Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Negligence and Open Source 361

icing asks: "With the story about the Melissa trial, some people argue that Microsoft is partly to blame. Negligence in making a product safe to use, cannot be excused. And again, software is compared to real world things like cars and how car makers could not get away with what Microsoft is doing. Does not the same argument apply to makers and distributors of open software? Could makers or distributors of Open Source be held liable? Under which conditions? Or do we have a double standard here?" Hmmm...a touchy issue. What are your impressions?
This discussion has been archived. No new comments can be posted.

Negligence and Open Source

Comments Filter:



    So no, no one can be held responsible for anything their GPL'ed program does. I don't know how the BSD license works, but I would assume some sort of similar constraint.

  • by bravehamster ( 44836 ) on Sunday December 26, 1999 @03:56PM (#1443542) Homepage Journal
    I think the difference here lies in the fact that Microsoft (or whoever) is selling them a closed product. Because it's closed, it's Microsoft's responsibility to make sure that everything in the code is "safe", and they should be held liable if it isn't.

    I think the best analogy to use in this case is something like kit airplanes. If you buy a whole, complete airplane from a manufacturer (closed source) and it blows up in midair, you naturally and rightfully blame the company that made it. However if you buy a kit plane, put it together yourself, and the engine drops out of the plane in midair, you have only yourself to blame.

    So, following this analogy, closed source companies should be held liable, because some things are hidden from the consumer, and open source companies should not, because the customer is able to see _exactly_ what they're getting. This would encourage many companies to switch to an open source model, don't you think?

  • Yes, of course, but the typical commercial license has the same sort of clause. A question might be: if Microsoft should be liable for damage due to negligence (e.g. inadequate macro virus security), should open source authors be accountable for similar negligence?
  • by NotQuiteSonic ( 23451 ) on Sunday December 26, 1999 @03:57PM (#1443544) Homepage
    By selling the software to an individual, Microsoft should have a responsibility to make "safe" software. Comparing it to auto manufacturers is reasonable. Microsoft should hire "software engineers" who are professionally licenced and insured to sign off product as safe.

    Open source on the other hand shouldn't have this responsibility because it is given out for free. The the responsibility exists with the individual who implements the systems. If I designed a car and left the drawings open source. I would never be held liable for the car if it proved to be a defective design. If I sold the designs, I would.

    If someone else sells my free drawings, maybe they should be liable as well.

  • Um, no. If I buy a plane kit, and the instructions for the engine are wrong, I don't only have myself to blame. IANAL, so I'm not sure who is legally liable in such a case.
  • That doesn't make any sense. Whether the source for Windows was open or not does not change the liability in any way.

    It is being sold to people who have neither the time, nor the motivation, nor the expertise to make anything of that source and hence the source being available is immaterial. The analogy with kit airplanes is not apt because the kit airplanes are put together by the people using them and regardless the manufacturer has the reponsibility to make sure that if the instructions were followed reasonably diligently, the aircraft should be in no danger of blowing up.

    Now if you want to make up special cases just so you can sleep at night that's a different thing...

  • Anonymity on Slashdot has become a haven for the ignorant and childish. I say remove it.

    Couldn't agree more, except that if anonymity was removed, then previous AC's would register multiple (fake) names (so you still wouldn't know who the comment), and it would prevent the distinction between those who are prepared to stand by what they say, and those who aren't.
    As in, anything you post un-anonymously you mean, because everyone else knows who posted it/has your email address.
  • What a great question. I'd like to see how some open source coders respond to this. We so often double our standards; whenever there's something we can bash Microsoft about, we do so immediately. But a similar situation in the Linux community would be praised. We all do that, in one form or another.

    As for the issue at hand, I don't think anyone, even Microsoft, should be held responsible for such bugs. Cmon, all programs are going to have problems; just because one of the bugs happens to have more risky consequences doesn't mean that it is any worse than a bug that is relatively harmless. It shouldn't be concidered "negligence" - it should be expected by users of the program.

    On the other hand, both Microsoft and Open source programmers should be prepared to either a) fix bugs or b) pubish them as soon as they are notified of them.

  • Disclosed source-code software has much less of a problem with negligence since the user and distributor are able to perform due diligience on their own - if the user has something to lose they can check the code or read other people's reviews of the code and protect themselves from damage. If there is damage due to negligence, the fault is at least in part the user's because they had the power to protect themselves.

    This is not the case with Microsoft's non-disclosed-source-code software - they don't give the customer the power to check or fix their negligence, thus the negligence is all theirs.

    True Open Source in general declines warranties because the software is distributed gratis or at very low cost. Of course, you have the option to make a contract with a support provider who might provide you warranties against negligence. I don't think it's likely that a provider of gratis software, Open Source or not, would be found liable for damages he explicitly disclaims. I'd like to hear of any cases where this has happened.



  • The difference between MS and Open Source software is that you don't pay for it. Remember the big piece of FUD from earlier this year?

    "What if something happens because of the software? There's no one to be held accountable!"
    You can look at it as either an advantage or a detriment, but there's no way someone who writes OSS could be held accountable for something like this. Now, there's a difference between the Melissa Virus case and something like UltraHLE (The reverse-engineered N64 Emulator.) I'm talking about legitimate software here.
  • by Anonymous Coward
    If I use a car to hit somebody, i'm to blame, not the auto maker for "not making the car so it can't hit other people or cars". Even to the extreme this argument doesn't work. If I kill somebody with a gun, it's still my fault, not the gun maker's, even if I wasn't intending to shoot the person.
  • Cliff is right, this is a touchy issue. I am not a lawyer, but I do have have some thoughts in which I'm sure fellow slashdotters with more knowledge of the field/issue will expand on.

    Law. Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party.

    Ok, hypothetical situation time. Company X makes this nifty toaster called the iToast. It can track user settings, adjust to hardware failure, and all sorts of nifty things to make you the perfect toast each and every time until the whole thing goes.

    But I must mention that the iToast has a built in 3.5" floppy drive so you can apply patches, or isntall a whole different version of the software. Now, Company X ships the iToast bundled with its own software, but a nice little grassroots orginization creates their own OSS for the device. It's faster, and has a better isToastDone(args), which results in better output. Yum indeed.

    Unfortunately, the OSS geeks overlooked a small bug which can, although rare (say 1:20000 uses) cause the toaster to burst into flames. Not good.

    Now, the question is where can, if at all, the company become liable?

    I say there is little chance that the OSS group would be held liable if they released a patch immediately upon discovery of the bug. However, if they chose to ignore the bug, the group would more than likely be held liable for resulting damages. Of course, there are some creative lawyers out there nowadays, so . . . =)
  • Does the MS EULA not have language about not being accountable for "features" (bugs), not intended by the manufacturer? A lot of licenses have been copping out like this, and I don't necessarily think it's a good thing. The GPL is slightly different, because even if the software author doesn't care, you can ask your buddy the programmer to fix it and re-release it. But I don't think MS can be held liable for macros being run by Outlook and Word.


    --My magic 8-ball said "Outlook not so good" but they released it anyway...
  • I have a solution to all these liability problems. Blame it on me. I'm willing to take the fall for anything that happens with computers, because usually I am the cause. Every time I walked into the room with the webserver at work it would mysteriously go down. When I'm at work, the sysadmin has to drink an extra cup of coffee to keep with all the problems I cause. Bottom line, making me the scapegoat will solve any and all liability problems.
  • If the car's brakes were faulty or the gun's trigger was bad, then it would be the manufacturers fault for producing a defunct product.
  • Open Source liability? Hmm, isn't that what companies like RedHat are there for? I know some people don't like RedHat, but this question just brings the real issue to the front: most of us Open Source coders are here because it's fun to play around with code and invent new things. The last thing we want to worry about is whether we might get sued over somebody getting hurt by our latest invention. This is where companies like RedHat comes in -- they provide support, and act as somewhat the entity to point your finger at (read, sue) when things go wrong. We coders can't afford to be sued, hence the standard disclaimer of no-warranty in the GPL: we're not even getting paid (in most cases) for our contributions. We need somebody like RedHat as a "shield", so to speak, in case of major trouble.

    But as to our responsibility in putting out quality products, I think the nature of Open Source itself lends very well to producing high-quality products. As hobbyists, we're definitely more concerned for creating the best software out there than how to stuff our products with features so that it's more marketable. Perhaps a few coders might be negligent, but with the vast diversity of coders involved in Open Source projects, each with their own needs, preferences, and biases, such problems surface quickly, and hence, get fixed quickly as well. I think I don't need to repeat past stories on how fast security holes in Linux are fixed, compared to MS offerings.

    I suppose you can say there is negligence in the very fact that a security hole exists, but this is a little unreasonable because in a complex system, you don't know what the faults are until you actually put it to use. I think the more important issue is (1) whether problems like security holes are quickly fixed, and (2) coders care about their projects enough to make sure it doesn't contain obvious problems. I would say an Open Source project is stronger on both. On (2) particularly because of the coders' interest -- if your dinner depends on how well your code sells, you'd probably cut corners gladly so that you won't miss the deadline.

