
Examining Software Liability In the Open Source Community

timothy posted more than 5 years ago | from the three-letters-starting-f-u-d dept.

The Courts 241

snydeq writes "Guidelines from the American Law Institute that seek to hold vendors liable for 'knowingly' shipping buggy software could have dramatic impact on the open source community, as vague language around a 'free software' exemption could put open source developers at litigation risk. Meant to protect open source developers, the 'free software' exemption does not take into account the myriad ways in which vendors receive revenue from software products, according to a joint letter drafted by Microsoft and the Linux Foundation. As such, the guidelines — which, although not binding, are likely to prove influential on future lawsuits, according to attorneys on both sides of the issue — call into question the notion of liability in the open source community, where any number of coders may be responsible for any given defect."


LOL (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28977221)

So now I can sue if I get open sores due to a flaw in open sores software? Sweet.

Re:LOL (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28977839)

niggers dune coons and african jungle bunnies and porch monkeys. that is all.

Re:LOL (2, Funny)

mcgrew (92797) | more than 5 years ago | (#28977841)

Put the chair down, Steve.

Sure (0)

Anonymous Coward | more than 5 years ago | (#28977241)

Only if they know who you are =)
Otherwise they can send their complaints to your gmail.com account.

Use something else... (0)

Anonymous Coward | more than 5 years ago | (#28977249)

If you don't like the open source software or the license that goes with it already.

Re:Use something else... (0)

Anonymous Coward | more than 5 years ago | (#28977607)

Ah, yet another lackey of Microsoft, the Most Likely Instigator of those so-called "guidelines".

microsoft and the linux foundation agree ? (3, Funny)

godrik (1287354) | more than 5 years ago | (#28977305)

I am sure hell is frozen now.

Re:microsoft and the linux foundation agree ? (4, Funny)

Tekfactory (937086) | more than 5 years ago | (#28977777)

Google would have joined them, but Beta software doesn't count.

That and the Universe asploding

August 6th, 1945 A Day That Will Live in Infamy!! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28977811)

August 6th, 1945 A Day That Will Live in Infamy!!

Happy anniversary, Hiroshima !!

By the way, is that Hero'-she-ma or is it Her-row'-chi-ma ??

I believe almost every free software I use has.... (4, Informative)

Seakip18 (1106315) | more than 5 years ago | (#28977321)

"NO WARRANTY OR GUARANTEE IS IMPLIED. USE THIS SOFTWARE AT YOUR OWN RISK" or some combination of that. Even my home server says that every time I SSH into it.

So.....you're going to sue a developer for a defect, intentional or not, even though they said it was not warrantied and use at your own risk?

Re:I believe almost every free software I use has. (2, Insightful)

sqlrob (173498) | more than 5 years ago | (#28977349)

And so does every bit of commercial software. How do you differentiate?

Re:I believe almost every free software I use has. (3, Interesting)

piojo (995934) | more than 5 years ago | (#28977619)

I suspect that in commercial software, there is an implication of warranty (because the customer paid for it), and that warranty can't always be signed away by a contract (because of things like consumer protection laws).

I would think that if a piece of software is free as in beer, it would be easy to explain to a judge that the project authors had no business relationship with the user, and thus could not be held liable.

It's sort of like the "I am not your lawyer, this is not legal advice" disclaimer--the person giving advice is less likely to lose a malpractice suit if he/she says "I have no business relationship with you, so don't take this with the same gravity that you might take my real legal advice."

Re:I believe almost every free software I use has. (2, Funny)

piojo (995934) | more than 5 years ago | (#28977635)

Oh, and I'm not a lawyer. And if I were, I probably wouldn't be your lawyer. In which case this would not be legal advice...

Re:I believe almost every free software I use has. (1)

sumdumass (711423) | more than 5 years ago | (#28978155)

Not all open source software is free as in beer. The free as in beer model isn't even required for free software, especially the GPL or BSD or similar licenses.

OSS authors just as liable as commercial ... (1)

SineNomen (1613011) | more than 5 years ago | (#28978311)

I suspect that in commercial software, there is an implication of warranty (because the customer paid for it), and that warranty can't always be signed away by a contract (because of things like consumer protection laws).

I would think that if a piece of software is free as in beer, it would be easy to explain to a judge that the project authors had no business relationship with the user, and thus could not be held liable.

A business relationship does not require money to change hands. I suspect that, like contracts, all that is required is that both parties receive some sort of "consideration", http://en.wikipedia.org/wiki/Consideration [wikipedia.org]. Consideration is obvious for the user(s), they get the software, but consideration for the author(s) could be quite varied. Passing along the author's work (as the GPL requires), reporting bugs back to the author, mere use of the software enhancing the author's standing in a community (or maybe just stroking the ego), ... I'm sure a real lawyer could get quite creative, as they have successfully done with consideration under contract law. Unless of course the legislation gives OSS authors a special status which they currently do not have.

