom specifications.
Finally, (if you're still reading this) consider that it's been shown that no piece of software can be proven to be bug free. (Read it in some Scientific American article.) So eventually you're gonna have some X-ray machine fry somebody, or some mid-air collision, or some criminal released accidentally, etc. because of buggy code. Then the lawyers get to argue whether the bugs should have been foreseen and fixed.
Hmm.. searching Google, I found something interesting about how Ralph Nader is still behind car safety.
Is that the same Ralph Nader who's running for president with the Green Party? I was surprised when he was ranked as agreeing with me more than any of the other major candidates in the US 2000 election, since he is not running with either of the two major parties.
Btw, people on Amazon can't spell Nader's name correctly either
--
The shareholder is always right.
Software is inherently unreliable. By imposing simplistic regulations the notion of security is loosely upheld. The point of the whole situation is that there is no sense of professionalism or liability to coding, and in my opinion there should not be either. Government and society only want scapegoats when things go wrong. Naturally certification is their venue. In order for a skill or trade to become a profession it needs both autonomy and naturally a governing body. The IEEE or CIPS are examples. Neither organization aids the cause of coding. In fact they hinder it. When one is forced to abide by a code of conduct one had no input in creating, it limits one's ability and knowledge base. Now, I am not saying that certification is wrong; what I am saying is that certification shouldn't be the blanket an external government should use to indemnify themselves for bad management. Software only sucks because the management doesn't want to take the time to make sure the software works in the first place. Certification grants one a sense of accomplishment and reliability at the cost of politics.
Well that's my 3.234213412342 cents. But then again I'm just a lowly coder,
So, what if it IS Microsoft's fault for making their software so "dangerous" to use?
They may well be to "blame", but that doesn't mean that they can be dragged into court over it.
Anyone who has actually READ the Microsoft EULA should know that they take no responsibility for any use or misuse of their software, and do not guarantee it to be fit for any particular purpose.
Open source is in exactly the same position. There are NO guarantees on quality, and no-one (who has the sense to include a disclaimer) can be dragged into court over it failing to perform.
The best thing that could happen over this is that people become more aware of just how flaky the "license agreement" is that Microsoft offer for software that they have sold to you. Maybe some people will wake up and realize that Microsoft aren't the dependable solution that they make themselves out to be...
just me
smash
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I'm not sure where this originally came from, but:
"A certain percentage of computer users will never truly understand computers. Why try to force them to learn?"
hrm.. this is like saying "A certain percentage of automobile drivers will never know how to drive. Why try to force them to learn?"
gee i wonder
:P maybe it would be because you can do a lot of damage with a car, and learning to drive is the most effective way of preventing that.
same thing with a computer. if you want to be ignorant, expect people to take advantage of you. applies to everything in life really..
Think about it, given that the only secure system is one that can't be turned on, do you really want to start the precedent that laymen can decide that software you write was responsible for a security flaw? There is no such thing as perfect security, and choosing how far to go toward a secure system is a judgement call. Go too far and the system is a pain in the ass to use (rotating passwords every 30 seconds, have to re-login after 5 minutes of use, that sort of thing). Don't go far enough and every script kiddie out there can ruin your day. Microsoft chooses to not go very far at all, and because of that I won't use their stuff, but I won't sue them over it.
About the only thing you *could* sue them over is false advertising when they make *claims* that they have good security. There's nothing wrong with selling an insecure system as long as the buyer isn't conned into thinking he is getting a secure system. (Remember how we all used to be happy with home computers that had no security whatsoever - C64, Tandy, Amiga, Apple //e, etc.)
A lot of home computer users don't really *want* security. They want the computer to act like an appliance - no logging in. No time-consuming virus checks, no messing about with having to explicitly say an action is okay (like sharing drives), etc. Yes, those people are being stupid, but they should be allowed to be stupid. I'm getting tired of the way people in our society try to put off the blame for their own incompetence onto manufacturers. It's the reason products have all those silly labels on them these days. I even saw a label the other day on a food product that said, "Warning: contains peanuts". Now I understand the need to warn people with deadly nut allergies about this in a lot of products, but this particular product was a glass (transparent) jar of...Peanuts. Anyone who can't figure out that there might be peanuts in a 22 ounce jar of Planters dry-roasted peanuts should be removed from the gene pool, I'm sorry.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Buggy, Crash-prone, Slow, all this I accept, but 'without any applications'?
Ok, what is wordpad? What is outlook? What is Internet Explorer (M$ newspeak aside, IE is an application), Paint and a heap of other things.
Actually, 9x is pretty feature rich, applications-wise.
Knowingly selling a bad medium would of course be fraud, and intentional defects likewise might not be indemnable (word?). For instance, an INTENTIONAL backdoor in login, or an intentional time-bomb in a life-support program or something of that nature definitely could certainly be grounds for redress, even criminal redress. But equally severe flaws that cannot be shown to be intentional should not cause liability to the author of free software, because it is the user's choice to judge the quality, and he doesn't have to pay a cent, and he has full access to the source code.
Proprietary software is a different case. You pay for a license for the code. Therefore there are certain expectations, as the user has virtually no means of divining the quality or discovering bugs until he encounters them, or discovering security problems until a breach happens. Microsoft is SELLING LICENSES to software for certain functions--it SELLS LICENSES for OPERATING SYSTEMS--so if the operating system fails due to extreme negligence, it is not doing its job.
The sticky question is whether this is grounds for litigation or legislation. In the case of Melissa, I would say No. I thoroughly agree, the macro mechanism and defaults in Windows are terribly bad design. In fact, the problem is far more fundamental than that--Windows has a poor, even non-existent security model. The buyer knows this, or can know this. The buyer can know about the macros and the defaults, and the potential for abuse in the form of viruses and trojans. Therefore, this is not a case of negligence so much as a case of bad design, and even terrible design, when manifest as it is in Windows, is not grounds for suit. If anything would be, it would be something more like the exploit of the week with Explorer or Frontpage or the like... Certainly the Hotmail hole stands out, though that's not exactly the same issue. In any event, I would be hesitant as to what I would ask Uncle Sam to intervene in.
Pardon the bad English, I've got that post-holiday lethargy...
Nate
For example, I've purchased several official Linux distributions as well as several copies of FreeBSD. That is open-source software. Open source and payment are not mutually exclusive concepts.
--
-Rich (OS/2, Linux, BeOS, Mac, NT, Win95, Solaris, FreeBSD, and OS2200 user in Bloomington MN)
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
This entire discussion seems to be missing the point. Everyone is pointing the finger at Microsoft for being negligent, and that they don't provide adequate security for their products and are thereby liable, but what do we really expect of this company??? The burden of responsibility in the cases does not fall upon the company who initially wrote the software, but instead against the individuals who exploited the product in the first place.
The actions of most of these individuals is, quite simply, illegal. Producing a flawed product is not. In fact, considering the complexity of modern software (what, Win 2K is clocking in at 35 MILLION lines of code now) perfection is impossible. Nor, might I add, was it ever possible... I don't remember anyone in the past whining about how easy MS-DOS was to exploit... but, hey, nowadays MS is just a big target.
If we directed all of the energy in these posts towards discouraging the propagation of malicious code, the world of computing might be a different, more user friendly place... no, I'm sorry, this is not an issue of MS's culpability in not providing airtight code, but instead about personal responsibility and informed use of software...
Unfortunately, personal responsibility is not one of the more popular American values...
Tell that to the computers that control the behavior of traffic lights, or that control various pieces of medical equipment. :-)
Not all computers are desktop computers, and while this discussion is mainly being done in a desktop PC or server context, don't forget that people who write software do so in other contexts as well.
I do not necessarily agree with the views stated by the "I" below
Let's say I'm responsible for a corporate computer system. I have a network, some servers, a web server and 'bout a hundred users with varying computer knowledge. I do not necessarily want the best system there is. "Good enough" will do. I do not necessarily want a cheap system. I want a Fair Price. I don't want fuzz. I want the job done. I want to be able to take holidays without taking support calls.
Now I have the choice between MS, OSS and a mix.
For my servers and LAN it does not really matter. I will have to fix many things myself, so I will use a system I am comfortable with. (and believe it or not, there actually *are* some good NT admins out there) Liability is not a great issue, since it is *my* skill against all bugs, hardware faults and h4x0rs. Sure, my company might like the ability to sue MS, but they are more likely to fire me if anything goes horribly wrong.
For my web services: again no big deal. Being a company, I can afford to pay MS-licenses. I will probably pay some server hotel to babysit my web server anyway, and they will probably charge as much for a linux/apache as for a NT/IIS. I will probably just stick to whatever environment was used first. I want the hotel to guarantee my uptime, regardless of server platform.
Then comes the tricky part: My own users.
Most of them will not be very computer savvy. They will know how to use Word and Excel. They think it's nice to have mail and a web browser at work. If all of them get a mail attachment that says "Open me!", at least one will.
I could put Linux on their desktops, configure it nicely and (probably) get less security trouble. However: Our clients will send .doc and .xls files (and expect us to do the same). The users will complain when they have to learn this "new hard system". And when something goes wrong, they will *not* look for the answer on the net, they will call *me*. And when my boss (or a dozen angry users) says "There is a bug, We can't work", guess which of these answers will sound better:
a) I know. I already asked a coupla questions on the net, and I'm sure some answer will come up.
b) I know. I have all the source and if you just give me a day or two (or three) I'm sure I'll fix it.
c) I know. I already contracted an expert. He is working on it right now.
Now for my point. When you work for a company you *want* someone to be responsible for the products you buy. If you can't *name* that someone, its *YOU*. "Bugs like these tend to be solved by someone" won't cut it.
Whether or not that responsibility is worked out in a court or in a contract is not the point. If someone doesn't guarantee a product, the "I" above will never get it except for personal use.
All opinions are my own - until criticized
I have the same "feeling" about the EULA, but as IANAL I could not be sure. Do you mean that if the EULA were challenged in court then it would not really hold up? Why has anyone not tried that before, I wonder?
Furthermore, do the legal authorities (say in the US) not have a responsibility, if such a contract is used (in very large numbers!), to act against it (without a user actually filing a lawsuit)? Why did it not become an issue in the MS trial, for example?
I seem to agree with your point regarding GPL'd software. In that case I see it more as if you were buying parts, material and instructions for building an automobile, and so you are mainly responsible for the result. (You can actually compile and configure your system as you wish, and if say you use a tampered-with compiler then that is not the compiled source's responsibility. Now we can start musing about gcc etc.) And taking the automobile analogy further: you do not allow home made vehicles to be used on public streets right out of someone's garage, you use some certification; the same should work with e.g. e-commerce software I guess: to set up and use a system it should be proved/certified to satisfy certain requirements. (It is not enough to inform the user that it is not secure, for example; I might not even know what that means.)
So for this reason I rule out OSS developer responsibility. But I would not rule out the responsibility of a DISTRIBUTOR! So I think RED HAT should be held liable if their system is not configured as could be expected from a professional etc., just like MS, and they should act on discovered exploits in a timely manner like the car manufacturers with calling back autos if needed.
This is not any different after all from a proprietary system. You would not blame the MS employee for using this or that insecure encryption, but would hold MS as a company liable instead, right?
Matyas
The internet worm brought to us by Morris was a wake up call that led to greater internet security. Very few businesses were dependent on the internet at that time, over ten years ago. Now there are many more companies that greatly rely on the internet. How many stock values were dependent on the whims of the internet ten years ago? The stakes are higher now.
The Smartship debacle has other roots of failure other than your divide by zero example. Most OS's handle NaN rather gracefully; some applications don't. Some OS's don't. IIRC, the blame game in this case can/has gone around in circles until one pukes. I always wondered why ppl don't follow/check the IEEE or POSIX or ANSI standards.
The loss of market capitalization suffered by eBay was justifiable and also a knee-jerk reaction. The price of eBay stock was overvalued at that time. As you know, if a relatively small number of investors all sell their stock, then the value of the stock goes down, big time. Furthermore, if MS screws up and their stock price goes down by a mere dollar, the capitalization goes down a lot because there are a lot of MS shares.
Let us say that I do not care (as I do) whether the software I use is closed or open sourced. I purchase only service from MS or an OSS distributor: the services of the program and some form of maintenance from the maker. (Helpline, patches, return policy, etc.)
This is simply not an open source/closed source issue. With open source I CAN get the source too, an added benefit! But this is mainly the distributor's decision how they plan to provide the service. An OSS distributor thinks that having the source open makes their life easier, good for them. A proprietary system maker thinks otherwise, their choice.
As for the kit plan analogy: If someone puts together planes from kits and sells them, would you hold them liable or not? I certainly would. I would even expect them to make sure to some extent that the material they use is flawless etc.
The OSS developer is not responsible the same way as an employee of a closed source company is not. (He can face retribution from the company that employed him/her but that is a different issue.)
Furthermore, if a PC distributor/manufacturer sells the computer with a system preinstalled then I think that they take responsibility for the software! So if say they download a LINUX distro and install it then we can expect that the set up is reasonably professionally done. Therefore they will probably contract a company which specializes in this work; my understanding is that this is the way LINUX distributors want to make money. And so to sign a contract either with RED HAT or MS that they are not liable to any extent appears to be the same foolish thing to do.
What do you think?
Matyas
In response to the responses to my original post, I propose an alternative analogy. A refrigerator. If the refrigerator has a flaw such that, if abused, the door would fail to seal, then the manufacturer would really tick off a lot of people and could cause a lot of companies to lose money (especially in the food service industry). Yet, we could come up with a scenario in which this could threaten life or limb, such as if the refrigerator is used as temporary storage of blood in a surgical ward. Or if someone failed to notice that the refrigerator was no longer cold and then failed to properly cook the food inside. Or when someone opened the freezer, all the melted ice spilled out and that someone slipped on the floor. Or someone who cannot travel outside the home and must rely on someone else to bring the groceries, and the new groceries aren't due for another week.
But by its nature, by its obvious intended purpose, such a flaw is an inconvenience and a cause of lost money, but is not a direct threat to life or limb (unlike a 1000kg collection of steel, aluminum, and plastic travelling at 100kph).
And that last bit really is the crux of this discussion -- the suitability for any particular purpose. And that's been discussed sufficiently elsewhere in this article.
And, yes, I realize a different flaw in a refrigerator could cause it to topple over, but that isn't my point ... I chose a refrigerator because it was easier to come up with a flaw with similar results to a flaw in Microsoft's OLE than if I were to suggest a flaw in a book (besides something so obvious as misprinting) that could, in certain scenarios, threaten life or limb.
Christopher A. Bohn
cb
Oooh! What does this button do!?
Because you get the source, you can make any modifications necessary..... thus you are given the tools needed to make your system safer
The sad fact is, unreliable software -does- cost lives, every year. The difference is, you can -see- the cause and effect from a motor accident, it's usually a lot messier, and it's usually a lot more direct. This isn't true for deaths or injuries relating to computer software errors.
However, that's almost by the by. Software companies claim that the Turing Halting Problem gives them exemption. As they cannot prove fitness for use, they argue that they should be exempt from any and all quality legislation.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Let's take a look at the typical EULA.
The fact is, software companies have got it made. The EULAs are getting legal protection in the USA, which gives software houses total immunity from prosecution for any reason, whatsoever, for anything and everything.
That's not the only scary thing. You think it'll stop there? Car manufacturers are -big-! If the software companies get immunity from prosecution and immunity from consumer protection laws, do you think the larger manufacturers are going to just say "oh, well, that's them"? Or are they going to say "hey! Give us immunity too!"
How long before no consumer protection exists in the US, and you are literally taking your life in your hands every time you use the microwave or toaster?
Here is the argument I would make about Linux liability. A distribution sets its own warranty, though one may be considered implied. So if RedHat's current distro, for example, has a glitch that formats your non-linux partition, and the instructions don't tell you that that will happen, then RedHat could be held liable. On the other hand, if you home brew, modify, add to, or do anything else that is outside the distro's warranty, you are on your own. If you download something that has a line in the help file "No warranties expressed or implied" your only recourse is to find someone to fix it. This is where support comes in. I was always under the impression that the idea of how to make OSS work in the economy is to sell support and development. OSS is to give us jobs by making the tools available to anyone who has a use for them. Why is SGI paying some of the Samba developers? Because it helps sell their servers. Why should one develop a secure, web enabled project management tool kit? So some company that needs it can pay to have the features they need developed and to maintain the system. The nice thing is (ideally) that not only do you get yourself a job but by making OSS more versatile and valuable you give others in the OSC a job also. Warranties, support contracts, are what the OSS economic justification is all about. The thing we as a community need to be most wary of is making OSS deliberately more difficult than it needs to be. It has been proven that no matter how simple a system is, support for it becomes vital enough to dedicate professionals to maintain it, i.e. Windows NT.
Spyder
After seeing this I want to expound a bit on what someone else said in response.

> I disagree... having the ability to look deep into the product to check for possible problems is not the job of the consumer.

This is exactly why I think Free Software programmers should not be held liable.

Free Software does not follow the standard Capitalist model. The standard model is, Party 1 makes the product, party 2 pays money to party 1 for the product.

Free software is "Party 1 makes the product. Anyone is free to take the product". Rather than "Hey here it is, the one thing you need" it's "Here's what I did, use it if it fits your needs, don't use it if it doesn't".

It's about being open and sharing. The whole purpose of negligence and similar things came about because capitalism inherently rewards cutting corners and making products as cheaply as possible, whether it's safe or not. It is because of this that negligence laws and similar responsibilities of product producing companies exist.

In Free Software, there is no incentive to cut corners. A person working on a piece of software is usually writing it first and foremost because he needs it. As such the incentive is in getting it to work and fill his need.

As such, there is no "Consumer". A person who needs the same need filled can take his code and use it if they like. They are the ones that seek it out, and they are the ones who put it in place. Ultimately they should be responsible for making sure it meets their need before they put it in place.

> Software engineers are simply unethical engineers.

I disagree emphatically. What is so unethical about disclaiming any warranty? Other engineers generally work for hire or for a company. This means they are getting money to design something for someone else, as such they are liable to the person who is paying them.

However, if an electrical engineer designs his own TV remote control from parts he can buy at Radio Shack, completely at home and on his own, then releases the plans on how to build it... should he be liable if someone builds it and it doesn't work for them? He didn't charge them for the plans. He just said "Here is how I did it, this works for me". Should he suddenly be liable if it doesn't work or causes harm to someone else's TV?

If that is to be the case, then free exchange of information may as well be a dead idea. It would make it much too costly.
"I opened my eyes, and everything went dark again"
- effect: To bring about (an event, a result); to accomplish (an intention, a desire). [The existence of obstacles or difficulties is, in mod. use, ordinarily implied in this sense of the vb.]
- affect: To have or display a natural tendency toward, to tend to assume or put on.
And here's the more complete explanation:- effect e'fekt, v.
- 1589 Warner Alb. Eng. vi. xxxi. (1612) 154 - And nothing else I did affect but to effect my sute.
- 1593 Shaks. 3 Hen. VI, ii. vi. 98 - Ile crosse the Sea To effect this marriage.
- 1635 Quarles Embl. i. vi. (1718) 25 - Let wit, and all her studied plots effect The best they can.
- 1718 Free-thinker No. 90. 244 - At first they only wish to be secure; that effected, they endeavour to grow Powerful.
- 1792 Anec. W. Pitt III. xliv. 196 - Peace..would never be effected.
- 1833 Lardner Manuf. Metal II. 227 (Cab. Cycl.) - This reciprocating movement of the carriage is effected by a pinion fixed upon the end of a vertical spindle.
- 1837 Disraeli Venetia iv. i. (1871) 203 - Just effected his escape as the servant announced a visitor.
- 1850 Browning Easter-Day 5 - Effecting thus, complete and whole, a purpose of the human soul.
- 1875 Jowett Plato (ed. 2) I. 13 - The cure..has to be effected by the use of certain charms.
- 1878 Huxley Physiogr. 105 - The most skilful chemists have hitherto failed to effect such decomposition.
- 1596 Shaks. Tam. Shr. i. i. 86 - Sorrie am I that our goodwill effects Biancas greefe.
- 1655-60 Stanley Hist. Philos. (1701) 135/1 - The concurrence of Pleasures which effecteth Beatitude, is very difficult.
- 1791 Smeaton Edystone L. Sect.75 - The Lighthouse happily effected by Mr. Rudyerd.
- 1884 Stevenson New Arab. Nts. 317 - An enormous window..had been effected in the wall.
- 1866 Rogers Agric. & Prices I. xxiii. 598 - The earliest purchases are effected in immediate proximity to the mines.
- 1883 Manch. Guard. 17 Oct. 5/4 - Nominee life policies are often effected which are altogether invalid.
- C. 1590 Marlowe Faust. v. 95 - Faustus I swear..To effect all promises between us made.
- 1606 Shaks. Tr. & Cr. v. x. 6 - You heauens, effect your rage with speede.
- 1660 Marvell Corr. iii. Wks. 1872-5 II. 20 - We shall be called upon shortly to effect our vote made the former sitting.
- 1592 Warner Alb. Eng. vii. xxxiv. (1612) 164 - But that Cadwalladers Fore-doomes in Tuders should effect Was vnexpected.
- 1603 Knolles Hist. Turkes (1621) 1330 - The petard having effected as we have said.
- 1655-60 Stanley Hist. Philos. (1701) 161/2 - Elements, of which Air and Fire have a faculty to move and effect.
- 1817 A. Constable Let. 16 Jan. in J. Constable's Corr. (1962) 153, - I..hope you will..endeavour to make all right with the Doctor, even tho' as by this time you know I dare say that your first letter did not effect.
- 1494 Fabyan vii. 371 - The Albygensis..had ben effected wt dyuers poyntes of herysy.
- 1652 Wadsworth tr. Sandoval's Civ. Wars Spain 301 - The Abbat of Santa Pia..whom the earl particularly esteemed and effected.
- 1729 T. Cooke Tales, Prop. &c. 135 - His words effected much the Laureat's Mind.
- 1772-84 Cook Voy. (1790) IV. 1279 - He effects to preserve an entire silence about Kerguelen.
- affect <e>'fekt, v.[1]
- 1483 Caxton Gold. Leg. 263/1 - Roch affectyng no mortal glorye hyd his lignage.
- 1593 Shaks. 2 Hen. VI, iv. vii. 104 - Have I affected wealth, or honour?
- 1605 Bacon Adv. Learn. i. vii. Sect.27 (1873) - Cæsar did extremely affect the name of king.
- 1615 Sandys Trav. 105 - Elated with these beginnings, he affected the empire of the world.
- 1655 Fuller Ch. Hist. ix. 192 - He with more earnestness refused a Bishoprick, then others affected it.
- 1675 T. Brooks Gold. Key Wks. 1867 V. 21 - Gracious hearts affect that which they cannot effect.
- 1721 Strype Eccl. Mem. (1816) II. 200 - Was beheaded on Tower hill for affecting the kingdom.
- 1725 Pope Odyssey xi. 386 - The Gods they challenge, and affect the skies.
- 1794 Paley Nat. Theol. xxiii. 390 - How should the blind animal affect sight, of which blind animals..have neither conception nor desire?
- 1589 Bernard Terence Ded., - I have affected to make knowne the good will I doe..beare to you.
- 1611 Bible Ecclus. xiii. 11 - Affect not to be made equall vnto him in talke.
- 1776 T. Jefferson Autobiog. Wks. 1859 I. 22 - He has affected to render the military independent of, and superior to, the civil power.
- ? A. 1550 Robin Hood in E.E.P. Rom. (1858) II. 91 - He, whom he most affected..was called little John.
- 1580 North Plutarch (1676) 43 - Their favourers and lovers, which did affect and entertain them.
- 1601 Shaks. Twel. N. ii. v. 28 - Maria once told me, she did affect me.
- 1623 Bingham Xenophon 39 - Alwaies soure and cruell, so that Souldiers affected him as children doe their Schoolemaster.
- 1627 Feltham Resolves i. xvi. Wks. 1677, 28 - It learns him in his patience, to affect his Enemies.
- 1633 Bp. Hall Hard Texts 223 - Those that affect me shall be sure not to lose their love.
- 1690 W. Walker Idiom. Ang-Lat. 13, - I do not affect you, non amo te.
- 1760 Sterne Tr. Shandy (1802) VIII. xxxiv. 192 - All the world knows that Mrs. Wadman affects my brother Toby.
- 1593 Drayton Eclogues v. 45 - Nor things so base doe I affect at all.
- 1639 Fuller Holy War i. xv. (1840) 25 - Who never cordially affected this war.
- 1656 Bramhall Replic. i. 71 - Persons..who doe passionately affect Episcopacie.
- 1720 Shadwell Timon i. II. 302 - No man can justly praise But what he does affect.
- 1735 Pope Donne Sat. ii. 76 - Takes God to witness he affects your cause.
- 1875 F. I. Scudamore Day Dreams 5 - Nor do I greatly affect the early thrush.
- 1589 Nashe Alm. for Parrat 15 a, - As in garments so in gouernment continually affecting new fashions.
- 1642 Fuller Holy & Prof. St. iv. xiv. 319 - She much affected rich and costly apparell.
- 1646 Sir T. Browne Pseud. Ep. 373 - The Turkes without scruple affect the name of Mahomet.
- 1660 T. Stanley Hist. Philos. (1701) 85/2 - Socrates little affected Travel, his Life being wholly spent at home.
- 1665 Wither Lord's Pr. Pref., - They who superstitiously affect this Form of Prayer.
- 1704 Hearne Duct. Histor. (1714) I. 416 - Dionysius affected Plato's Conversation.
- 1718 Free-thinker No. 75. 142 - The little Genius affects Wiles.
- 1854 Thackeray Newcomes I. 126 - That peculiar costume which he affected.
- 1862 Lond. Rev. 23 Aug. 168 - He affected the back Ministerial benches.
- 1660 T. Stanley Hist. Philos. (1701) 28/2, - I affect above all things to live under a Democracy.
- 1699 Evelyn Acetaria (1729) 180 - Some affect to have it fry'd a little broun and crisp.
- 1751 Jortin Serm. (1771) V. viii. 172 - The greatest monarchs have affected to be called Father of their country.
- 1606 Shaks. Ant. & Cl. I. iii. 71, - I go from hence Thy Souldier, Seruant, making Peace or Warre, As thou affects.
- 1643-5 in Sel. fr. Harl. Misc. (1793) 301 - His malady increased or diminished as he [his man] affected.
- 1616 Surflet & Markh. Countrey Farme 285 - Iuniper affecteth the tops of mountaines.
- 1793 G. White Nat. Hist. Selb. xviii. (1853) 210 - Here and there a bird may affect some odd peculiar place.
- 1849 Mrs. Somerville Connex. Phys. Sc. Sect.27. 305 - Groups of algæ..affect particular temperatures or zones of latitude.
- 1873 Browning Red Cott. N.-Cap 1076 - Tessellated pavement,-equally Affected by the scorpion for its nest.
- 1612 Drayton Poly-olbion v. notes 80 - Their tongues did naturallie affect..the British Dialect.
- 1664 Power Exp. Philos. iii. 158 - A contrary posture to that which it naturally affects.
- 1756 Burke Subl. & B. Wks. 1842 I. 57 - Any body..affecting some regular shape.
- 1850 C. Daubeny Atomic Th. viii. (ed. 2) 269 - Why the same body should sometimes affect one crystalline form, and sometimes another?
- 1605 Shaks. Lear ii. ii. 102 - Who hauing beene prais'd for bluntnesse, doth affect A saucy roughnes.
- 1663 Butler Hudibr. i. i. 94 - A Babylonish Dialect, which learned Pedants much affect.
- 1715 Burnet Hist. own Time (1766) I. 17 - He affected the grandeur of a regal court.
- 1735 Pope Hor. Ep. ii. i. 97 - Spenser himself affects the obsolete.
- 1781 Gibbon Decl. & F. II. xxxiv. 283 - He at first affected a stern and haughty demeanour.
- 1796 Morse Amer. Geog. I. 781 - They affected the appellation of patriots.
- 1855 Macaulay Hist. Eng. IV. 135 - To affect the character of loyal men.
- 1866 Rogers Agric. & Prices I. xiv. 250, - I am not botanist enough to affect any judgment on the subject.
- 1595 Shaks. John i. i. 86 - The accent of his tongue affecteth him.
- A. 1616 B. Jonson Discov. (T.) - Spenser, in affecting the ancients, writ no language.
- 1729 T. Cooke Tales, etc. 27 - Her Sire, affecting now the tender Man.
- 1865 Carlyle Fredk. Gt. II. vi. viii. 217 - He affected the freethinker, and carried libertinism to excess.
- 1720 Waterland Serm. 56 - Some of late have affected very much to say that all things were created through the Son.
- 1724 De Foe, etc. Tour thr. Gt. Brit. (1769) IV. 273 - The Lochs..which some affect to call the River Aber.
- 1853 Maurice Proph. & Kings viii. 123 - He affected to restore the idolatry which Aaron had sanctioned in the wilderness.
- 1856 Kane Arctic Expl. I. xxviii. 363 - Every one who affects to register the story of an active life.
- 1661 Barrow Serm. I. i. 4 - He affects commendations incompetent to him.
- 1723 J. Sheffield (D. of Buckhm.) Wks. (1753) I. 290 - Who..would soon have shewn A real rage, which now he but affected.
- 1813 Scott Rokeby v. xvi. 209 - Each look and accent, framed to please, Seemed to affect a playful ease.
- 1837 Disraeli Venetia i. viii. (1871) 40 - He had ever affected a haughty indifference on the subject.
- 1603 Daniel Defence Rhime 13 (1717) 12 - We smooth up a weak confused Sense, affecting Sound to be unsound.
- 1679 Sheffield & Dryden Ess. on Sat. 70 - How that affects to laugh, how this to weep.
- 1753 Smollett Ct. Fathom (1784) 138/1 - Although Fathom looked upon this proposal as an extravagant symptom of despair, he affected to approve of the scheme.
- 1816 Scott Antiq. (1879) II. xxv. 52 - He tired, or affected to tire.
- 1848 Dickens Dombey (C.D. ed.) 33 - "Oh you beauties!" cried Susan Nipper, affecting to salute the door by which the two ladies had departed.
- 1879 M. Arnold Irish Cath. in Mixed Ess. 100, - I have never affected to be surprised..at the antipathy of the Irish to us.
- 1631 Cornwallyes Ess. xxiii, - Affectation begets Extremities: Man is allowed onely the middle way, he strayeth when he affects.
- 1692 Lady Russell Let. 21 July, - I take some care not to affect in these retirements.
- affect <e>'fekt, v.[2]
- 1606 Shaks. Tr. & Cr. ii. ii. 59 - And the will dotes that is inclineable To what infectiously it selfe affects.
- 1722 De Foe Plague 77 - The inward gangrene affected their vitals.
- 1782 F. Home Clin. Exper. 283 - Affected with pain in his loins, which affects the thigh-joint.
- 1881 Daily Tel. 27 Dec., - The returning pilgrims..were the means of affecting the people of the districts through which they passed.
- 1726 Ayliffe Parergon 59 - She shall have alimony..unless you can affect them with Fraud.
- 1662 Fuller Worthies (1840) III. 159 - A passage that affected me with wonder.
- 1667 Milton P.L. v. 97 - The trouble of thy thoughts this night in sleep Affects me equally.
- 1722 De Foe Moll. Fl. (1840) 238 - When once we are hardened in crime no feaus.
- 1780 Burke in Corr. (1844) II. 354, - I do not think I have ever on any occasion seemed to affect the House more forcibly.
- 1832 Ht. Martineau Life in Wilds vii. 99 - The honour paid to her husband had affected her.
- 1876 Black Madcap V. xviii. 161 - The sportsman was not affected with all these taunts and jeers.
- 1631 Sanderson Serm. II. 6 - Oils and ointments..affect three distinct senses.
- 1667 Milton P.L. x. 653 - The Sun..so to move, so shine, As might affect the Earth with cold and heat.
- 1667 Boyle Orig. Formes & Qual. 26 - External bodies being fitted to affect the Eye, others the Ear, others the Nostrils.
- 1764 Reid Inq. Hum. Mind v. Sect.2. 121 - The effluvia of bodies affected our hearing.
- 1817 Malthus Population I. 360 - Causes, which affect the number of births or deaths, may or may not affect the average population.
- 1840 Macaulay Clive 70 - This system..might affect the amount of the dividends.
- 1846 Prescott Ferd. & Isab. I. Introd. 17 - No person could be affected in life or property, except by a decision of this court.
- 1855 Bain Senses & Intell. (1864) ii. i. Sect.11. 93 - Bodily exercise indirectly affects all the r can affect organs of the body.
- 1611 Cotgr., - Nantir, to consigne..to tye fast; affect, appoint, or point out, one thing for th' indemnitie, or assurance, of another.
- 1807 W. Taylor in Ann. Rev. V. 296 - Broker is become a nobler designation than formerly, and is now affected to agents of exchange.
- 1847 Thackeray Van. Fair iii. viii, - One of the domestics was affected to his special service.
- 1868 M. Pattison Academ. Organ. Sect.4. 108 - Of our total endowment fund, one, and the smallest third, is affected to the promotion of science and learning.
Looks like you're using definition #4 of `effect'; that is, a confusion with `affect'.
Etymology: f. prec. sb.
1 a trans. To bring about (an event, a result); to accomplish (an intention, a desire). [ The existence of obstacles or difficulties is, in mod. use, ordinarily implied in this sense of the vb. ]
b To produce (a state or condition). Obs.
c To make, construct. rare. arch.
d Comm. to effect a sale, an insurance ; hence, to effect a policy (of insurance).
2 To give effect to (a resolution, a feeling); to fulfil (a promise). Obs.
3 absol. and intr. To have an effect, be effectual; to accomplish its purpose. Obs.
4 Confused with affect (? and infect).
Etymology: a. Fr. affecte-r (15th c.), ad. L. affecta-re to aim at, aspire to, endeavour to have, pretend to have; freq. of afficere (f. ad to + facere to do) to put to, hence refl. (se facere ad) to put or apply oneself to, to aim at. See also affect v.[2]
1 trans. To aim at, aspire to, or make for; to seek to obtain or attain. a a thing. Obs.
b to do a thing.
2 To be drawn to, have affection or liking for; to take to, be fond of, show preference for; to fancy, like, or love. a a person. arch. or ? Obs.
b a thing. arch.
c a thing touching one's own practice: To like to practise, use, wear, or frequent.
d to do a thing. ? Obs.
e absol. To incline or like. Obs.
3 Of animals and plants: To frequent naturally or habitually, to haunt, to inhabit.
4 Of things: To have or display a natural tendency toward, to tend to assume or put on.
5 To show ostentatiously a liking for; to make an ostentatious use or display of; to take upon oneself artificially or for effect, to assume.
b To assume the character of (a person).
c with inf.: To `profess,' take upon one.
Hence, by imperceptible gradations,
6 a To put on a pretence of; to assume a false appearance of, to counterfeit or pretend.
b with inf. (or gerund).
7 absol. To assume artificial or pretended manners; to put on airs. Obs. rare.
Etymology: f. (directly or through Fr. affecter) L. affect- ppl. stem of afficere to do to, act on, influence, attack with a disease; also, to put to, attach to; f. ad to + facere to do, make. The L. frequentative affectare (see prec.) had also rarely the sense of `attack as a disease,' whence sense 1 might be taken, merely as another branch of the preceding verb; but the others can be referred only to afficere. Though all the senses are in mod.Fr., our 1-4 are not in Cotgr. (1611-50), who has only to `fasten or tye on; destinate (or bind for); assigne or appoint unto;' whence our sense 5, though this is also a less common use of L. afficere (aliquid ad aliquem). It corresponds formally, and in sense partly, to the earlier afaite, which was obs. long before the introduction of this.
1 To attack, lay hold of, act upon contagiously, or attaint (as, or after the manner of, a disease). Rare in the active voice in earlier usage.
2 To attaint with a crime or offence: `a phrase merely juridical.' J. Obs.
3 To lay hold of, impress, or act upon (in mind or feelings); to influence, move, touch.
4 To make a material impression on; to act upon, influence, move, touch, or have an effect on.
5 To apply specially; to assign, to allot; to attribute. (Only in passive voice, as in mod.Fr., though in 17th c. Fr. active, as in L.)
I have always wondered why the laws regarding merchantability of products do not apply to commercial software. I believe most locales (at least in the US) have an implied warranty of merchantability of goods sold. That means that if you sell me something I have every right to expect it to work in the manner it is intended. The only way to avoid that is to sell something "as is". I didn't think that a company could just decide that it is going to sell their entire product line "as is" without getting into some legal trouble. The GPL specifically disclaims the warranty of merchantability and says that the software is provided as is, but this is usually acceptable in things that are given away. Any lawyers out there that can give us some insight?
As I actually bought Win95 back in, er, 1995, I happen to own a 30-page booklet entitled "Limited Warranty". The interesting section follows:
NO LIABILITY FOR CONSEQUENTIAL DAMAGES --- TO THE MAXIMUM EXTENT ALLOWABLE BY LAW, MICROSOFT AND ITS SUPPLIERS SHALL NOT BE LIABLE FOR ANY OTHER DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THIS MICROSOFT PRODUCT, EVEN IF MICROSOFT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, MICROSOFT'S ENTIRE LIABILITY UNDER ANY PROVISION OF THIS AGREEMENT SHALL BE LIMITED TO THE AMOUNT ACTUALLY PAID FOR THE SOFTWARE.
Melissa is an auto-run macro virus in Word docs. It only runs if you open the document, and let the macro run. The default in current Office installations is to warn if you are opening a document with auto-run macros.
The problem w/ Melissa is that it has significant *social* engineering in it - you *think* that the document is coming from someone you trust, so you go ahead and open it. And either you are running an old version of Office, or you have (foolishly) set your Office software to not warn you about auto-run macros, or you (foolishly) go ahead and let it run because you think you trust who it came from.
So how has Microsoft *not* taken reasonable steps to protect users from things like Melissa?
Think of the difference between .exrc in your home directory (ownership test) and the evil modelines abomination. BSD removed modelines because they are EVIL AND WRONG. Microsoft should do the same.
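The distinction the post above draws, a startup file you trust because of who owns it versus commands smuggled inside the document you are editing, can be shown in a few lines. This is an added example, not code from any post on this page or from any vi implementation; the exact rule it enforces (file owned by the invoking user, no group/other write bit, no symlinks) is this example's own choice, and the `.exrc` sample files and the modeline text are constructed here for the demonstration.

```python
import os
import re
import stat
import tempfile

# Added example (not from any post above): the ".exrc ownership test" the
# post contrasts with modelines. Classic ex/vi sources a startup file from
# the current directory only if it belongs to the invoking user and nobody
# else can write to it. The precise rule below is this example's own.

MODELINE_RE = re.compile(r"(?:^|\s)(?:ex|vi|vim):\s*(.+)$")


def trusted_startup_file(path, uid=None):
    """Return True only if `path` is safe to source as a startup file.

    The file must be a regular file (lstat, so a symlink planted by someone
    else is refused), owned by `uid` (default: the effective uid), and not
    writable by group or others.
    """
    if uid is None:
        uid = os.geteuid()
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def find_modelines(text):
    """Return the editor commands embedded in the *content* of a file.

    This is the case the ownership test cannot help with: a modeline rides
    inside the document being edited, which by definition came from somebody
    else, so file ownership says nothing about who wrote the command.
    """
    found = []
    for line in text.splitlines():
        m = MODELINE_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def demo():
    """Constructed scenario: a private .exrc, a world-writable one, a modeline."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, ".exrc")
        shared = os.path.join(d, ".exrc.shared")
        for p in (private, shared):
            with open(p, "w") as fh:
                fh.write("set autoindent\n")
        os.chmod(private, 0o600)
        os.chmod(shared, 0o666)  # anyone on the box could have edited this
        me = os.geteuid()
        results["private_own"] = trusted_startup_file(private, me)
        results["world_writable"] = trusted_startup_file(shared, me)
        results["other_user"] = trusted_startup_file(private, me + 1)
        results["missing"] = trusted_startup_file(os.path.join(d, "nope"), me)
    # Constructed document text carrying an embedded editor command.
    results["modelines"] = find_modelines("hello world\n# vi: set shell=/bin/sh:\nbye\n")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two functions side by side: `trusted_startup_file` has something to check (who owns the file, who can write it), while `find_modelines` shows that an embedded command has no such attribute to check, which is why dropping modelines, rather than trying to vet them, is the sane fix.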
The way I see it is like so:
You have automobile company A (~microsoft). They sell a lot of cars because they are easy to drive and maybe a few other reasons (which I cannot fathom), however unless you are living in a cave, you have heard that parts of the car can suddenly and randomly stop functioning. "Whoops, looks like the power steering and ABS went out again honey." ... and within every 3 to 4 days or so, the car will suddenly stop running altogether, mid-trip, and have to be restarted.
Now, can you really yell and scream at company A? I do research when buying a car... don't you? Well after my research, I found company B. They're not so well known, but their car is free. PLUS, they give you unlimited, free, parts for repairs and upgrades. The controls are a bit tricky, but the car is overall better. (Kind of like a Mercedes CLK-GTR)
When there are other options, can you really hold one company responsible? If you don't like the limitations, unreliability, and looks of one car, you can always buy another, or in my case (and I suppose a majority of /. readers) obtain the far superior vehicle, for free.
(... of course, no car (or software) will be perfect)
-- Charles
IANAL, but...
The disclaimer in the GPL works for most instances but if someone breaks the law, with or without knowledge of it, they can be held responsible.
For example, a clause stating that the author does not take responsibility for any patented algorithms doesn't make it okay to distribute even if there are.
Another example is where the author may willfully commit some crime by releasing the software. The GPL does not protect you from this.
You have to be responsible for your actions to a certain extent. If it can be shown that you willingly release software that is harmful to others, and you have foreknowledge of this, GPL or not, you could be in big trouble.
John
finish learning your latin conjugations.
[singular] virus
[plural] virii
you show rudimentary knowledge already. by declaring the poster a member of the illiterati, you prove yourself an illiteratus.
I can understand people complaining about bugs and security holes in Microsoft software, but in the case of the Melissa virus (unless I've got it confused), their software acted as it should. In a default-setup Windows computer with Outlook Express and Microsoft Word, the user is warned, not once, but twice that the file they are opening could be dangerous. First they are warned by their e-mail client that files transmitted by e-mail may have viruses or trojan horses. Then, Word's macro virus protection warns them that the file they are opening runs a macro on startup, which may be a virus. If they go ahead at that point (or if they had turned off the warnings), it's their own fault.
If you are warned against something in life, you are accountable for the results. If you drive a car off a cliff because you didn't realize it was dangerous, you can't sue the car company. Why should software be any different?
... "Give me a woman who loves beer and I will conquer the w
I've always thought it was quite amusing that companies print that sort of stuff, even though it's not true. The most mind boggling example of this I've seen is actually from the court system itself. Here in Massachusetts if you appeal a speeding ticket, you are sent a letter notifying you of your court date. Stamped on this letter, in red ink, is "THIS DATE CANNOT BE CHANGED" however this is a blatant lie! They have to let you change your court date, but they faithfully stamp it on every single one of them.
Drink! OHBC >O+
In his essay "In the Beginning was the Command Line" (look at www.cryptonomicon.com), Neal Stephenson discusses UNIX in terms of tools for contractors, specifically the "hole hawg", a serious drill for serious drilling. It was heavy, hard to use, ugly, and absolutely brilliant for drilling. OSS tends to be like that -- it assumes that you know what you are doing. As a result, it tends to attract the form follows function crowd, and they tend to a) find the bugs, b) be less affected by them due to inherent paranoia (the BSDs more than Linux, because they tend to be used in mission-critical applications), and c) deal with them like adults. For people who cannot (or will not) understand the reasons for things, faulty software is potentially a big deal, because they will almost certainly be operating without a net, so to speak. The difference is that people who work with OSS tend to make sure the net is up and in good shape before they do anything -- and a lot of that is not innate skill or brains, just experience.
The licence will only bind the parties to it.
Otherwise the general law of negligence applies.
So, for example, if my program to control robots goes berserk and kills a child who did not themselves have a licence, there is no protection.
Okay, if the car analogy is unacceptable, how about this? Suppose you buy chocolate chip cookies at the store. You eat a few and have to be rushed to the hospital. This is the cookie producer's fault.
Now, imagine you clip out a cookie recipe from a magazine. You notice that it calls for 2 teaspoons of arsenic. You prepare the cookies according to the recipe, eat them, and have to be rushed to the hospital. This is your fault.
Non-life-threatening version:
The store-bought cookies taste like crap.
The recipe calls for 1/2 cup of cow manure.
One of the reasons that I became a lawyer was to avoid ever having to hire one. -SPYvSPY
TheCarp said: if an electical engineer designs his own TV remote control from parts he can buy at radio shack, completely at home and on his own. Then he releases the plans on how to build it... should he be liable if someone builds it and it doesn't work for them? He didn't charge them for the plans. He just said "Here is how I did it, this works for me" Should he suddenly be liable if it doesn't work or causes harm to someone elses TV?
If it simply doesn't work, the person trying to use it isn't harmed (they didn't have a working remote before, and they still don't) so there is nothing to have a liability suit over. But if the remote I build from the guy's plans causes my $500 TV to catch fire and burn my house down, you bet I want him to be liable. I have no way of knowing whether he intentionally published plans that claim to be innocuous but are actually harmful (like an email virus, for example) or whether he just recopied the value wrong on a crucial capacitor. If it's the first, he deserves to pay for my house. If it's the latter, as an engineer he is supposed to build stuff that meets a certain standard and I am trusting that his engineering products, paid for or not, meet that standard. But if I know that I have legal recourse and that I COULD sue the pants off the guy if his device causes damage, I'm more likely to trust his plans because he's aware of this legal recourse too. I'm not just putting my faith in his engineering ethics, I'm also trusting his self-interest (and let's face it, self-interest is more universal than ethics). It's in his own interest to check those capacitors thoroughly before he releases anything, and that liability might make him do so instead of just scanning his scrawled notes and putting them up in PDF form.
Liability is just a legalistic term for "forcing people to take responsibility for their own actions," and that's not a bad thing. Part of the reason open source code is good is that people take responsibility for their own work. The only problems arise when damage awards exceed reason--but usually that requires genuine stupidity by the negligent party. Damage awards that appear outrageous are often sparked by outrageous actions by the company being sued, or else are reduced on appeal.
JennyWL
I'm a registered /. user, but also work for one of the companies that has its own category graphic here. If I see a discussion about a product I've worked on, I can post anonymously and add some info to the discussion that very few other folks would have available (and I've noticed other members of my team doing likewise). If anonymous posting weren't allowed, none of us would jeopardize our jobs, we'd just shut up and the discussion would continue with guesses and misinformation and none of the facts we could have provided. So when you talk about eliminating nuisance AC posts, remember you will also eliminate some posts that ARE of value.
JennyWL
Ostensibly, no _one_ person owns the source code, however, some group (i.e. a company) will want to use the source code embedded in a product. I assume this company will take the source code on the understanding that if something goes wrong, _they_ are liable.
But say that my company does not want to take this risk (drawing from the "free" market)? Well, then I purchase linux from a company the likes of Cygnus -- an intermediary, say I call them X -- who promise -- by virtue of their whole purpose of being in business -- to provide the software "bug free" (or, some kind of agreement about my company upholding to use the product within defined parameters, and their company upholding to ensure that the product never fails [or has a very low MTBF] within those parameters).
Naturally, X charge me money, and they charge other people money, and I pay them money because they front the risk -- this is exactly why they survive. Within X, they do everything they damned well can to make sure that their packaging of linux is such that it is bug free, and probably they negotiate some liability insurance for the company as well.
This is just one of the ways that intermediaries make money from free source! Not just linux, but any free source. Different companies may specialise in different end uses (i.e. embedded systems, different processors, different variants, etc).
matthew.gream@pobox.com
IANAL, but I think it might have something to do with the intended use of the 'product', what it is sold for.
If you buy a car, the intended use is to drive it on roads. Thus you have cause to sue if the brakes stop working or the wheels fall off. If you decided instead to use it as a foodstuff, you couldn't sue claiming injury because of indigestion. It's your own fault for using it for a purpose it wasn't designed for.
You can apply this to software too. If you bought a web browser and found that it wouldn't display web pages (and you could prove that this was the browser's fault, and not badly-behaved site, broken networking or whatever else), you would have a legitimate grievance. (Although IMHO the most you should be entitled to is a refund of what you paid, unless you have agreed different warranty terms in advance.)
However, if you used the browser for a mission-critical information display, in a hospital or whatever, you wouldn't have a legitimate complaint if memory leaks caused it to crash after two weeks of use. A browser is not designed to give that kind of reliability, and it doesn't claim to. (Some things such as Java explicitly say that 'X is not designed for use in safety critical applications'.)
So I think that you have to ask: is the user just being stupid by trying to use the software for something inappropriate?
-- Ed Avis ed@membled.com
One important facet of Open Source that appeals to me is that I feel I can trust the software MORE than a commercial product. As Gurlia states, most Open Source coders are hobbyists. And most of these hobbyists make this software for THEMSELVES, or for a friend/occasional client. This means that the coder trusts the code on his/her machine and is going to make sure it's stable. No programmer wants to claim a program that crashes "occasionally."
What's irritating about micro$oft is that they claim they care about security. Closer to the truth: they have no concept of security.
E.g., the "security patch" for office '97, as lame as it is, won't install if (like I have) you have explorer 5 installed. Well, I was forced to install ie5 when I installed w98. Of course, M$ doesn't mention this anywhere. So do I spend the extra $ for office 2000? What added problems would I be buying? If the main advance of office '97 was the stupid paperclip, I must assume that M$ has come up with something even more annoying in the latest version.
I agree with other points well made by other contributors on this page. You can't just tack security on as an afterthought.
Once metrowerks comes out with the new java IDE for linux, I hope to ditch windoze for all my work projects... but I still need it for my sound card, since EMU doesn't support linux yet. (hint hint!)
I'm replying to this a bit late, so there's the distinct possibility nobody will read this. So what.
:-).
A couple of points. First. Software is *incredibly* IMPOSSIBLY difficult to make bug free. IMPOSSIBLY difficult. In other words, it is a practical (possibly even a theoretical) impossibility to prove that a given non-trivial program is bug-free. (On the other hand it is generally trivial to prove any non-trivial program is not bug-free.)
Second. With commercial software, you typically pay some money for a binary which purportedly serves some purpose (though the license probably states that its suitability for *any* purpose is questionable or non-existent.)
With open-source software, you typically pay *nothing*, and, are given the source, and are told that whatever it is, is *as-is* no warranty, etc.
As a user of CVS, (see http://www.sourcegear.com) a GPL'ed source code control system, it does not bother me one bit that there is nobody to sue should things go wrong.
On several occasions things *have* gone wrong (only slightly, no real damage) or gone slightly differently than what I would have preferred. On those occasions, guess what? I had the source! Instead of calling up some company and complaining, or instructing lawyers to make threatening phone calls, I posted a query to the relevant mailing list, or fixed the problem myself and posted the fix to the mailing list, and bang! everybody's happy. And as ESR's Cathedral & Bazaar paper pointed out, I was probably even happier having found and fixed the problem myself than I would have been in the bug-free case!
Just my thoughts.
-- Metalhead
Bang the head that doesn't bang!
I can agree that in almost all cases what the customer is buying when they purchase a Red Hat product is the packaging (sorry, sucker, buy it from Cheapbytes next time...) but Red Hat claims (in their feeble attempt to justify $70 for a shrinkwrapped box full of stuff that can be downloaded for free) they provide support with their rather pricey product.
:) I was trying to go with a "Generic Distribution" example.. RedHat seemed as good as any... ha.. Forgot they charge more than everyone else and offer tech support...
Yeah that does put RedHat in a different position...
Ok well.. umm QuickFix.. swap "RedHat" and replace it with a distribution that charges just for packaging...
I don't actually exist.