    Anyway, to get back to the first point -- although we coders have enough interest to avoid obvious problems, and there are enough of us to quickly fix a problem when it comes up, there are still cases where major trouble might result. This is when a commercial entity like RedHat comes in -- it gives us dedicated workers, not just volunteers who could throw up their hands anytime and give up and leave the user in his own soup -- dedicated workers who are ready to accept more responsibility than hobbyists. We need both volunteers and dedicated people.

  • Ok, lemme clear something up before this gets flamed into oblivion. =)

    In case of said failure, the group would be prolly liable for damages, but I don't think the feds would be on their case or there would be any major lawsuits, if they immediately released a patch.
  • Comparing a design by Microsoft (or any other desktop/server software company) that has a flaw in it to a design by an automobile company that has a flaw is a poor analogy, in that a flawed automotive design has the potential to cause loss of life or limb. Desktop and server software doesn't put the customer at the same risk.
    Christopher A. Bohn
  • by dsplat ( 73054 ) on Sunday December 26, 1999 @04:10PM (#1443560)
    While both open source and shrink wrap licenses disclaim liability, what about support contracts? When a security hole is known, especially when it is reported to the company providing the support by someone with a support contract, I would think that the courts would be much more likely to find that company liable if they made no attempt to remedy the problem or at least warn their customers of it.
  • When you tell someone, "Here are all the parts to build a car, its free if you can get it running!"
    it is generally implied that that person is responsible for the car's functionality.
    Not so if you sell the car.
  • by evil9000 ( 72113 ) on Sunday December 26, 1999 @04:12PM (#1443563) Homepage
    Let history repeat itself. It took car manufactures well over 20 years to start incorporating saftey features into their vechicles, but until that happened, the only people complaining about how unsafe cars were were the people who cleaned up after the accidents (ie Doctors, nurses, etc).

    This all changed with the Nadar report - and the publicity it generated in the media and the public eye.

    What needs to be done is to increase people's awareness of how bodgy the Micro$ server code is, and how only the micro$ exchange servers were the ones that were affected adversly by the Melissa virus...
  • Since the design criteria for Java were published, there is a clear source available warning of the dangers of allowing arbitrary pieces of code to be executed without the knowledge and consent of the user. Setting the security switches that would prevent this to the choice that allows it to happen by default is only slightly better than providing no way to turn it off. In essence, designing a way for arbitrary pieces of code to be sent to a machine and executed automatically is designing in a security flaw. That is an error of commission, not one of omission.
  • I agree. Hopefully, at some point Microsoft will lose their grip on the customer to such an extent, that competing companies will be able to offer their equivalent products with an extended warranty as a value-enhancing feature, which will in turn put pressure on Microsoft to act similarly. Just because right now, people are used to the fact that there is no warranty on shrink-wrapped software products (as opposed to contract work), it doesn't mean that there is no market for it. It just means that so far, companies have got away with it (and some companies can get away with almost anything, like trojan horses spying out their customers illegally).
  • by QuMa ( 19440 )
    As it stands with current licenses, I think you can't blame anyone, at least not legaly. However, maybe the 'we are not responsible' clause should not be allowed if you sell the software... Dunno the legal implications, but it seems reasonable.

    If you are only selling the medium, I suppose you aren't liable.
  • by NateTG ( 93930 ) on Sunday December 26, 1999 @04:18PM (#1443570)
    There have been several posts claiming that Open Source software has less necessity for security, or safety. That the GPL somehow exonerates OSS in some way that the MS EULA does not. All of this is bunk.

    If OSS software is really a general purpose solution then it must meet as stringent a security requirement as any other such solution. For all of those Linux evangelists out there, we can't claim security as an advantage in on sentence, and then claim less resposibility for it in the next without sounding silly.

    What Linux does have is a better testing system, a more heterogenious and reliable user base, and a significantly better bug response method.

    The concerns about safety, be they virus propogation, data integrety problems, or uptime/essential systems issues. Are the responsibilty of the system's administrator. Any system can be made secure by a careful admin, and any system can be made unsafe by running unknown (read closed) software.

    The reality is that computers are so complicated that Admin's (for that matter developers) cannot go through the code checking all cases in some perverse proof of correctness. Making software engineers sign off just means that someone who really isn't responsible for having a buggy or defective piece of softwar can be canned for the zealous marketing and management of his company.

    If a company claims that a system is secure - e.g. NT according to MS or perhaps Open BSD then the company could be considered liable if:
    a) It fails to take reasonable measures to make sure that said product is secure.
    b) Refuses to respond to security issues as they arrive.

    The software you buy is always as is. Beware.
  • It does if that sofware is controlling something dangerous or important--like medical equipment, trafic lights, and nuculear bombs etc...
  • Meaning that if you get a piece of OSS for free and it doesn't work or causes some damage to your system then your pretty much out of luck unless you can prove that the faulty code was malicously placed. On the other hand if your purchase OSS software from someone who has repackaged it then you have an expectation of quality and the seller should be liable for it. Of course this isn't even the case for closed source commercial programs these days. Especially "shrinked-wrapped" software that often comes with disclaimers against liability should their software to really nasty things like burn down your house or trigger the apocalypse.
  • The difference is that the EULA is so ridiculous that it is practically invalid. EULA's and similar licenses usually say that we have no rights and the software can be yanked out from under us at someone's whim, and we have no legal recourse if anything goes wrong, and we do not own the software, which means that we cannot do practically anything. These types of agreements (shrinkwrap licenses) would not hold up in court. The GPL says that if anything goes wrong, you have no legal recourse, but it also says that you have complete and total rights to redistribute software and such. This is much less of a one-sided agreement and much more likely to hold up in court.

  • ... you can't blame the manufacturer. But if your car suddenly exploded because you put in the reverse while the radio was on (a good analogy to typical Windows behavior), then you would blame the auto maker - I hope.
  • The liability should be on a product sold. With RedHat etc you paid for the pacaging not the develupment of the software. If something is wrong with the software that RedHat caused by the way the pacaged it or could have prevented by a small change in pacaging then they should be liable but if the problem is a flaw in the software RedHat did not develup (or develuped and gave away) they should not be liable.

    If you buy a Compaq computer with Windows preinstalled you still paid Microsoft not Compaq for the software.. But if a defect in Windows is caused by the way it is installed then Compaq who installed it is liable.

    The open source develuper who codes and gives away his software sold nothing and is liable for nothing unless he makes clames to the fitness of his software.

    Basicly Microsoft might be liable for selling a defective product or a product with an unreasonable security defect. Sence open source develupers do not sell any product they can not be held reliable for that non-sale.
    Giving away a defective product is (at this time) not subject to liable.

    This may change over time with busnesses selling support instead of product but for now if Microsoft is found liable for selling a defective product it could boost open source a great deal..
    Sell product and be liable for defects or sell support and let the userbase be responsable for the repairs.

    But again even in open source your liable for clames so if you clame a product is bug free you could put yourself in a position of being even more liable than if you had sold the software to start with... Sold product can get away with a few defects so long as it can be shown to be reasonable.
  • Ross Perot would call this "pie in the sky" argumentation. And it's just the kind of thing that hinders the open source movement. More so than graphics or limited apps or even setup/average user issues, the climate fostered by those who try to use weak, unproved theorems as postulates undermines the foundation of open source.

    Icing's question of a double standard is moot. If someone breaks into your house, is it your fault that you didn't install just the right kind of alarm that would deter that criminal? Don't lose sight of who is malevolent.
  • YEs, but in the latter case, people will still get upset at the gun manufacturer. Correct me if I'm wrong, but I believe there have been lawsuits about that. Even if not, the idea has prompted gunmakers to add extra safety features.
  • It's important to note the fact that microsoft is a corporation and most open source developers are individuals, and there aren't many developers that have formed oprn-source based corporations, relatively speaking.

    When you speak of liability I assume you mean money. If microsoft is held liable for whatever they have done, generally the only penalty would be monetary, at worst they might be broken up.

    Since microsoft (and most corporations) are pretty big, the penalties don't do all that much damage. It is extremely rare for a government body to come out and say "you have been found guilty, your company will cease to exist, your assets will be liquidated."

    When we get to individuals, however, monetary damages can seriously impede your ability to do anything, such as programming, and often times people are thrown in jail (fraud, malpractice, whatever). Bill gates is most certainly not going to do jail time, even if it were proven his company has broken numerous laws with him knowing it. When you have a number of individuals developing a certain product open source style, with no business relationship, who would be held liable anyway? Try to single out who wrote the offending lines of code? It's not that simple and our law system doesn't cover this very well to my knowledge.

    Is there much software out there that has a warantee anyway? I haven't seen basically accept it "as is" as far as I know.