Re:I believe almost every free software I use has. (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#28977495)

There are things that can't be warrantied away like that (and in some cases, this is a good thing; but I just don't think that software is one of them). "Delicious candy may contain succulent lead, eat at own risk, non-toxicity not warrantied" would not make selling tainted food any less problematic.

Re:I believe almost every free software I use has. (2, Insightful)

140Mandak262Jamuna (970587) | more than 5 years ago | (#28977877)

There are things that can't be warrantied away like that (and in some cases, this is a good thing; but I just don't think that software is one of them). "Delicious candy may contain succulent lead, eat at own risk, non-toxicity not warrantied" would not make selling tainted food any less problematic.

But if I just give away my leftovers from my restaurant to some soup kitchen free, would I still be liable? Maybe. If I give away leftovers from my home to a passing vagrant, would I be held liable? What if I brown bag my lunch and in the workplace they order pizza for some reason and I give my brown bag to the homeless guy on the way to the trolley stop without even opening it to check if the sandwich has spoiled, would I still be liable?

Re:I believe almost every free software I use has. (1)

jargon82 (996613) | more than 5 years ago | (#28978005)

I believe you would. I once worked in retail, and we couldn't give away food that was still in date and in good condition to food banks (but which for some reason or another we had to get rid of), because of liability concerns.

Re:I believe almost every free software I use has. (1)

AndrewNeo (979708) | more than 5 years ago | (#28977703)

You should really change your MOTD to something more interesting.

Re:I believe almost every free software I use has. (2, Interesting)

reebmmm (939463) | more than 5 years ago | (#28977827)

This comes up every time warranty issues are raised. The problem is that for that warranty to be effective, the parties had to agree. Hence, those that say open source software is not an agreement (or that one does not have to accept the terms of the GPL etc.) have a problem. I've said it before, certain of the terms of the GPL are not merely license language. The community cannot have it both ways.

Either this clause is unenforceable because there is no agreement (one party did not agree to it), or the GPL requires every user to accept the terms of it.

Re:I believe almost every free software I use has. (1)

Anonymous Brave Guy (457657) | more than 5 years ago | (#28978097)

But why should the clause be necessary at all if the software was free-as-in-beer? If there is no consideration, there should be no obligation either; this is basic contract law.

Attempting to make people who give things away entirely for free liable for the consequences is a very dangerous path to tread.

Re:I believe almost every free software I use has. (1)

sumdumass (711423) | more than 5 years ago | (#28978197)

Not everything is given away free.

What about a project that used the GPL but charges for the product, like Redhat enterprise server or something?

Re:I believe almost every free software I use has. (1)

Anonymous Brave Guy (457657) | more than 5 years ago | (#28978323)

That's why I said free-as-in-beer.

If you want to take money from someone, there is an expectation that what you're offering in return is of a reasonable standard. In software, expecting totally bug-free consumer software is not reasonable, but expecting that it doesn't (for example) silently install malware, trash all the other data on your hard drive, or contain known serious security flaws is fair enough. Whether the source for the software happens to be open is, IMHO, irrelevant to this, and Red Hat et al should be held to the same standard when they charge for software as Microsoft, Oracle or $OTHER_BIG_COMMERCIAL_ENTITY.

Re:I believe almost every free software I use has. (1)

elgaard (81259) | more than 5 years ago | (#28978173)

It is not an agreement. The GPL licence says:

==
9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or run a copy of the Program.
==

Re:I believe almost every free software I use has. (4, Insightful)

PolygamousRanchKid (1290638) | more than 5 years ago | (#28977901)

So.....you're going to sue a developer for a defect, intentional or not, even though they said it was not warrantied and use at your own risk?

No lawyer will sue individual developers . . . they have no money. They will try to sue a big company, um, like what SCO tried with IBM. Lawyers go after the money.

Some big companies even forbid their programmers from working on Open Source projects on their own time . . . unless they are approved by their employer, of course. Because the lawyer suing will try to twist it so that the employer is responsible . . . because only a big company has enough cash to make it worth their effort.

Re:I believe almost every free software I use has. (0)

Anonymous Coward | more than 5 years ago | (#28977927)

And no warranty or guarantee *SHOULD* be implied. Almost all software is buggy under the right circumstances, as even the best programmers can't interpret, test, and correct every possible scenario. To make things even more complicated, it seems that all but the most expert of users blame the wrong component for their problems, whether it be the OS, the OEM, or Republicans.

