I cannot distribute my code (and its changes) without being tried for treason
Are you distributing your executables? If you use the OSS for a specific system and only on that system, you are not required to distribute source - everyone that has the binaries (the military) will have the source.
You're assuming that missiles travel in an arc. This is not necessarily true. They may level out at a given altitude and cruise. This requires less precision during launch, and allows the missile's guidance systems to correct for environmental differences while it's in flight.
Take a world map. Choose any one location. Draw a line from this location to a location in a non-adjacent country. See how many other countries you pass through.
I don't see any legality issues with basing fines on bug severity. I'm not sure about the legality of basing it on company size.
Of course, we all know that any punishment will just waste court time as large companies spend more on their legal department than they would for proper fixes.
What if a fix is not immediately obvious and takes a week or two to fix?
Show people that you're working on it. Post updates to the bug report. Let people know why it's taking so long (e.g. the bug is actually in another module, and you're trying to eliminate it without breaking something else).
Forcing people to write perfect code their first try is a pain.
s/a pain/impossible/ I know that it is impossible to write perfect code. However, it is not impossible to keep track of bug reports and to fix them, or to reply stating the reason they don't get fixed.
My bad. I had completely forgotten the original purpose of this thread, being fines for failure to fix bugs. Of course, with these fines, there's incentive for companies to fix bugs.
Of course, the fines will need to hurt the corporations for them to be effective. Maybe base the fine on a combination of bug severity and company's net worth? Probably not legal, but probably effective.
Thank you for explaining this. I agree with most of what you said.
However: Exploits can only be made publicly available after a patch is available
I would change this to be either after a patch is available or after a given amount of time has passed since the bug report. If the vendors don't fix it, put a fire under their asses.
Does it allow file access to someone without permission?
In the first case, your recipe database shouldn't be doing this. Very few programs should have to suid, although some may need to sgid.
File access is a bit trickier. If the app runs as user X and grants access to files that should be viewable only by user Y, that's an OS problem. If the app runs as user X and allows anyone on the network to view files only readable by user X, that's an app problem.
BTW - OS crashes, even when triggered by application programs, are usually considered OS bugs.
I'll grant you that. Any way that an app can cause an OS to crash is an OS bug, and should be the OS vendor/maintainer's liability.
Do you fix security bugs immediately? If you re-read my comment, you'll notice that I mentioned penalties for insecure software. Period. If the software you write allows a hacker to crash the operating system or get access to personal data, I would say that you are liable if you don't fix it immediately.
Although I am only human, I would like to believe that I would feel the same way if I were the one who was liable.
Well, you're pretty much trolling here, but what the heck...
This was not my intent.
What you are proposing would even wipe out something like a recipe database.
If the recipe database causes a security hole, or can cause an entire operating system to crash, yes, I believe it should have liability attached to it.
For every active open-source project, there is a maintainer. It is the job of this maintainer to ensure that released software is bug-free.
I think that, if we're going to have penalties for insecure open-source software, we should:
hold the maintainer liable
Only have penalties for release-level software. No alphas, betas, or cvs nightly builds.
I also believe that a vendor or maintainer should be given a reasonable amount of time to fix a bug. There shouldn't be a penalty for a security hole that exhibits itself at one second after midnight on a full moon if the year is divisible by 7 when an attacker uses the root password as a user name. However, if this combination is discovered, and isn't fixed, then hold the maintainer/vendor liable.
The human race is not close to being eradicated by nuclear weapons. Maybe Pakistan is, but not the world.
It is my belief that the launch of a single nuke will be the end of civilization as we know it. You may ask why.
Country X launches a nuclear weapon. It doesn't matter who launched it, it doesn't matter who's targeted. Every country in the world sees a nuke going up. Let's say, for the purpose of this example, that the nuke is flying in an eastern direction. Now everybody to the east of country X will start launching counterattacks at country X, as none of them know for sure whether they're the target.
Country Y, to the west of Country X, sees Country Z, to the east, launching nukes. There are hostilities between these two countries. Y sees Z launching in their general direction, and so launches their own counterattack. Repeat ad nauseam.
Don't forget, also, that the world is round. A missile targeted to the east may well alarm a country to the west, especially if the target is on the other side of the planet. And don't think that any non-participating countries will be unaffected. The amount of fallout caused by the participant countries will be more than enough to cause severe problems for the non-participants.
Re:GPGME - GPG Made Easy on How to Save PGP · Score: 4, Insightful
Compiles fine on most Linux distributions. It needed a small amount of help to compile on Mac OS X
Yes, but in the Real World we still need to support Windows.
Note that GPGME isn't really a GPG library. It uses the GPG command-line behind the scenes, so it is inherently unportable - you can't get IO from another running process in ISO C.
When I suggested creating a PGP library, I meant a true library. Make the code ISO9899 compliant, then the only issue is linking it to the front end.
Re:Why save PGP? on How to Save PGP · Score: 4, Insightful
Um...because NAI doesn't want to? They own it now, I believe. And they want to profit from it somehow.
Re:GPG, OpenPGP, and what needs saving on How to Save PGP · Score: 3, Interesting
How 'bout putting the algorithm into a library? If there's one library for PGP (written in ISO-standard C), front-ends could be written for it for any platform. One back-end to watch for major bugs, and front-ends that allow the interfaces people are used to.
As funny as it would be to see RMS trying to explain it to the judge, the FSF has better judgement than that. They're sending their General Counsel, Professor Moglen. Being a lawyer, he's probably better suited to being in a courtroom.
I don't define immediately. Lawmakers do. And I don't believe that immediately only applies to Microsoft, or to any corporation.
- Does it grant elevated permissions (suid/sgid)?
- Does it allow file access to someone without permission?
too many backspaces = kill the application
And that's where the fault is. There is no reason for too many backspaces to be an application-killing fault.
If there is no maintainer, there is nobody to update the pages, cut releases, administer CVS, etc.
If you don't like the term "job", replace it with "task". It is a task one takes upon oneself by creating open-source software.
Most of it is. However, I wouldn't trust beta software for my business, so they lose liability and users at the same time.
OTOH, a crash that's caused by pressing the backspace key too many times should be fixable immediately or subject to penalties.
IMHO, of course.
there will be absolutely no doubt who did it
Re-read the scenario. I didn't say they don't know who did it. I said we don't know who the target is.
you can never kill civilians
Hiroshima.
Specifically, what does it add over GPG?
Usability? GUI?
Funny, I thought the United States had a
There might be an initial expense in retraining workers to use the new software, but the benefits seem to outweigh the costs in the long run.
Have you ever tried to get a bureaucracy to look beyond immediate expense?