    Anyway, I think the bottom line is that open source software is much, much more accountable to begin with than microsoft will ever be for plainly obvious reasons: it's simple to determine whats causing the problem.
  • if i crack someones computer using a bug in micro$ products, then who is to blame??
  • ... at this time, they have other issues to worry about when they choose their software (other than small print in licenses). If there were competing products equivalent to MS's, but with a more user-friendly EULA and even with a slightly higher price, I'm sure that most people would choose those instead (as long as they knew about the differences).
  • As for the issue at hand, I don't think anyone, even Microsoft, should be held responsible for such bugs. Cmon, all programs are going to have problems; just because one of the bugs happens to have more risky consequences doesn't mean that it is any worse than a bug that is relatively harmless. It shouldn't be concidered "negligence" - it should be expected by users of the program.

    This is an overly-broad generalization. A bug that trashes your computer's hard drive is one thing, but a bug that kills is another thing altogether. (Yes, there have been software errors that have ended up causing severe injury--and even death. Computer-controlled medical devices come to mind as an example; ml [] is a paper I wrote a few years back regarding such problems.) Is a bug that kills really no worse than one that merely inconveniences people? I think not.

  • To repeat myself, desktop and server software does not put life & limb at risk. Embedded software might.

    Further, unless and until life or limb is endangered, then there's nothing to hold Microsoft accountable for. Consider the voluntary recalls many, many companies issue to correct design flaws that they discover before anyone is injured. Similarly, if Microsoft were to issue a Service Pack and notify all registered users of that software before anyone is injured, then there'd be nothing to hold them accountable for.
    Christopher A. Bohn

  • You can be held liable for whatever you promise, which is why most open source software has a clause something like:
    >> This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

    If you read the EULA from Microsoft, I'm pretty sure that they have a similar clause, much to most people's surprise. Then what are you actually paying for, you might ask. Well, that's the good question ;)

    The car-makers have a responsibility of making cars *reasonably* safe, according to government regulations. They are not required to stop your kids from driving into brick walls using your car. They are however required to make sure your car doesn't fall apart or stops breaking when you want it to etc.

    There are no such rules (yet) for software. The vendors make the rules, and the vast majority of customers/consumers simply neglect this fact and *expect* that there is some sort of reasonable agreement behind it all, just like when they bought their car.

    Open source licences are usually very cautios to ``warn'' people of the possible dangers that lie ahead when using the software. And some people may even pay attention because ``there's gotta be a catch with gratis software after all''. I think this is a pretty good way to handle things.

    There could be some sort of either regulations or at least some rule that software vendors should state LOUD AND CLEAR what they promise and what they don't. Pretty much like the warning messages on cigarette boxes :) This would probably not change the promises or the software, but it would make the general public aware of the lack of promises they actually get from spending huge cash on closed source software.

  • Wrong!

    I wonder what would happen if I scrambled critical data concerning your life around.

    "Gee Mr. Bohn," says the nice lady behind the counter, "Our systems shows that you are overdue on your student loan payments. Guess you can't have that nice car or house or engagment ring."

    "Mr. Bohn, due to the lack of poor grades, police record, and drug abuse, we do not want you working for the XYZ company."

    "The arrest warrent says the address is 123 Main and the crook is armed and dangerous and a cop killer." (The felon actual lives at 123 Maine, but hey, due to a error, you don't care, you are dead.)

    Bad data can kill. Think before you type.
  • To my mind the difference is clear. When I buy a thousand-package CD set from SuSE for GBP25.00 I know I'm not getting any guarantees. Only an idiot would expect there to be any at such a price. Caveat Emptor.

    But when I have to fork out GBP140.00 for just one CD of Win98SE without any applications I damn well expect the thing to work. When it doesn't (even after spending a fortune online to download dozens of megabytes of official updates) I think I'm quite justified in feeling ripped off. Just look at the EULA for Christ's sake. According to them we have no rights of redress at all! We're all being shafted up the ass big time and we must be stupid to let it happen.

    Microsoft have got it coming to them all right.

    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • I'm not disputing that there is an apparent double standard but the problems with macro viruses aren't due to bugs. The problems are caused by "features". Features of dubious value which were implemented with disregard for security.

    To make a car analogy.....

    Rear hatch on early Chysler minivan. Bug...
    latch was poorly designed

    Suicide doors on 62 Lincoln.... Feature...
    Meant to look good but an inherently unsafe design.

    The latch on the minivan can be modified to perform as expected
    No matter what you do to a suicide doors (short of welding them shut) they are unsafe.

    err.. In case anybody is too young to know, suicide doors open backwards
  • And for a good reason - the situation is different. MS can afford to do this sort of thing because Microsoft is a monopoly. Let's imagine for a second that qmail developers get really lazy or reckless and allow several scandalous security bugs to creep in their release. What happens next? I will switch to exim or sendmail or something else - and you will, too. This is not really a question of Open Source vs Closed Source, and I think guarantees and responsibility for your product are not important. If there's healthy competition, these issues are solved implicitly.
  • It's about the car being manufactured with an engine that self destructs and the hood welded shut. It's about the driver getting injured if some wiseguy puts a brick in the road with a hat on top of it. It's about being obliged to take the car to a Microsoft service center for any repairs, because nobody else can get any parts. (What do you do if your car breaks down in the middle of nowhere?) There are so many other parallels. Can't steer if the power steering goes out. Can't brake if the power brakes go out. When you blow a fuse the locks and windows won't work. You have to pay extra for more than one passenger at a time. As you drive along, more and more inexplicable grinding noises accumulate. And you have to do a full overhaul to get rid of them.

    Hmm, there's probably more?
  • Here's what I think - If I paid someone for something - I expect it to work - otherwise its their problem - whether they coded it or just packaged it.

    As you mentioned Redhat charges for packaging. Since they are charging for it - its their responsibilty to make sure that what they put in their distro works before they package it.

    As someone mentioned previously here the incentive for RedHat is to package it in such a way that for the product not to work - so that they can start charging for support to make the product work.

    On the other hand I downloaded RH 6.1 - tried to install it - the install exceptioned out because whoever coded the install decided that after doing partitioning they just continue without rebooting. (Maybe its what RH wants - if the default config does not work - buy support and we will fix it for ya).
    If I had paid for that I would have been terribily upset - but since it was free download I downloaded Linux-Mandrake - it recognized the partition prob - made me reboot the system and the install worked.

    So my point is - if you pay for something - it better be something that works - or whoever is making money off it should be in serious trouble - whether it is Microsoft's proprietery s/w or RedHat's Open Source software.

    Yeah - I know its bit harsh - blaming redhat for a bug in gcc because they packaged it - but rewards come only at a certain risk - and the money that they expect to make out of selling open source be better used to make sure that open source that they are selling really works.

    And it may not even fit into the current paradigm of Open Source developemnt - but world is changing and someone should be their to accept responsibility for a bug/problem - because it is no longer a hobby-ist's OS but when businesses get into it they expect someone to take responsibilty for what they are paying big bucks for.


  • For me, the responsibility comes more from the system administrator or even the individual who chooses a non-safe {OS - Server app - Client app} than from the software designer, open source or not.

    IMO, the software designer can sell or distribute, freely or not, any program, even if it is full of security holes. The license of any program (commercial AND GPL'd) has a clause which says that the software designer is not accountable for bugs their application may contain. That's really the job of a good system administrator to secure its system and to choose the right solution. That's a matter of choice and these clauses in MS EULA-like licenses protecting the software designer against legal attacks seem a Good Thing (TM) to me.

    Of course, theses views apply less easily to the home user, but the user who don't protect himself against macroviruses or security holes in his mail client is responsible from his own negligence. There is enough talk about Melissa & others in the mainstream press for the average user to know theses problems.

    Don't ever forget that the perfect, bug free, 100% secure software is a myth. Legal actions against software designers have no real effect against big software vendors, but would hurt little companies/individuals, resulting in less choice, since only big companies would be able to "take the risk" to publish software ! It must be harder to write software with the constant fear of a legal action if you make a mistake somewhere in your code.

    With my reasoning, no double standard problem : the system administrator / the user is the first person to be accountable for his poor choices.

    Just my thoughts,

  • You cannot examine the code on closed source software to make sure it is suitable to your purpose before executing it. With OSS, you can... at least theoretically. Of course it is arguably impossible to fully check out source for large programs (any linux distro, for example). You could check key areas that worry you though. This absolves OSS authours from lawsuits (IMO), but not closed source vendors.
  • One of the biggest conditions applied to liability issues in any product is intended use. You can't, for example, sue a knife manufacturer because you got stabbed by one, whether you did it, or someone else did.

    That being said, what is the intended use of a general purpose operating system (as opposed to specific systems, such as life support systems)? No-one that I have seen will argue, for example, that Windows 98 is secure, or is even intended to be secure. Linux and NT are quite a bit more secure, and it is usually these that are placed in an environment where security is an intended goal.

    However, a knife (or car, etc), are devices with a well defined, specific purpose, and the same cannot be said of operating systems, by and large. The intended purpose of any particular OS installation is entirely dependent on what it is trying to do, eg. be a webserver, transaction database, etc. Since it is quite possible for a badly behaved application to compromise even a very good operating system, you are then faced with choosing who to hold responsible for any failure, the OS vendor, or the app vendor (if they differ).

