OK, that's the problem. I dropped the project regarding clarifying that there may be no restrictions on use for a while due to some fires I needed to fight, I'd better take that up again.
If there's a bug in the kernel, and you can work around it in a user-level program, which should you fix? Is it *wrong* to work around a kernel bug in userland?
Russ, I am a bit surprised that you ask, because this is so fundamental to what Open Source is all about. Open Source is all about being able to fix the bug in the kernel rather than have to work around it in 1500 different programs in user mode. Is it wrong to fix it in user mode? If you have to, it's because someone's keeping it from being fixed in kernel mode, and yes that is wrong.
I can't say I'm happy that you have to bring these questions to Slashdot. Sure, there are times when it's good to seek input, but I'd think that today's issues are fundamental to OSI's chosen mission and aren't the ones you should have to ask about.
If this is not the case, then the implications are terrible.
It's not the case, and they are indeed terrible.
Not only would you not be able to share your homebrew stout with your friends
Yes, you may be liable if they are poisoned and hospitalized for a long time, if they are intoxicated and crash their car, etc. I pay for an additional US$2 Million general liability over the default offered on my home insurance for just this sort of thing, or if the cleaning lady hurts herself, etc.
now you know why many companies aren't using open sourced software.
That's a fallacious argument, and one that should be an FAQ. OK, folks, put this in an FAQ somewhere:
FAQ: Open Source is bad because when it breaks there is nobody you can sue.
Answer: This might be a valid consideration if there was anyone you could sue when your non-Open-Source software broke. There isn't. Go read the license that came with that software, if you don't believe me. Not only does it disclaim liability, it requires you to indemnify the software provider against your damages. Indemnify means that if there are damages to the vendor connected with your use of the software, you have to pay the vendor for them! Even if they are your damages!
Service contracts are available for both Open Source and proprietary software. They provide some limited protection, but read your license, it's probably less than you thought. They may only be liable to give you a repaired version of their software on a timely basis, not for other damages incurred through its use. If you lose your data, that is probably still your problem, not something covered by the contract.
If you have a lot to lose, buy insurance. You will find that your insurance company will require you to have a documented and working process to protect your company from damage - this will include backups, security and other evaluations, etc.
The GPL's no-warranty statement is a disclaimer, it does not request your agreement. The legal question is whether or not a simple disclaimer is adequate, and when the user must see it for it to be effective. I am for a single notice at distribution install time that there are licenses, that they disclaim warranties, and how you can view them. I don't think it's necessary for licenses to require that, it should be a guideline. Requiring click-through in a license would cause all sorts of problems for the distributions that they don't really need - there are better ways to solve this problem.
They've had a request for approval of a licence. Is it not reasonable for them to consult the wider community on this issue?
Do you really believe they even had to ask? This one seems pretty clear to me.
I'm intrigued by this statement. Some time ago I compared briefly read the Debian Social Contract and the OSD and I didn't notice any substantive differences.
When OSI was proposed to me, it was a way of marketing Free Software to business. It's been instead driven as a schism from Free Software. And the OSD continues to diverge from the DFSG. I also reject that the folks running OSI are representative of any Open Source community anywhere. In the case of SPI, there is a membership and elections. And unfortunately, most of the OSI board don't have time for OSI - they're too busy with their companies, etc. So 2 or 3 people end up running it.
First, it's necessary for you to divorce copyright from warranty in your mind. Warranty does not necessarily follow copyright. In many cases, the warrantor will be the person you got the software from, regardless of whether they hold a copyright. And they may be able to pass on damages to the person they got the software from, perhaps the original developer. I think the risk to FTP sites is low, but to distributions, who put more active work into the process, and sometimes get a cash consideration, it's high.
The problem is what is the default in the law regarding warranties. If the default were clearly no warranty, Free Software would be OK. To the extent that the default is otherwise, we are less OK, and must deal with imperfect instruments for disclaiming warranties, and getting the user to agree to indemnify us (pay for our damages). But our goal is not to go to court at all. The minute someone has us in court, we're already losing money. So, we want it to be so clear that there is no warranty that nobody will ever try to sue. This is why people are tempted to use click-wrap. But I don't think that requiring it is the right solution.
Aren't you actually proposing that we let the other side state the rules of the game? After all, Free Software is a rebellion against all of this litigious nonsense. I think we need to push back here.
This is not to say that there is no need for a set of guidelines on how to communicate to users the NO WARRANTIES message. But I don't feel that requiring click-through in licenses is the right approach.
The problem is that Red Hat (for example) can pass on damages that they are forced to pay in court to the original developer by turning around and suing that developer. Would they? Of course not. But of course management of companies changes, that is why we have contracts.
That said, I still don't recommend click-through. I would instead publish a set of guidelines for distributions that would tell them how to direct attention to individual software licenses.
Obviously, Free Software producers must be able to deny warranties, since they are not getting the consideration (money) necessary to provide them. People who want warranties should be able to buy them, either from the software producer, another software shop, or an insurance company.