Very high end software intended for business with high priced monthly or annual service contracts? Yes, hold the company liable for software problems that cause a serious loss. But holding OSS to the same standards? They're out of their minds!!

Re:I believe almost every free software I use has. (1)

moredots (1613051) | more than 5 years ago | (#28977941)

I'm logged in, so IDK why that was posted anonymously. -_-

Re:I believe almost every free software I use has. (0)

Anonymous Coward | more than 5 years ago | (#28978335)

IDK, my BFF Rose?

Re:I believe almost every free software I use has. (4, Interesting)

Wrath0fb0b (302444) | more than 5 years ago | (#28977955)

"NO WARRANTY OR GUARANTEE IS IMPLIED. USE THIS SOFTWARE AT YOUR OWN RISK" or some combination of that. Even my home server says that every time I SSH into it.

There is no reason that a legislature cannot pass a law saying that this disclaimer is contrary to public policy and won't be respected in the courts.

For instance, in my State, contracts to purchase a car that are "AS-IS" are not legal. You can write those terms into the contract and the buyer can sign it, but if she turns around and sues you the Court won't give effect to that part of the contract.

Another example, I cannot rent an apartment or house "AS-IS", I am required by law that my rentals conform to a general standard of habitability. It doesn't matter how many times in the rental contract I disclaim any warranty of habitability, I still have to provide a habitable dwelling.

Consumer protection statutes are full of these sorts of provisions that forbid the use of certain kinds of terms and conditions. You can't sell food without a warranty of non-contamination or edibility, you can't sell children's playground equipment without a warranty of safety, .....

TL;DR version: the law does not have to respect your right to contract under whatever terms you see fit (I'll leave the normative argument of whether it should for another time & place).

Re:I believe almost every free software I use has. (1)

Red Flayer (890720) | more than 5 years ago | (#28978077)

State law in the US often directly mandates certain warranty conditions for sold products. There are certain warranties that cannot be signed away, disclaimer or no.

The question is what happens when an open source product is used in a sold product. Is the seller of the end-product solely liable, or is the producer of the open-source (and free) component also liable?

Everyone likes to pass the buck. If I successfully sue Sony because their battery melted my thigh, is the company they contracted to manufacture said battery also liable? Can Sony recoup their fines from the battery manufacturer, if the battery was not delivered to spec? For non-open-source software, they can. But say that Sony used a software controller for the battery that caused the meltdown, and that controller was open-source. Can Sony sue to recoup their costs from the authors of that piece of software, which was provided free-of-charge under an OS license, and was probably not developed specifically for Sony's specifications?

*The reason I use the Sony example is because when they had their battery problems, contributory liability was a subject of discussion here on Slashdot. I don't think the OSS liability issue was raised at all, it's just the best example that popped into my head.

Re:I believe almost every free software I use has. (1)

nurb432 (527695) | more than 5 years ago | (#28978181)

Sure sounds like it, but I think the true intent here is to create a new market for 'software programming insurance' (and government certifications and bonds that go with it), which will be priced out of reach of the small hobby coder contributing to OSS or a small code shop trying to make a living in their tiny niche market.

And besides, what software doesn't have at least ONE bug in it?

Bug free software would be insanely expensive! (5, Insightful)

onionman (975962) | more than 5 years ago | (#28977325)

Bug free software is possible, it's just very very expensive to produce!

I've worked on DoD projects that required bug free software. It is possible, it just requires $150 Million to produce 100,000 lines of code.

Do you really want to force Microsoft or Apple to produce bug free operating systems? Who could afford them?

Re:Bug free software would be insanely expensive! (5, Informative)

sys.stdout.write (1551563) | more than 5 years ago | (#28977459)

Of course not. The article was terrible.

If you read the report from a better news source [yahoo.com] you'll learn that this only applies to fraudulent concealment of bugs, not simply their existence.

Re:Bug free software would be insanely expensive! (1)

Jaysyn (203771) | more than 5 years ago | (#28978003)

Would a Microsoft backdoor / killswitch be considered a fraudulently concealed bug?

Re:Bug free software would be insanely expensive! (0)

Anonymous Coward | more than 5 years ago | (#28978085)

I get all my news from FOX News! I know everything I need to know and nothing more!

And keep your government health care away from my Medicare, you whipper-snapper!

Re:Bug free software would be insanely expensive! (1)

SirGarlon (845873) | more than 5 years ago | (#28977563)

Bug free software is possible, it's just very very expensive to produce!

Or very, very small.