    Admittedly, the better the OS, the less likely is the above scenario, but the only really secure system is a secure SYSTEM, in other words, if any part of the system is insecure, the entire system can be considered to be insecure, by extension.

    Assuming that we allow the establishment of responsibility on the part of the vendor for security issues, one of the telling parameters that is involved is that of forseeability, or was the compromise that occured one that could have been reasonably forseen, and guarded against before the fact. And we haven't even addressed the issue of bugs.

    Due diligence doesn't mean that the product must be perfect, it means that the manufacturer is required to make a reasonable effort to prevent, and / or correct, any issue that might arise. To use the Melissa virus as an example, it is not necessarily MS's fault that such an exploit can be made in the first place, but they could be reasonable held accountable if they failed to address this issue after the fact. I would also say that the same applies to Open Source products as well. It is disingenuous to apply a double standard, if MS can be held accountable, so can Open Source, and vice versa.

    Notwithstanding the fact that both MS's EULA, and the GPL both contain warranty disclaimers, it is also true that such disclaimers are not protection against negligence or failure to exercise due diligence.

    The above diatribe aside, when it comes down to the crunch, it is my belief that the architects/administrators of the system should be responsible for security issues on their system. And this is where OSS really works best, it places in the architects hands the ability to fully scrutinize the particulars of the system they create, and provides them with the greatest amount of control over the operation of the system. If the system architect chooses a closed system, they still must be responsible, since they CHOSE the system they provide.

  • If you use Micro$oft code as a basis for your product, and your product doesn't work (because of Micro$oft code) and you are sued, here's a clause:

    (c) indemnify, hold harmless, and defend Microsoft from and against any claims or lawsuits, including attorney's fees, that arise or result from the distribution of the Redistributable Component

    Think it can't happen? Anytime there is a loss, the lawyers take a shotgun approach. Sue EVERYONE who was involved. That means you, the software developer, Micro$oft, etc la.

    We humans CAN make error free software. We have missles that fly through the air, make tight corners, fly through windows and blow up. As opposed to software that is on windows that just blow up. Yet, the 'market' won't 'buy' software that is bug-free. Personally, I believe the market won't buy it because it hasn't been convinced to buy it.

    The second problem is software doesn't match the assembly-line mass production model, more of an artist crafting a work. So the relability we have come to expect of mass producted items *koff koff* doesn't apply to the software world.

    And until we move beyond the lone artist and more assembly line, we will have bug-ridden large software releases.

    Who's to blame for the 'virus'? I can say its not me. I don't buy M$, and don't write viruses.

    The consumers (for buying insecure software), the writers of the insecure software, and the virus writers are all able to take the blame.

    As OpenSource delivers what M$ (and others) can't, the consumers will make the demands of good software, M$ will have to deliver or die.
  • Another car analogy but this time nobody gets hurt.

    1981 Caddy Eldorado with v6. These cars ping.
    It is well documented that there is nothing you can do about it
    This was an expensive car that has driveability problems. Got tons of bells and whistles but the only thing you can do when it's pinging (which can burn a hole in a piston, not a cheap repair) is turn the radio up. That or put in a different motor (also not cheap).

    Let's face it, there is no such thing as a good analogy
    but to nitpick because nobody dies from macro viruses
    is delusional.
  • Mr. Perens has (as usual) an apt comment. Disclaimers:
    1) IANAL
    2) I am not directly associated with Open Source Software.

    The concept of due diligence is hyper important. In fact, a finding of negligence is essentially a finding that due diligence was not performed.

    What I have seen of Open Source indicates that the people who work on it are extremely "diligent" where bugs of all kinds, not just security bugs, are concerned. When one is reported, generally someone gets after it right away, to (1) confirm it's there (2) figure out what a fix should be and (3) fix it. This is an historical pattern, I believe, and could be substantiated by lots of testimony.

    Note that the Law doesn't require that the bugs actually be fixed, or that the fix be better than the bug was. Due diligence simply means that all reasonable methods were used to conclude what the problem was and how it might be fixed, and to fix it if it seemed warranted.

    Note that in the Pinto and GM Truck cases mentioned above, due diligence broke down -- the companies involved concluded that the problem existed, but that it wasn't economically justifiable to fix it, that is, the necessary fix would cost so much that it wasn't worth it. The Court, in general, is hostile to this view, to say the least.

    There's also the matter of 'deep pockets' and political correctness. Even with all the malicious hacker stories in the press, you still wouldn't get very many lawyers willing to sue some 26-year-old nerd for negligence in fixing a software bug; defense lawyer starts telling sob stories, and it's likely to turn the whole thing around -- plus, how much are you likely to get? An Open Source programmer isn't likely to have much. Companies like Red Hat theoretically have money, although most of it's virtual, Stock Market valuations that probably couldn't be realized. With BMW payments to make, how many will chance it? Microsoft on the other hand is known to have a pile of real cash, easily converted to your Actual Folding -- just what a plaintiff's lawyer likes to see.

    So no, I can't see open source being in much danger from negligence suits for software bugs. It isn't an attractive target for such suits, and a fairly strong defense is on hand. Bill & Steve might should sweat it.

  • Lets break the analogy down... OSS vs Car Manufacturing OSS code = blueprints for a car OSS bin = manufactured car

    if you compile a program and distribute it, i say, you should be responcible for it, if you distribute the source code and someone else compiles it, they should be responcible.

    Altho, car manufacturing plants arent usually redily available to the general public to 'compile' car designs, so, this analogy might not even hold up here.

  • Yes - it would make perfect sense - if we assume that all the users of Linux are going to be kernel hackers or hobby-ists who spent half their time exploring the OpenSource code for the OS and all the applications that they run. But if the users were just this small group RHAT shares would be selling for less than pennies. But once when this starts to be a mainstream application / s/w / OS - can we expect each company who decides to use Linux (and are paying big bucks to companies like RedHat - to make sure that they get something that really works - better than what they were using before) to go into the source code and make sure that it does not have any bugs.

    So someone should start taking some responsibilty. If someone wants to make some easy money out of this OpenSource they better understand that along with just putting everything on a CD and charging low distribution costs of 40/50 bucks they better make sure that they work properly too.

  • Personally, i don't think MS, or any software publisher, should take the blame for something like a virus.

    Do we blame the carmakers for making unsafe cars when somebody plants a bomb on it?
    Or do we sue the people who make windows when a brick comes flying through and hits us in the eye?

    No, of course not!! It's not MS's fault....
  • The main difference is that most Open Source contributers are individuals and could not fork over the winnings of a major award. Many are poor (students!) and are spread across many countries; companies are insured and have assets.

    Big Rich Company licence: "We are *not* liable."
    GPL: "We are *not* liable."

    Lawyers know where the gold is. Which will they widdle away at?

    RedHat might worry, but the rest of us are safe.
  • Microsoft is the scapegoat of the computer industry. Every problem which occurs in the industry is blamed on Microsoft, if the company was involved in any means at all; if there is a problem which does not involve Microsoft, it will be ignored by the media. Practically every element of the media, from the most non-technical columinst in the daily newspaper, to the editor of the most elite technical consultant publication, rats on Microsoft, and only Microsoft, continuously.

    It is not an issue of open source vs. closed source. It is an issue of Microsoft vs. non-Microsoft. Companies such as Sun, Oracle, Apple, and IBM are primarily closed source, but are 100% immune to blame.

    Blaming the Melissa virus on Microsoft was just an example of Microsoft as the scapegoat. Much more serious security problems have occurred in the past which should have been blamed on the appropriate vendor (e.g. the internet worm). However, since these didn't fit into the media's convenient definition of who is to blame for every problem in the industry, they received little press, and were blamed on "hackers", instead of the irresponsible vendors.

    A prime example the media using Microsoft as a scapegoat was yesterday's Hotmail outage. Here, the problem was blamed on Microsoft since it owns Hotmail. The fact that the Hotmail servers run Unix was ignored. Had Hotmail been run by another company, but used Microsoft servers, the problem would again have been blamed on Microsoft, absolutely regardless of who really was to blame.

    An excellent example of a problem being ignored because Microsoft wasn't involved is eBay's continuing problems with Solaris. eBay's market capitalization has dropped by literally several billion dollars because of outages which were caused by bugs in the Solaris operating system. However, this is never brought up in the media, because Sun is considered a holy company by the media, and the perception is that no problem could POSSIBLY ever be Sun's fault. (Ironically, since eBay uses Microsoft products as the front end for its servers, Microsoft received blame very early when the problem first appeared -- though the critics quickly shut up when they realized that in fact Sun was to blame and the Microsoft products were chugging along nicely. Note that they didn't switch to blaming Sun, they merely stopped blaming Microsoft.)

    An extreme example of Microsoft as the scapegoat has been Judge Jackson's ruling that failed products such as Netscape Navigator and OS/2 all owe their failure to Microsoft. It is now commonly thought by many people that ANY product which fails in the marketplace owes its failure to Microsoft, and not lack of marketing, lack of quality, etc.