It's different with cars, because cars have a high potential to do physical injury to people and are thus expected to be built to a higher standard.
I agree that package installers should be able to present the software license for any package on demand, and that the option to read it should be very clearly available to the user. Also, there should be some general notice with a distribution at install time that there are licenses, and that they disclaim warranties, and how to see them. But I would reject an attempt to require the above in licensing. It's up to the distributions, who face most of the liability, to implement.
Well, from a liability standpoint, I would recommend that distributions who are worried about this include a click-through notice at distribution-install time. The notice should say that the software included in general disclaims warranties, and where the licenses are found on the system, and that it's a good idea to read them if you feel you deserve a warranty. I would not recommend that any license require one to maintain that click-through notice.
Well, my suspicion is that this is related to the disclaimer of warranty issue, and not copyright. But there are two ways to go at that - push Open Source licensing, and push to reform the law. I'd rather push to reform the law. If we continue to back up, we'll eventually have our backs to a wall. The Debian Free Software Guidelines, later called the OSD, were all about drawing a line in the sand. We need to hold that line.
All I can think of is that the click-through might be required for the disclaimer of warranty in some UCITA states. This is not a copyright issue. But we are working that angle by going for modification or withdrawl of UCITA.
I see this as a slippery slope. Accept it, and then there will be an incremental series of other "legaly necessary" requirements, until we can't be distinguished from shared source.
I'm aghast that OSI would even consider click-wrap, and I entirely reject the unsubsantiated scare-mongering that goes along with its proposal.
The OSD was developed by the Debian group under the aegis of Software in the Public Interest. Nobody who is presently involved with OSI had any part of that.
OSI is probably the biggest mistake I've ever made, and yes it's my mistake. It's time to clean it up. The OSD should be returned to SPI, who can be trusted to administer it sanely.
I agree that this is hardly the last shot in the battle. Hardly. If anything, we kept a bad situation from getting a drop worse. But I don't know if "wussied out" is really a fair description. I modified my own DMCA paper to protect HP's Linux program. When Kent Ferson sent his letter a whole 4 days later, I lit fires all over HP and (along with a cast of good people within HP) convinced everyone, including Kent, that using DMCA this way was a bad idea.
But I didn't get the law repealed this week. I'll keep working on that. It would be really nice if you would put in a lot of work on this, too. This is the sort of issue where every one of us has to help or we'll lose.
Well, hopefully I get points for not speaking out of ignorance, which is what I would be doing if I were to air a condemnation before I had first-hand data.
I read "full disclosure unless bound by contract" as "full disclosure unless you pay us to hide what we found". If I had written that page, I would have spun that line differently. I don't yet know if my (admittedly paranoid) interpretation represents the way they operate, or not.
People really resist the phone. Lots will reply to me here. A few will email. None will call. No kidding. That number has been on my web page for a year, and the calls I get are from the press, and the occassional Nigerian money-laundering scam.
In my investigation, I read the Snosoft home page. This is the second sentence of their introductory paragraph:
Our advisory release policy is full disclosure unless bound by contract.
Now, I don't know any of the people involved or how they really do business, and thus I am not ready to make any allegations. But that sentence sounds a bit like a shakedown, doesn't it?
I would hate to be manipulated in a shakedown of my own company.
On the other hand, some people say this is a year-old bug and that there was long correspondence before one of the employees finally revealed it. I don't know if that's true yet.
One has to balance law and personal integrity. If things went down the way they were reported - and that's a big if - I would not really be able to stand by this, and would probably air some criticism of HP management. When I was hired, I did negotiate how and when I could criticize the company, and this falls within those parameters. Would I quit? Some people think I should stay around and try to teach them the right thing to do. Not that this would be easier than quitting. But HP isn't going away just because I slam the door on them.
Well, my job is keeping the company from doing stuff that makes its customers want to "vote with their wallet" as you do, or fixing the problem when that goes wrong. Give me some chance to do it.
Bruce
Bruce
Russ, I am a bit surprised that you ask, because this is so fundamental to what Open Source is all about. Open Source is all about being able to fix the bug in the kernel rather than have to work around it in 1500 different programs in user mode. Is it wrong to fix it in user mode? If you have to, it's because someone's keeping it from being fixed in kernel mode, and yes that is wrong.
I can't say I'm happy that you have to bring these questions to Slashdot. Sure, there are times when it's good to seek input, but I'd think that today's issues are fundamental to OSI's chosen mission and aren't the ones you should have to ask about.
Bruce
It's not the case, and they are indeed terrible.
Not only would you not be able to share your homebrew stout with your friends
Yes, you may be liable if they are poisoned and hospitalized for a long time, if they are intoxicated and crash their car, etc. I pay for an additional US$2 Million general liability over the default offered on my home insurance for just this sort of thing, or if the cleaning lady hurts herself, etc.