Re:Bug free software would be insanely expensive! (1)

digitig (1056110) | more than 5 years ago | (#28977739)

I'd be interested to know how, because I work in the field (including having done formal analysis of military systems) and although I know of methods to get exceptionally low bug rates, I'm not aware of any techniques that offer bug free for any but the most trivial program. And I've seen software houses make claims of bug-free software that have been accepted by safety regulators but that have subsequently been found to be wrong as bugs have been found.

Of course, it's possible the DoD knows how but is keeping quiet about the techniques...

Re:Bug free software would be insanely expensive! (2, Interesting)

maxwell demon (590494) | more than 5 years ago | (#28977845)

Simple: Add to your specification: "The program is not intended to be run." If anyone runs it, then he's operating it outside of its specifications. Anything unforeseen therefore isn't a bug :-)

Re:Bug free software would be insanely expensive! (1)

john.r.strohm (586791) | more than 5 years ago | (#28977985)

Are you familiar with the Gypsy Verification Environment and the Message Flow Modulator work, done by Don Good's group at The University of Texas at Austin in the late 1970s and early 1980s?

The Message Flow Modulator was a small (ca. 1000 lines of code, 1500 lines of type declarations and specifications) program, but it was by no means trivial. When it saw the acceptance test suite for the FIRST time, at the acceptance test at PAX River, in front of the customer, it passed. On the first time. No deviations, no waivers, no "yeah, but"s, no nothing, it passed.

The biggest issue, according to Don, was that it was expensive: at a time when 10 lines/man/day of allegedly-debugged, final, delivered code, with a known nonzero defect density, was considered typical, and acceptable, they were getting 1 line/man/day of absolutely-zero-defects delivered code. This is expensive, but one can readily conceive of environments where any measurable nonzero defect density is too high. (Like disk drives: if your bit error rate is high enough to measure, it's too high.)

My personal opinion is that the biggest issue they were going to encounter is that they didn't use C. Recall the resistance in this country to Ada, compared to the acceptance of Ada in Europe. (Recall also that Bell Labs, when asked to submit a DoD1 candidate based on C, politely declined, saying that C was not then and would never be robust enough to be a basis for highly reliable software.)

Re:Bug free software would be insanely expensive! (1)

nomadic (141991) | more than 5 years ago | (#28977855)

Do you really want to force Microsoft or Apple to produce bug free operating systems? Who could afford them?

I believe they're arguing that vendors shouldn't KNOWINGLY ship buggy software. If you found it before shipping, fix it. I suspect this will just cause software developers to just cut down on QA...

Re:Bug free software would be insanely expensive! (1)

lena_10326 (1100441) | more than 5 years ago | (#28978149)

What about a "that bug is a feature" type of bug? What if we can't agree on categorizing its severity level? What if the bug affects 0.01% of the population and not worth fixing? What if the bug only appears occasionally when executing on runtime library 1.0, but never on 2.0? What if it works on a clean install but not when driver Y is installed? What if the bug is due to the user not keeping their OS up to date? What if the issue stems from data corruption? What if your code is script run inside of a 3rd party engine which you know might have a bug?

Not all bugs are solvable.

Re:Bug free software would be insanely expensive! (1)

mcgrew (92797) | more than 5 years ago | (#28977911)

How many copies of XP were sold? If Microsoft has sold 300 million copies, then at $150m development cost they could sell the OS for $2 and make a $150m profit.

Re:Bug free software would be insanely expensive! (1)

Zalbik (308903) | more than 5 years ago | (#28978289)

How many copies of XP were sold? If Microsoft has sold 300 million copies, then at $150m development cost they could sell the OS for $2 and make a $150m profit.

Yes, but the quote was $150million for 100,000 lines of code.

XP had over 40 million [wikipedia.org] lines of code, so assuming the costs scale linearly (which is optimistic IMHO), it would cost $60 billion dollars to develop a "bug free" version of XP.

For reference, Red Hat 7.1 contains approx 30 million [dwheeler.com] lines of code

Re:Bug free software would be insanely expensive! (1)

Anonymous Brave Guy (457657) | more than 5 years ago | (#28978167)

Bug free software is possible, it's just very very expensive to produce!

It may be possible, but no-one has ever worked out how to do it.

Even the Cleanroom guys have non-zero bug rates. They're very impressive, maybe an order of magnitude or two better than typical consumer products, but there are still bugs.

And to pick everyone's other favourite example, while TeX may now be as close to bug-free as any consumer software ever gets, there are plenty of people with framed cheques from Don Knuth to show that it wasn't always that way.

God damn you, lawyers. (5, Insightful)

synthesizerpatel (1210598) | more than 5 years ago | (#28977367)

Another stupid babysitter law to protect idiots.