    So, no, open source software will never receive blame if it fails or has technology flaws. At least not now. The media is having a field day blaming Microsoft. If ten years down the line, open source becomes the standard, then it will likely begin receiving the blame, as the media seems to be only pick on whatever is popular.
  • Windows has many problems but with litte work, a lot can be patched up. This goes with most operating systems. I think the general public doens't have that many problems with windows being "unsafe". People do stupid things then blame the software. I think the software is very safe and over many many years of using each version, I, and many people I know, have not had a single problem with unsafe software. Is this all MS's doing? No, i think it's being half intelligent and using the software the way it should be. I know for a fact I'm not a exception. There are many examples of people not making a safe product, I think people like to go on witch hunts, and MS has recieved the brunt of this.
  • I appreciate your willingness to accept responsibilit for all of mankind. When they mention the cliched statement that "someone is sued every 2 minutes in this country", we will know they are talking about cheese63.

    Where were you when cheese63 took responsibility?

  • desktop and server software does not put life & limb at risk

    Oh, I don't know. I have only so many MacOS crashes left before I take that G3 box and fling it through the window and when I do, your life and limbs better not be on the pavement 4 stories below :-)

  • Just remember that no major EULA has been tested in court, except under piracy circumstances. And, piracy falls under copyright law. So, most of the clauses of EULAs have not yet been shown to be upheld in court.
  • The only problem is the consumer doesn't know what they are getting, even if it's open source. How many people even know how to program? Exactly, so they trust the OSS developer to deliver the product promised. So I say Open Source companies should be held liable, for the 99% of the population who can't program.
  • Yes, this is a double standard. Let's examine why.

    First, the Melissa virus is possible due to the dominance of one specific piece of software on the average users desktop. The only open source equivalent to this kind of dominance -- that I know of -- is sendmail. It is not the same for a variety of reasons, but let's continue on for the sake of discussion.

    Compare the closest open source equivalent "virus" -- again, that I know of -- that happened with sendmail [] to the Melissa-Macro Virus []. You will notice two interesting things. First, the CERT advisory for Melissa states: "This macro virus is not known to exploit any new vulnerabilities." Second, note the options they give for correction: block the mail, utilize virus scanners, and encourage users to disable Word macros. The free software solution would be to fix the problem at the source -- pun intended. In a free software environment the option to: fix the problem, is available whereas in a closed source solution it is not. You have to wait for company X to fix the problem for you, and in the mean time, get by with blocking, anti-virii programs and the like. Since this problem is not new and any user that buys Microsoft products has to wait for them to deign to fix it, it would seem that there is a powerful argument for some culpability on Microsoft's part.

    There are of course the issues that other people have mentioned here: no warranty, free software is not a "product" sold by a business (let us remember companies like Red Hat make money off the service not the CD), etc. However, I think this is the central point. They have different standards because they are not analagous. You are not comparing like things.

    Or to put it another way: Sure, a "thief" is responsible for his own actions. However, if I entrust the security of my home to some company, it seems quite reasonable to say that if someone steals something because that company left my door open, the company is also at fault.

    For free software, you use it with the understanding that you are not entrusting anything to anyone so the same standard does not apply.


  • I don't think the situations are directly comparable. Microsoft pays people a lot of money to make sure a lot of folks buy their software. Given that they are paying money for it, and were talked into paying money for it, there is an implication they will get value for their money --i.e. the software will behave as claimed by the sales people.

    Open source is quite a bit different. Until recently there was hardly any sales or marketing and there is still very little. People who use open source usually seek it out on their own. And they do not exchange anything for it's use. They make agreements about redistribution, but not use.

    It seems to me, not being a lawyer, that there is an implied contract in the Microsoft case that isn't present in the open source case, and that this lack might hinder an attempt to hold an open source project responsible for damages consequent to use.
  • I'm having some difficulty understanding the distinction. All I know is, it keeps locking up, crashing, going to sleep and then refusing to wake up, or refusing to let me log off or shut it down. And I've had to reinstall the damn thing more than a dozen times in the three months or so I've had it. You call that working? I don't. It's a crock. It's cost me thousands of pounds in lost productivity. And I don't consider an admonition that I should have bought NT to be a sufficient defence. If they're going to sell Win98SE and charge GBP140.00 for it I think we've a right to expect it to work without significant problems let alone hourly disasters.

    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • With Open Source software, there is typically no warranty as to the quality or fitness for a particular purpose. But that's OK because the user is not required to pay for the product and is permitted to inspect it and modify it should the quality or suitability be lacking.

    The GNU license permits a seller (who is not necessarily the developer) to offer warranty protection. Which means that if you want someone to blame, you just have to find someone who is willing to sell such warranty protection for a given product.

    The Microsoft model doesn't permit the user to inspect the software and make improvements. Nor does it create business model for third party vendors. What I mean is, you could sell warrany protection for Microsoft software but you would be crazy to do so, not having any power to actually resolve an emerging issue.

    In other words, there is fairness in the Open Source world. I'm not going to guarantee that this program works, but neither will I twist your arm with a draconian license that doesn't permit copying, withhold the source code from you and charge you good money. If you are going to pay money to me, then, unlike say Microsoft, I'm going to stand behind the software.
  • by coyote-san ( 38515 ) on Sunday December 26, 1999 @05:57PM (#1443664)
    Much of the "double standard" you refer to are due to the profound differences in the way each group operates.

    All proprietary software vendors operate with the implicit (or not so implicit) assumption that They Know Best. They may give lip service to serving the customer's needs, but when push comes to shove they (or in a few cases, a client with a very thick wallet) decide what is done, how it is done, how long it is supported, etc. Because the customer can't look after his own interests, the company is required to assume some measure of responsibility for doing it on the customer's behalf.

    In contrast, all open source projects operate on the assumption that the Customer Knows Best. We hope that our code solves the problem as-is, but we embrace customers who are willing and able to modify the source to fit their needs exactly. In general, all we ask in return is feedback (in the form of modified source code) so that we can drift the main source tree towards the customer's requirements, if there's general consensus that the changes are improvements. Not every customer is competent to judge whether the open source project poses an acceptable risk, of course, but they *can* take a hint from the fact that other customers can and do provide updates to the source code.

    Besides the staggering difference between these two ideals (and what it appears to do to the psychological profile of each camp), there's a fundamental difference in terms of the law. A proprietary software vendor can, and is expected to, maintain exclusive access to the software. This incurs a significant legal obligation since they, alone, can modify it. In contrast, an open software vendor not only does not maintain exclusive access to the software, he can't force the people downstream to use the latest version of the software or to retain changes made for the purpose of minimizing risk. Meta-legally, you can only be held responsible for acts you control. (That's why many people are *deeply* troubled by the laws that criminally punish parents for the acts of their minor children.)

    Finally, it is worth noting that the courts can (and IIRC occasionally *do*) negate the "disclaimer of liability" statements found in shrinkwrap and open licenses.
  • Well, before I purchased an appliance recently I checked out reviews of it in Consumer Reports and elsewhere. That doesn't make me a washer-drier expert. The point here is that if there is a publicly known problem with a piece of software, you can probably find out about that easily and it's going to be hard to claim ignorance in court later. With disclosed source-code or true Open Source the details are out there where people can see them and it's more likely a problem will be publicly known.

    People who want to provide warranties should be allowed to provide them, for a fee. If everyone has to provide warranties, it is going to drive costs up for applications where warranties are neither desired nor necessary.



  • To me, the issue isn't that MS is the bad guy and OSS is the good guy, but rather the response to safety and security "issues".

    I think that due diligence for software faults lies in a) acknowledging problems when they occur, b) fixing them rapidly, or if not possible, at least suggesting a workaround, and c) releasing the fixes or workarounds to the customer as quickly and publically as possible.

    Open Source Software has a tendancy to do all of these reasonably well. More and more, OSS projects are having publically accessible bug tracking databases, reasonably fast turnaround for security bugs, and a fast enough release cycle (esp. for patches) to fix most security bugs rapidly.

    With things like BUGTRAQ, CERT, and other mailinglists and security-advisory sources, most Unix-based systems (Linux, *BSD, Solaris, HP-UX, etc) are fairly good at reacting quickly to a known problem -- the RTM Worm woke them up to the foibles of ignoring security issues -- and they do do a decent job of alerting their customers.

    Microsoft isn't entirely negligent -- a quick scan of BUGTRAQ showed a lot of MS-related security bugs, and many of them had MS patches. I think where MS fails is making those patches known to the public.

    Another possible pitfall for liability is negligent design -- designing something that should be obvious is a problem. From a "real world" security standpoint, this would be like putting a dimestore lock on a bank vault.