Bruce
That's a fallacious argument, and one that should be an FAQ. OK, folks, put this in an FAQ somewhere:
FAQ: Open Source is bad because when it breaks there is nobody you can sue.
Answer: This might be a valid consideration if there was anyone you could sue when your non-Open-Source software broke. There isn't. Go read the license that came with that software, if you don't believe me. Not only does it disclaim liability, it requires you to indemnify the software provider against your damages. Indemnify means that if there are damages to the vendor connected with your use of the software, you have to pay the vendor for them! Even if they are your damages!
Service contracts are available for both Open Source and proprietary software. They provide some limited protection, but read your license, it's probably less than you thought. They may only be liable to give you a repaired version of their software on a timely basis, not for other damages incurred through its use. If you lose your data, that is probably still your problem, not something covered by the contract.
If you have a lot to lose, buy insurance. You will find that your insurance company will require you to have a documented and working process to protect your company from damage - this will include backups, security and other evaluations, etc.
Bruce
Bruce
Do you really believe they even had to ask? This one seems pretty clear to me.
I'm intrigued by this statement. Some time ago I compared briefly read the Debian Social Contract and the OSD and I didn't notice any substantive differences.
When OSI was proposed to me, it was a way of marketing Free Software to business. It's been instead driven as a schism from Free Software. And the OSD continues to diverge from the DFSG. I also reject that the folks running OSI are representative of any Open Source community anywhere. In the case of SPI, there is a membership and elections. And unfortunately, most of the OSI board don't have time for OSI - they're too busy with their companies, etc. So 2 or 3 people end up running it.
The whole thing makes me very uncomfortable.
Bruce
First, it's necessary for you to divorce copyright from warranty in your mind. Warranty does not necessarily follow copyright. In many cases, the warrantor will be the person you got the software from, regardless of whether they hold a copyright. And they may be able to pass on damages to the person they got the software from, perhaps the original developer. I think the risk to FTP sites is low, but to distributions, who put more active work into the process, and sometimes get a cash consideration, it's high.
The problem is what is the default in the law regarding warranties. If the default were clearly no warranty, Free Software would be OK. To the extent that the default is otherwise, we are less OK, and must deal with imperfect instruments for disclaiming warranties, and getting the user to agree to indemnify us (pay for our damages). But our goal is not to go to court at all. The minute someone has us in court, we're already losing money. So, we want it to be so clear that there is no warranty that nobody will ever try to sue. This is why people are tempted to use click-wrap. But I don't think that requiring it is the right solution.
Bruce
This is not to say that there is no need for a set of guidelines on how to communicate to users the NO WARRANTIES message. But I don't feel that requiring click-through in licenses is the right approach.
Bruce
That said, I still don't recommend click-through. I would instead publish a set of guidelines for distributions that would tell them how to direct attention to individual software licenses.
Bruce
Obviously, Free Software producers must be able to deny warranties, since they are not getting the consideration (money) necessary to provide them. People who want warranties should be able to buy them, either from the software producer, another software shop, or an insurance company.
It's different with cars, because cars have a high potential to do physical injury to people and are thus expected to be built to a higher standard.
Bruce
Bruce
Bruce
Bruce
I see this as a slippery slope. Accept it, and then there will be an incremental series of other "legaly necessary" requirements, until we can't be distinguished from shared source.
No, no, a thousand times no!
Bruce
The OSD was developed by the Debian group under the aegis of Software in the Public Interest. Nobody who is presently involved with OSI had any part of that.
OSI is probably the biggest mistake I've ever made, and yes it's my mistake. It's time to clean it up. The OSD should be returned to SPI, who can be trusted to administer it sanely.
Bruce
Bruce
I agree that this is hardly the last shot in the battle. Hardly. If anything, we kept a bad situation from getting a drop worse. But I don't know if "wussied out" is really a fair description. I modified my own DMCA paper to protect HP's Linux program. When Kent Ferson sent his letter a whole 4 days later, I lit fires all over HP and (along with a cast of good people within HP) convinced everyone, including Kent, that using DMCA this way was a bad idea.
But I didn't get the law repealed this week. I'll keep working on that. It would be really nice if you would put in a lot of work on this, too. This is the sort of issue where every one of us has to help or we'll lose.
Thanks
Bruce
Thanks
Bruce
Bruce
Bruce
I'm uncomfortable about that line. Thus, I'd better investigate both sides thoroughly.
Bruce
In my investigation, I read the Snosoft home page. This is the second sentence of their introductory paragraph:
Now, I don't know any of the people involved or how they really do business, and thus I am not ready to make any allegations. But that sentence sounds a bit like a shakedown, doesn't it?
I would hate to be manipulated in a shakedown of my own company.
On the other hand, some people say this is a year-old bug and that there was long correspondence before one of the employees finally revealed it. I don't know if that's true yet.
What do you think?
Bruce
Bruce
Bruce