At a previous job I asked my boss why we used Oracle and he said that if anything ever went terribly wrong, the company would have someone to sue. Of course, suing someone doesn't restore customer confidence, data, or revenue. No verifiable technical reason, just that OUR lawyers got warm and fuzzy with contractual language that would never, ever get exercised and if it ever did try to sue anyone we'd have run out of money before they dipped into their free soda fund.

Anything that executes code is buggy. Applications, frameworks, libraries, protocol stacks, drivers, bios', FPGAs and microchips. Grow up and deal with it.

Re:God damn you, lawyers. (4, Insightful)

TheRaven64 (641858) | more than 5 years ago | (#28977567)

At a previous job I asked my boss why we used Oracle and he said that if anything ever went terribly wrong, the company would have someone to sue

Next time you encounter this attitude, you should find the relevant clause in the EULA, which disclaims all responsibility for the software containing bugs. If a company like Oracle provides your software then, generally, the only response you have to bugs losing your data is to not buy from them in future (unless, of course, you've just built a large in-house application that depends on Oracle...)

Re:God damn you, lawyers. (4, Informative)

jdgeorge (18767) | more than 5 years ago | (#28977645)

Another stupid babysitter law to protect idiots.

At a previous job I asked my boss why we used Oracle and he said that if anything ever went terribly wrong, the company would have someone to sue. Of course, suing someone doesn't restore customer confidence, data, or revenue. No verifiable technical reason, just that OUR lawyers got warm and fuzzy with contractual language that would never, ever get exercised and if it ever did try to sue anyone we'd have run out of money before they dipped into their free soda fund.

Anything that executes code is buggy. Applications, frameworks, libraries, protocol stacks, drivers, bios', FPGAs and microchips. Grow up and deal with it.

First of all, this is not "another stupid babysitter law". It is NOT a law at all.

Second of all, the guidelines are intended to prevent product vendors from selling products they know are defective. Just as it would be unacceptable if an auto company sold a car whose brakes wouldn't work whenever the car was going 72 miles per hour, it would be bad if a software company sold a system that it knew had a defect that could cause data corruption.

Re:God damn you, lawyers. (1)

onto_dry_land (1346313) | more than 5 years ago | (#28977659)

Better yet, choose your software so that if the developers or support misbehave and introduce bugs you can turn to anybody else, on a free market, without having to change to some different software. If Oracle misbehaves, not only can you not sue them in practice, but there is a good chance that you will still be stuck with them since changing to something else is too expensive. If you choose an open source solution you can always turn to someone else. The worst that can happen is that they will have to fork the code, but even that might not be needed.

Re:God damn you, lawyers. (1)

nomadic (141991) | more than 5 years ago | (#28977917)

Of course, suing someone doesn't restore...revenue.

Uhhh, yes it does. That's the whole point of suing.

Re:God damn you, lawyers. (1)

140Mandak262Jamuna (970587) | more than 5 years ago | (#28978025)

Of course, suing someone doesn't restore...revenue. Uhhh, yes it does. That's the whole point of suing.

Nah, winning a suit restores revenue (if the defendant has not already gone bankrupt). Suing only costs money to both.

Re:God damn you, lawyers. (1)

synthesizerpatel (1210598) | more than 5 years ago | (#28978275)

I bet you subscribe to CIO magazine.

Re:God damn you, lawyers. (1)

Jaysyn (203771) | more than 5 years ago | (#28978039)

I would have been escorted from his office laughing, right after he got "sue Oracle" out of his mouth.

bollocks (4, Interesting)

shentino (1139071) | more than 5 years ago | (#28977375)

I'd say that ye olde standards of gross negligence and recklessness should cover any profoundly careless bugs.

The trick is to get them to apply to corporations like MS.

Sue who for what now? (4, Interesting)

spun (1352) | more than 5 years ago | (#28977387)

First point, if someone working for hire at Red Hat, Novell, or IBM knowingly (how's that defined?) ships buggy open source software, why shouldn't the company be held liable, if they would be held liable for shipping buggy closed source? Second point, who is going to sue some no-name contributor who doesn't have any money anyway, especially if you have to prove that that particular developer knew there were bugs? I love open source, but I feel that if we as a community want to be taken seriously, we should be held to the same standards as closed source software.

Re:Sue who for what now? (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#28977611)

The "same standards" should allow shipping plenty of horrors...

More generally, while concealing bugs is a super sleazy behavior, there are loads of situations where buggy software is preferable to no software. Virtually any software product of any complexity ships complete with a "known issues" section, which is nothing more or less than a list of bugs and omissions. Somehow, we all muddle through. I don't see FOSS vs. proprietary as differing markedly in that respect.