    This is where I think that fundamental differences between OSS and MS come to the foreground. A very large percentage of OSS software is designed to run on Unix-like systems, where underlying OS security issues have been considered, studied, and beaten on for nearly 30 years. It's very hard to accidentally code a general system exploit for a program designed to be run as a user. And if an exploit is discovered on purpose, it's a bug in the OS, and is treated as such. Among other things, this creates -some- inherent resistance to viruses. Unix security is generally good, but not perfect. Unix has a reasonably high-quality lock on the bank vault.

    On the otherhand, MS Win95/98 isn't really designed with security in mind. At a fundamental level, the OS is open to any meddling that any program wants to do. On top of that, MS has added "features" that become reasonably trivial to exploit to creat security issues -- MS Word macros, ActiveX controls, etc.

    For years, security experts have been telling people that the "Good Times" virus is a hoax -- that you can't get a virus from just reading an email, you have to run a program to do it. MS managed through their "features" and "enhancements" to make "Good Times" possible.

    It's like MS, not content with putting a dimestore lock on the bank-vault, decided to put a plate-glass window on the vault so people could see their money from the sidewalk!

    I don't think I have a double standard with regard to negligence, but I think that, in general, OSS software tends to meet my standards more than MS does.
  • A prime (poor) example the media using Microsoft as a scapegoat was yesterday's Hotmail outage.

    As you will be reading in the news in the next few days, Hotmail was down because went down ( is used to authenticate users). went down because (listen carefully) microsoft was late paying the $35.00 domain registration fee to Network Solutions Inc. and NSI removed the IP from the DNS. Even the big guys have to pay there bills.

    We're not ragging on ms. They due a good enough job of triping on there own feet(read:msbob). We're just around to point it out when they do.

  • Well, let's take another example. I buy a package of Kodak film, and I spend $100,000 to hire models and do a location photo shoot. The film turns out to be no good and I lose all of the work I spent $100,000 for. Should Kodak be liable for that?

    Take a look at the Kodak box, any Kodak box made in the last 30 years or more, and you'll see they are not liable for more than replacement of the blank film. And that makes sense to me. If I want that kind of insurance, I'll buy it when I need it.

    This doesn't mean that wouldn't do my best to fix bugs and protect the users. That's the attitude that is important to getting mainstream customers, and that's what Linux distributions should be doing to the software they distribute - and for the most part they are. Certainly Debian has fixed 50K bugs in the lifetime of its bug system, no doubt the others do something similar.



  • It's possible to have a powerful macro language that also has a good security model. Microsoft failed in it's due dilgence by ignoring security rules that have been observed in computer science for decades when they made the decision to deploy VB into an application it wasn't designed for.
  • If I sell you a bill of goods but don't misrepresent it - and give you opportunity to validate my claims - well buyer beware.

    That is counted as your stupidity.

    If I sell you a bill of goods but I did misrepresent it and you really had no chance to validate my claims - you have me to rights.

    That is counted as my taking advantage of you.

    OSS is no different than selling used cars. I can sell a used car without telling you about some problems and it is your problem if you buy it from me. What? You are not competent to identify those problems? Sorry - that is why you have the right to get the car inspected by an independent mechanic or to bring in a friend. If you didn't do that, that is your problem.

    So whether or not you have the skills to evaluate software, you can hire someone with said skills, so failure to do so is your problem, not mine.

  • You gain the right to redistribute my software.

    I gain the guarantee that my wishes are respected regarding the distribution of my works.

    Read the GPL closely, you don't need to agree to it to use the software, only to distribute it. In other words it isn't the act of downloading that is the point of agreement, it is the point of putting it on your ftp site.

  • What is this word "consumer" you use... the whole point of GPL and other such licenses is freeness. If software is free you're not buying it. And 99.9% of computer usage is not quite as important as a life, which could be put at stake by this loose seatbelt. The other 0.1% generally writes their own software. The writers of those pieces of software are always held accountable, they lose their jobs if their software fails.

  • Don't you ever get the urge to tell the license lawyers to stop shouting? ;)
  • by Sloppy ( 14984 ) on Sunday December 26, 1999 @07:23PM (#1443720) Homepage Journal

    Damn straight! When someone buys Microsoft products, they know what they are getting into. All this whining about Microsoft products executing arbitrary code sent to them has been going on for years. When these products first came out, it was Microsoft's fault. But it's old news now. If you buy a known defective product with the expectation that when (not if, but when) it blows up, you can just sue the maker, then you are the negligent one. These products all come with a warning label in huge letters: the Microsoft trademark. How can a person possibly pretend they were ignorant of the danger?

    I bet more people know about Microsoft these days than even the Ford Pinto.

    The best way to improve software quality is for people to start taking responsibility for their decisions. If you buy an Internet product for your company from Microsoft -- a company with an established reputation and a known and consistent track record of repeatedly making horribly defective product after horribly defective product -- then you should get fired. It's as simple as that.

    For people to keep blaming their problems on Microsoft is immoral. It's 1999 and if you're still using Microsoft products, then you deserve what's coming to you.

    It's like you buy a '74 Ford Pinto, and it blows up and kills your son. That's bad, and it shouldn't have happened. You go to the pub to drown your sorrows in beer, and everyone else is also talking about how their Pintos also blew up and killed a loved one. Then you buy another Pinto. It blows up and kills your daughter. You buy another one, and it blows up and kills your wife. Who is your wife's ghost going to haunt: Ford, or you?

  • I think it should all come down to whether the software was guaranteed or not. If software is sold as "Super-Secure Server" and there's a thing in it that says "May not actually be secure and probably isn't" then i dunno it gets confusing and these things should be decided on a case-by-case deal. Let's say software says it will do something and there's a line in the license that says "Not guaranteed to serve a particular purpose" then that line isn't really valid is it because there's somewhere else (whether it's in the license or not) that says it does such and such. Of course if it doesn't do such and such, you should be able to sue for the price of the software. Back to case-by-case, that's how it should be. I could see a situation where someone is learning to program and puts a program up that says "OK I'm trying to get it to do such and such and it works for me and you can try it if you want" then that's not a guarantee. A license shouldn't be able to contradict itself. That's that. Whoa you read my rant! :-)

  • Disclosed source-code, however, sounds so ugly. Open is such a pretty, pleasing pair of syllables, so fitting to name a company with....

    Not being Mr. Perens, I can't say for sure, but it seems to me that he used "Disclosed source-code" rather than "Open Source ode" purposely, since there is a difference between the two. His arguments apply to any situation in which the source code has been disclosed. This source code, however, is not necessarily "Open Source." For example, code licensed under the SCSL (Sun's not-quite-Free license) is disclosed to the user, but not Open.
  • I use disclosed source-code to refer to all situations where source is available without reference to licensing. That means source available with a no modification permitted license, or with Sun SCSL, or with GNU GPL.

    Sometimes it makes sense to talk about that without licensing coming in to the picture.

    You are correct that all cases of non-disclosed source code are probably proprietary. But my argument didn't rest on the license being compliant with the Open Source Definition, so there was no point in bringing Free/Proprietary into it.

    I hope that makes it easier to understand.



  • Difference: A combination lock claims security. Microsoft win98 doesn't.

  • It isn't negligence if you don't fix it instantly. If you have time and opportunity to fix it and you do not, that is what makes it negligence. Otherwise, it's simple liability (which we also disclaim).

    In the U.S. I think negligence gets you triple damages in a lawsuit, while simple liability gets you just damages, but IANAL and it's no doubt more complicated than that.



  • Wait: here's another analogy :-). I create software that makes my toaster work better. My friends all say "Great, can I have a copy" and I decide to GPL it and put it on my public ftp server. I nolonger use my new toaster software, when I discover a proprietary product that I like better. I take it off of my ftp server, but it's still other people's ftp servers because it was gpl'd. People continue to use my toaster software because it's nifty and they don't want to have to pay extra on their toasters. It turns out there's a bug in my toaster software that makes one out of every 1,000,000 toasters explode. There is no way I could've known about the bug beforehand, as I stopped development. There is now no way I could patch it, as I'm no longer the source for my popular toaster software... it's all over and no one looks at my ftp site anymore now that it doesn't have the toaster software. Even if I released a patched version, which i wouldn't because I'm no longer the developer, no one would use it... all the ftp sites have the buggy version. So toasters keep exploding, but I can't be liable. Someone point out any flaws in my logic please.

  • Hm. Not touching your argument, what filesystems were on disk 2? I did this to a Linux disk once. I wrote a short hack to scan the disk looking for ext2 superblocks (they have a magic number), and then dumped the data from them to recover the partition information. Since ext2 stores redundant superblocks, a kernel hacker like yourself should be able to recover the system if the data is still there at all.


  • Problem: let's say my software is over 1 gig (like many OS's). No one wants to download it, so I sell it for a nominal fee, maybe $4 for the 2 cd's. I think a proportion needs to be made between the amount of profit made by selling software/the amount of damages caused by said software. Coming up with such a proportion would be difficult if not imposibble though.

  • by jabber ( 13196 ) on Sunday December 26, 1999 @08:21PM (#1443763) Homepage
    I don't know if this is redundant, but...