Re:Sue who for what now? (1)

spun (1352) | more than 5 years ago | (#28977967)

What constitutes 'knowingly distributing?' What do their guidelines call a bug? If the bug is disclosed, can the lawyers still sue?

Could someone please answer these questions in the form of a car analogy for me? This is Slashdot and I'll be damned if I'm going to read the article.

Re:Sue who for what now? (1)

cyphercell (843398) | more than 5 years ago | (#28978145)

Fight Club: "If the cost of a recall is more than the average cost of an out of court settlement ... we don't do one."

Re:Sue who for what now? (1)

maxwell demon (590494) | more than 5 years ago | (#28977731)

Have you ever read an EULA of proprietary software? Typically all they guarantee is that the CD you got is readable for about a month.

Re:Sue who for what now? (1)

spun (1352) | more than 5 years ago | (#28977873)

So, are you suggesting that these American Law Institute guidelines will simply be null and void if the end user agrees to a EULA? Problem solved! We EULA them too, and we're off scot-free.

Somehow, I don't think it works like that.

Microsoft (0, Redundant)

gillbates (106458) | more than 5 years ago | (#28977799)

Second point, who is going to sue some no-name contributor who doesn't have any money anyway, especially if you have to prove that that particular developer knew there were bugs?

Microsoft. That's who.

If it is possible to sue OSS for bugs, any vendor who feels they've lost business to OSS will be prone to suing OSS maintainers, if for no other reason than to cast FUD on free software, i.e. "Didn't they (the OSS developers) get sued for writing buggy software?"

Without the proposed legislation, such lawsuits are much more likely to be dismissed.

Re:Microsoft (1)

spun (1352) | more than 5 years ago | (#28978047)

In general, maintainers are not distributors. They may work for distributors, but they aren't the ones who package it up and sell it. If anyone could sue anyone who ever worked on a project that had bugs in it, that would be bad. Nobody would sign such an asini... well, maybe they would, but I doubt it.

If Microsoft really stands to benefit from suing open source maintainers, why are they against this, as is clearly stated in the summary?

Re:Sue who for what now? (1)

countertrolling (1585477) | more than 5 years ago | (#28978243)

...to be taken seriously...

Is way overrated. Who cares if we're "taken seriously"?

Bad idea (3, Insightful)

ShadowRangerRIT (1301549) | more than 5 years ago | (#28977407)

Vendor liability for software is a good idea only in *very* limited fields, with *very* strict parameters. If the problem domain allows for exhaustive testing (every possible input, every possible code path), then this sort of liability is reasonable. Embedded control software for vehicles is a good candidate. But to apply the law to general purpose computers like we would for mechanical devices is absurd. They aren't a monoculture; they can run anything, which means anything can break them. Every general purpose OS out there suffers from the occasional crash (Windows, OSX and *NIX included), and the very nature of the machine means that you can't always determine the cause. If one kernel level process writes into the memory space of another, overwriting pointers and code, the eventual crash will appear to be the fault of the innocent process (after all, it tried to dereference null). The forensics required to assign blame unquestionably would cost more than the lawyers would.

Much like patent law, this is one field where hardware can go that software should not.

Why should general liability even exist? (5, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#28977427)

Other than the fact that people hate software bugs, which is fair but insufficient reason, why should a general liability be presumed to exist?

For software purchased as a custom/customized enterprise type setup, with guys in suits, and contract negotiations, and spec documents and whatnot, surely the parties involved can settle any questions of bugs, liability for bugs, responsibility for timely fixes, etc. as a matter of contract between themselves. Perhaps it would be convenient for a de-facto standard set of terms to exist; but I don't see why any legally binding assumption needs to be made, beyond what was specified in the contract.

For the consumer/shrinkwrap/non-custom stuff, I'd be strongly in favor of a right to return for refund if defective (though deciding exactly what level of bugginess qualifies as "defective" could well be tricky, and settling the issue of whether or not "being able to run on joe sixpack's box-o'-spyware-and-rootkits or timmy the tweaker's bleeding-edge-super-nlite-professional-l33t-3dition-h4x0red-windows-box" is actually a reasonable expectation could be a nuisance); but liability beyond that, unless actual damages can be demonstrated, seems unreasonable.

Already, if software is being used as a component of a system (medical, aviation, whatever) where bugs matter, it is subject to those standards; establishing a set of liabilities for software generally just seems like a good way to encourage ever more onerous disclaimer contracts and quash free/OSS/cheap software.

Re:Why should general liability even exist? (1)

n30na (1525807) | more than 5 years ago | (#28977751)

"being able to run on joe sixpack's box-o'-spyware-and-rootkits or timmy the tweaker's bleeding-edge-super-nlite-professional-l33t-3dition-h4x0red-windows-box"

I giggled.

'knowingly' (2, Insightful)

oldhack (1037484) | more than 5 years ago | (#28977431)

That's the weasel word to generate extra lawyer business. Scumbags.

Re:'knowingly' (1)

nomadic (141991) | more than 5 years ago | (#28978033)

So...you're saying there should be strict liability? If you ship software with a single bug that it would have been almost impossible for you to find, you should be held liable?

Re:'knowingly' (1)

Inf0phreak (627499) | more than 5 years ago | (#28978241)

ALL non-trivial (non-TeX :D) software is either shipped with known bugs, or it costs 1000+$ per line of code (aviation, DoD, NSA - that kind of stuff).

Why should there be an exemption for FOSS? (2, Interesting)

Assmasher (456699) | more than 5 years ago | (#28977455)

I'm not anti-FOSS in any way, I'm just wondering why it would be exempted...

Re:Why should there be an exemption for FOSS? (0)

Anonymous Coward | more than 5 years ago | (#28977775)

For the same reason you should not be liable for defects in items you may donate to a charity?

Re:Why should there be an exemption for FOSS? (3, Interesting)

johannesg (664142) | more than 5 years ago | (#28977951)

I'm not anti-FOSS in any way, I'm just wondering why it would be exempted...

Would you spend years of your life making something useful, then give it away freely, and subsequently be sued to the point of losing your house, just for fun? At least commercial businesses are actively trading risk for gain; the open source developer only gets the risk part of the equation here.

I can see an entire industry spring up around finding bugs and suing the maker of the software (much like the patent-sharks of today). You don't even have to read the source, just download a copy of whatever you want to hit and look in its Bugzilla tracker...

Re:Why should there be an exemption for FOSS? (1)

Assmasher (456699) | more than 5 years ago | (#28978141)

First, that's a very inaccurate description of what FOSS is. There are FOSS developers who make a living just doing FOSS, for example, charging for support, training, prioritization of bug fixes/feature requests, et cetera. Second, and most importantly, what has that got to do with basic fairness?

Whether you charge for software or do not charge for software should not affect your liability in the legal system for issues with that software.

Re:Why should there be an exemption for FOSS? (1)

Tired and Emotional (750842) | more than 5 years ago | (#28977983)

Because it's free, so no contract is formed between the user and the supplier.

In any case, for a lot of open source software, the bug database is also open, so making sure any bug you find is reported in a timely manner should be a good defense. Putting it in the database discloses it while making sure it is timely means you cannot be accused of keeping it secret.

It does create an incentive for projects to keep open bug databases.

Re:Why should there be an exemption for FOSS? (1)

Assmasher (456699) | more than 5 years ago | (#28978279)

Contract? Nobody is talking breach of contract, this is a push for legislative bindings that would punish people who 'ship' software with bugs knowingly. Whether you charge for your code or not should be immaterial to whether you can be sued for knowingly publishing buggy software for people to use. Why should FOSS be exempted? Many major FOSS projects are only 'sort of free' in any case, charging for support for example (again, there's nothing wrong with that.)

Personally, I think that issues like this should be left to the contract involved (thereby automatically exempting most FOSS) and the traditional method for handling things like this. New legislation and/or legal guidelines in this area is simply opening a large can of worms.

New guidelines (2, Insightful)

SirGarlon (845873) | more than 5 years ago | (#28977501)

How about these for new liability guidelines: if the vendor knowingly ships buggy software, the customer is entitled to a 100% refund on the license cost.

Re:New guidelines (1)

i.r.id10t (595143) | more than 5 years ago | (#28977709)

Or how about entitled to the source so they can fix it or pay to have it fixed by a contractor?

Re:New guidelines (1)

cenc (1310167) | more than 5 years ago | (#28977937)

I think you are on to something as a legal argument here:

The open source license and the source code is the warranty. Essentially it is full disclosure and the responsibility of the user to evaluate the suitability of its use in a given situation. It is the 'if I screwed up making this software, here is the code for you to find, fix, or improve' warranty 'but I did not build it for any particular user and thus we are not in some sort of implied contract'.

For example, if you buy a car and get in a car accident, the end user has very little to stand on legally if he did not know how to drive a car.

Now, a company say like Red Hat that provides the service of installing and maintaining that software on the behalf of some other user might have some sort of liability depending on their contract for not fully evaluating or keeping up with whatever.