    The main differences between open source and commercial software on this matter is cost and claims. Lets look at a few points:
    • M$ makes claims about the security of NT. They shout from a mountain top that NT is C2 compliant, and that higher security can only be achieved by disabling the networking features. (I worked at a software store when NT first came out. I wish I still had access to some of the 'sales point memos' that we got to help us sell NT.)

    • M$ charges money for NT, and you presume that you're paying money for that security. After all, these are the advertised features of the product that you're paying for, right? Maybe there's a legal loophole to jump through in there somewhere (EULA?), but it seems pretty common-sense to me.

    • M$ then fails to deliver on those marketting claims. What's more, M$ tactics 'require' that you buy new versions of software, which sidestep whatever security is in NT to begin with. (Word, Outlook - these products open up security holes you could drive a truck thru).

    • For the OS bugs, M$ releases 'get-it-yourself' patches, or better still charges more money for the features you thought you paid for in the first place. And, M$ will not support the application induced flaws, because they're not part of the OS service contract.

    It's akin to claiming to make an impenetrable door. Selling the customer a version with a doggie-door and plastic hinges instead. Then strong-arming the contractor into installing it with built-in plate-glass Windows. Then charging the customer for shutters, metal hinges and, oh yeah, a lock.

    Linux is the alternative. It's free, and everyone knows (and keeps repeating) that it's written by the community. The quality disclaimer is implicit - it's written for fun, in spare time, by people who know (and love) what they're doing. You can look inside the door jambs and see how reinforced it is. You can put in a steel plate if you want - and there's plenty of people willing to tell you, and help you, get it done. For free.

    Not only are you able to do this, but you are encouraged to do this. And, if security matters to you, you are given the means to take responsibility for the security of your system. This way, the responsibility is divided. You can check that the developer did his job, and if not, or if your needs differ enough to make it a special case, then you can remedy the situation.

    With closed software, you are not given the choice of taking responsibility. Logically then, the full responsibility rests squarely on the shouders of the people who made the product.

    If you don't like Linux, you can go out back, drag home one of the reinforced BSD doors, and hoist it into place youself. The cost? Your time.

    The cost of securing an OS, be it from a big closed-source shop or from some freak in a Bazaar, is time. In the case of the former it's also money. And you don't get to see why it needs securing in the first place so you end up guessing or taking a priest at his word.

    In the case of the latter, you can pore over the code to find the flaw, fix it and take it back to the freak. He won't give you money for your efforts, but he'll give your suggestion to his freaky friends for review - and you might get a free beer out of it.

    -- Did anyone notice that the latest security innovation in NT2k is Kerberos security?
  • In addition to Bruce's comment about the code being open, I think it's important that the process is (usually) open too.

    A typical closed source product gets developed behind closed doors and then unleashed on the public - we don't really know how decisions were made about what problems to fix. It's easy to imagine (even if it's not true) that people behind closed doors might conspire to conceal problems rather than fixing them.

    An Open Source project typically has a public mailing list where problems are reported and discussed. Somebody might still make a decision to release the product with known problems - but there's no question of it being a secret.

    I make it a practice to subscribe to development lists for products that are important to me. It allows me to get a great sense of how the product is doing - even if I have no intention of modifying the code. I would think that any company large enough to have a few million dollars worth of damages should be able to have somebody follow the development of essential software.

  • And you, of course, are a Microsoft user. Nope, all of these posts are made from Slackware 7. If you read my userinfo you would know that (but who reads userinfo anyway... I know I don't.) I wasn't advocating microsoft, I was pointing out that they know they aren't secure.

  • Scoff, viruses can occur almost as easily in linux... they just don't occur quite as often because usually the first people to use a new piece of software are the guys who will read the code and if they find a virus they will scream loudly. An OSS app with a virus in it will not exist for long.

    I've got another analogy for us that proves why virus writers can't be held responsible because they wrote the virus...

    I have 2 old and decrepit computers, and I decide I want to end their lives in a bang. I write a program that could be considered a virus that's designed to attack several computers on a network. My friend likes it. He asks if he can have a copy. He stupidly runs it on his computer that is attached to a T1 and it starts infecting not only his computer, but also some other computers on the internet. Can he be held accountable? NO, he didn't realize he was releasing it. Can I be held accountable? No, I didn't release it.

    OK there was another rant.

  • "Mr. Bohn, due to the lack of poor grades, police record, and drug abuse, we do not want you working for the XYZ company."

    Sorry to be picky, but I'd think that poor grades, a police record, and drug abuse are all very good things to lack.
  • I don't think a court would find that Microsoft or open source authors should be held liable due to negligent software design.

    First, a court would have to find that there was negligence. That is to say, that there was a standard of care that applied in the situation, that the standard of care was breached, and that the breached caused damage both in fact and in terms of "proximate" cause. Second, there is the fact that this would be products liability, which has some of its own rules. I don't know them very well, though I am familiar with a rule which holds that one can generally disclaim the merchantability of a product for certain kidns of uses, unless the product can be made unusually dangerous (usually construed as physically dangerous to a person) in its intended use by negligent manufacturing.

    I don't have time to write about all of these elements, and you don't want to read it all anyway. I want to note, though, that in most cases where the negligence of one party creates a dangerous situation, and another party discovers it and intentionally exploits it to bring about the danger that was risked, the connection of "legal cause" between the negligence and the damage is understood to be broken.

    An example which comes up in casebooks is a case where a railroad company spilled gasoline all over the place. The question presented was whether the railroad was liable for damage from the ensuing fire when someone threw a match on it -- there was testimony to show that he had intentionally thrown the match. The appellate court in the case held that the railroad would not be liable if the other defendant had intentionally thrown the match. The rationale (at least according to my torts professor) is that if someone exploits a dangerous situation before the negligent party finds out about it and has a chance to clean it up, we shift the liabiltity over to him and take it off the negligent party.

    Now, we can all think of how there are similarities and difference in a software situation, where the parties know that the person using the software is relying on it to get the job done. On the other hand, there are the issues of warranty disclaimer and the defenses to liability. I think one of the reasons courts are unlikely to find Microsoft liable in this situation, even going past the defenses it would have available, is that they would have to apply it to all small companies and open source programmers to that kind of liability, and no one can insure against it. The courts will look for the best ways to spread these losses around so that they are manageable. Microsoft might be able to spread those kinds of losses around, by insuring itself and raising software prices (yes, I say that in all seriousness), so it will be tempting to assign liability there, but the individual or group who writes a shareware or open source network program and leaves in an opportunity for a buffer overflow cannot, and would go bankrupt quickly, leaving only a few people compensated and countless more uncompensated. The courts will not create an otherwise-unjustified double standard between the behemoth and the little guy when the only difference between them is that one is a behemoth and one is a little guy.

    For these reasons, I expect that the person or company who accepts the licensing agreement and its disclaimers, even for mission-critical operations, will have to self-insure against its failure when there is no warranty, and will have to self-insure against the security risks involved in using such software.

    In parting, here's my own little disclaimer: I am not a lawyer, just a student, so you should not rely on anything I have said for any purpose other than as something to think about.

  • In response to the responses to my original post, I propose an alternative analogy. A refrigerator. If the refrigerator has a flaw such that, if abused, the door would fail to seal, then the manufacturer would really tick off a lot of people and could cause a lot of companies to lose money (especially in the food service industry). Yet, we could come up with a scenario in which this could threaten life or limb, such as if the refrigerator is used as temporary storage of blood in a surgical ward. Or if someone failed to notice that the refrigerator was no longer cold and then failed to properly cook the food inside. Or when someone opened the freezer, all the melted ice spilled out and that someone slipped on the floor. Or someone who cannot travel outside the home and must rely on someone else to bring the groceries, and the new groceries aren't due for another week.

    But by its nature, by its obvious intended purpose, such a flaw is an inconvenience and a cause of lost money, but is not a direct threat to life or limb (unlike a 1000kg collection of steel, aluminum, and plastic travelling at 100kph).

    And that last bit really is the crux of this discussion -- the suitability for any particular purpose. And that's been discussed sufficently elsewhere in this article.

    And, yes, I realize a different flaw in a refrigerator could cause it to topple over, but that isn't my point ... I chose a refrigerator because it was easier to come up with a flaw with similar results to a flaw in Microsoft's OLE than if I were to suggest a flaw in a book (besides something so obvious as misprinting) that could, in certain scenarios, threaten life or limb.

    Christopher A. Bohn
  • ...You're in London, where they tried to computerise the ambulance service. Horribly bodgy code (which lost emergency call data, and would go into infinite loops) cost the lives of an unknown number of people, but estimates place it in the hundreds.

    ...You're in the control room of a nuclear power station, where faulty software can potentially put a little warmth into the surroundings. Permanently.

    ...You're lost at sea, and your emergency distress calls, linked to GPS, are sending rescuers to the wrong hemisphere...

    ...You're in the middle of a war, and your ship has a division by zero error, shutting down all systems, stranding you...

    The sad fact is, unreliable software -does- cost lives, every year. The difference is, you can -see- the cause and effect from a motor accident, it's usually a lot messier, and it's usually a lot more direct. This isn't true for deaths or injuries relating to computer software errors.

    However, that's almost by the by. Software companies claim that the Turing Halting Problem gives them exemption. As they cannot prove fitness for use, they argue that they should be exempt from any and all quality legislation.

  • This has probably been said before, but I'll say it again. So long as it's encouraged (and soon to be legal, if it isn't already) to have EULA's of the kind that are standard, quality control will always be non-existant and negligence will be rampant.

    Let's take a look at the typical EULA.

    1. There is a disclaimer, stating that the product offers no guarantee to be fit for any purpose. (Translation: We'll claim what we like in the adverts, but we'll give you what we damn well please. And you'll like it! Even if it's nothing like what we said, doesn't work, causes injury, and/or brings about the End of the World.)
    2. There is a disclaimer, that the company selling the software is not liable for any consequence of using the software. (Translation: If we put a virus on, which destroys your computer and melts your hard disk, without your knowledge, it's your fault, not ours.)
    3. There is a statement, that you don't actually own the software but merely own the piece of paper which says you can use it. (Translation: You're using our property, and we can take it away from you at any time, for any or no reason we care to be bothered to think of. You have no rights whatsoever, because it's not yours to have any rights over.)
    4. There is an implicit statement to the effect that if your computer won't run the software, it is a fault of the computer, and the company and/or shop that sold you the software is in no way liable to so much as pay a refund, offer an alternative, or even say "good morning" to you when you take the defective product back, even if it was the company and/or shop that told you beforehand that the product would work on your computer, that such refunds existed and that they would be pleased to be of service.

    The fact is, software companies have got it made. The EULA's are getting legal protection in the USA, which gives software houses total immunity from prosecution for any reason, whatsoever, for anything and everything.

    That's not the only scary thing. You think it'll stop there? Car manufacturers are -big-! If the software companies get immunity from prosecution and immunity from consumer protection laws, do you think the larger manufacturers are going to just say "oh, well, that's them"? Or are they going to say "hey! Give us immunity too!"

    How long before no consumer protection exists in the US, and you are literally taking your life in your hands every time you use the microwave or toaster?

  • After seeing this I want to expound a bit on what
    someone else said in response.

    > I disagree... having the ability to look deep
    > into the product to check for possible problems
    > is not the job of the consumer.

    This is exactly why I think Free Software
    programmers should not be held liable.

    Free Software does not follow the standard
    Capitalist model. The standard model is, Party 1
    makes the product, party 2 pays money to party 1
    for the product.

    Free software is "Party 1 makes the product.
    Anyone is free to take the product". Rather than
    "Hey here it is, the one thing you need"
    "Heres what I did, use it if it fits your needs,
    don't use it if it doesn't"

    Its about being open and shareing. The whole
    purpose of negligence and similar things came
    about because capitalism inherintly rewards
    cutting corners and making products as cheaply
    as possible, whether its safe or not.

    It is because of this that negligence laws and
    similar responsibilities of product producing
    companies exist.

    In Free Software, there is no incentive to cut
    corners. A person working on a piece of software
    is usually writting it first and formost because
    he needs it. As such the incentive is in getting
    it to work and fill his need.

    As such, there is no "Consumer". A person who
    needs the same need filled can take his code and
    use it if they like. They are the ones that seek
    it out, and they are the ones who put it in place.
    Ultimatly they should be responsible for making
    sure it meets their need before they put it in

    > Software engineers are simply unethical
    > engineers.

    I disagree emphaticaly. What is so unethical about
    disclaiming any warrenty? Other engineers
    generally work for hire or for a company. This
    means they are getting money to design something
    for someone else, as such they are liable to the
    person who is paying them.

    However, if an electical engineer designs his own
    TV remote control from parts he can buy at radio
    shack, completely at home and on his own. Then he
    releases the plans on how to build it...
    should he be liable if someone builds it and it
    doesn't work for them?
    He didn't charge them for the plans. He just said
    "Here is how I did it, this works for me"
    Should he suddenly be liable if it doesn't work
    or causes harm to someone elses TV?

    If that is to be the case, then free exchange of
    information may as well be a dead idea. It would
    make it much to costly.
  • > Windows, any version, is not as defective as
    > you make it out to be

    I was a PC tech on Desktop machines in a HUGE
    Win95 environment. I can make WIndows out to be
    pretty damned defective from what I have seen it

    > Windows 98 works just fine for the vast majority
    > of people who use it.

    Well...the "vast Majority of people" are morons.
    They have just gotten used to rebooting several
    times a day when the system crashes. They have
    gotten used to phrases like "You have to expect
    it will crash ocasionally".

    I have even heard a salesman on TV saying that
    computers run so FAST these days that they
    ocasionally make mistakes and get themselevs
    screwed up. I kid you not he was actually saying
    on no uncertain terms that "crashes" and lockups
    were the fault of the hardware going real fast
    and losing track of what it was doing.

    I have seen too many Windows machines with too
    many differnt problems for too many users to
    say that Windows is not extremely defective.
    It IS defective.

    Which is exactly why I no longer run it on any of
    my machines.
  • I think you are either lying...

    I neither lied not exaggerated. Why should I? I don't have any hidden agenda. My only animosity towards Microsoft is precisely because of my negative experiences with Windows.

    ...or have truely defective hardware.

    I have had the same or similar problems with a range of hardware including three different CPUs, two different chipsets and four different motherboards, three different sound cards, three different graphics cards. And four different hard disk, three different sets of Simms, three different CD-ROM drives.

    It's therefore a fact that there is a great deal of hardware out there upon which Win95 OSR2 and Win98SE simply will not run reliably. I'm giving you the benefit of the doubt here because I don't directly know of any hardware configurations upon which it will run reliably.

    Windows, any version, is not as defective as you make it out to be. Windows 98 works just fine for the vast majority of people who use it.

    The only remotely stable Windows 95 configurations I have ever seen was the original (pre-OSR2) Win95 release on integrated motherboards from Intel. From what I've heard, Win98SE is not stable on any configuration and the problems I've been having are widespread.

    Just because YOU can't figure something out or because it doesn't work for YOU ...

    I can figure out plenty. I've had to learn because Windows 95 OSR/2 and Windows 98 are so temperamental. I've spent hundreds of hours studying Microsoft Knowledge Base articles and following their useless recommendations. The fact is Microsoft are extremely reluctant to admit to faults that can't be fixed which are down to inadequacies in their software, so many of the problems I've faced are simply not acknowledged.

    ...does not mean it's a defective product.

    It doesn't work as advertised. Microsoft cannot or will not fix it. It is, by any meaningful definition, a defective product.

    In attempting to refute facts which are well known to correspond to most technical users' experience, you clumsily expose yourself as a Microsoft employee. No surprise then that you post as an AC. Listen up drone; denying that the problem exists will not make it go away. At least, not here it won't.

    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • Second question: if the seller knows explicitly that the brakes are bad then is it still ok to sell it?

    Yes, as long as the fact is disclosed clearly and unambiguously before sale...

    (of course, IANAL, that's my disclosure ;)
    Your Working Boy,
  • Take a look at the Kodak box, any Kodak box made in the last 30 years or more, and you'll see they are not liable for more than replacement of the blank film.

    That assertion may be printed on the box but that doesn't mean that Kodak has no liability for consequential damages. That is a question for a court to decide. It is common to see blanket disclaimers of liability and other statements that conflict with the law on licenses, contracts, sales receipts, warranties and product packaging.

  • IANAL, but I think it might have something to do with the intended use of the 'product', what it is sold for.

    If you buy a car, the intended use is to drive it on roads. Thus you have cause to sue if the brakes stop working or the wheels fall off. If you decided instead to use it as a foodstuff, you couldn't sue claiming injury because of indigestion. It's your own fault for using it for
    a purpose it wasn't designed for.

    You can apply this to software too. If you bought a web browser and found that it wouldn't display web pages (and you could prove that this was the browser's fault, and not badly-behaved site, broken networking or whatever else), you would have a legitimate grievance. (Although IMHO the most you should be entitled to is a refund of what you paid, unless you have agreed different warranty terms in advance.)

    However, if you used the browser for a mission-critical information display, in a hospital or whatever, you wouldn't have a legitimate complaint if memory leaks caused it to crash after two weeks of use. A browser is not designed to give that kind of reliability, and it doesn't claim to. (Some things such as Java explicitly say that 'X is not designed for use in safety critical applications'.)

    So I think that you have to ask: is the user just being stupid by trying to use the software for something inappropriate?
  • Disclosed source-code software has much less of a problem with negligence since the user and distributor are able to perform due diligience on their own

    I think this mostly summs it up. I would add that consistant public denial of security problems on the part of a certain vendor compounds the liability. Open Source projects very rarely deny security flaws in press releases or marketing material.

  • Well, you could sell the medium (The cd in this case) for as much as you want, as long as you don't prevent people from copying/borrowing etc.

Today is a good day for information-gathering. Read someone else's mail file.