Re:New guidelines (1)

Soukyan (613538) | more than 5 years ago | (#28977737)

This becomes a hard guarantee to make. As a poster above stated, it can take millions to produce a relatively small amount of bug-free code. Not that it is impossible. It is costly and time-consuming, but certainly possible. Doing an analysis between the costs of bug fixes and shipping a bug-free product might provide more insight, but then again, there's the issue of what caused the bug. Was it a platform issue? Was it an interaction with other software? Was it an untested configuration? We might begin to see shorter lists of supported platforms, and hear more responses stating that software is not supported on that configuration, so there is no guarantee. I do not think someone should knowingly ship flawed software, but I do think that some bugs will always be found after the software has been "in the wild".

Re:New guidelines (1)

dedmorris (1137577) | more than 5 years ago | (#28977947)

How about these for new liability guidelines: if the vendor knowingly ships buggy software, the customer is entitled to a 100% refund on the license cost.

Forget 100%. As a competitive advantage, FOSS projects could offer triple the license cost as a refund.

Interesting (1)

BigGar' (411008) | more than 5 years ago | (#28977519)

IANAL - NDIPOOT (Nor Do I Play One On Tv) From the Article: A key passage -- Section 3.05 (b), if you want to look it up -- says that user agreements contain an implied warranty that purchased software "contains no material hidden defects of which the transferor [the seller] was aware at the time of the transfer." What's more, no matter what language the vendor places in the user agreement, the warranty still stands. Wouldn't this make it tough to ship a product at all? The code base would have to have no known defects (bugs) regardless of scope or scale of the bug/defect. I'm assuming a material defect would just be a defect or some part of the code that doesn't do what it's supposed to do. I suppose you could just publish a list of known "usability enhancements", but even then it still seems like a huge burden to place on the developer. What about when issues come up once a product ships? The products that ship after the discovery but before the notices can be updated would be in breach of this "recommendation".

Re:Interesting (1, Funny)

Anonymous Coward | more than 5 years ago | (#28977617)

ADSTIYHTEWTM - Acronyms don't save time if you have to explain what they mean

Re:Interesting (1)

piojo (995934) | more than 5 years ago | (#28977859)

The code base would have to have no known defects (bugs) regardless of scope or scale of the bug/defect.

I imagine you can get around this by publishing the URL of your bug tracker in the contract.

Of course, this URL would probably go to a server that was configured to display no bugs past $DATE and to only display the initial bug report or title, not the ensuing discussion (at least for secretive companies).

Bigger companies (those that sell shrink-wrapped software) might have to just keep a public bug tracker. That would be really nice, because I could look up whether a piece of software had any issues on my hardware before I bought it. (This might be useful for enterprise Linux distros.)

But that's retarded, all software has LOTS of bugs (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28978163)

Every moderately complex piece of software has hundreds or (more typically) thousands of KNOWN bugs in it when it ships. The developers know this, because they try to fix all the *bad* ones before shipping it. Every large project I've worked on had tens of thousands of bug reports in the bug tracking system. For example: our current codebase is a few million lines, and our bug tracker has 35,000 bug reports in it, of which maybe 1 to 2 thousand will be *known bugs* (but minor ones) that are fixed before we ship. This is entirely normal throughout the entire software industry, and useful software would simply NEVER GET SHIPPED if we didn't work like this. /shrug.

A few years ago I was on a team of 4 people that were part of a larger (approx. 200 people) product team at one of those big corporations everyone dislikes. Our component (with 4 people and a few hundred thousand lines of code) had maybe 300 or 400 known open bugs in it, when the product shipped. Which tells you very little about the overall quality of the project--most of those were very minor nits. We did fix around two thousand bugs (ranging from annoying to showstopper) in the months leading up to ship.

bugs are features (1)

kronosopher (1531873) | more than 5 years ago | (#28977537)

No but seriously, considering the amount of money and effort being shelled out to patch software this really doesn't seem plausible. So long as development is beholden to short-term corporate profits, bugs will never go away.

License (1)

pete-classic (75983) | more than 5 years ago | (#28977571)

Could this be worked around with some language in the license along the lines that 1. We disclaim liability. 2. If such a disclaimer is not valid in your jurisdiction, we do not extend you license to use this software?

-Peter

Can a "level" of liability be set fairly? (1)

Soukyan (613538) | more than 5 years ago | (#28977609)

While a number of coders could be responsible for a software defect, it would be the responsibility of a given software project to correct that defect in a timely and effective manner. The reliance on an open source application can be guaranteed in part through support contracts, but simple ethics would dictate that the developers should hold themselves accountable for the final product. I wrote an essay (Liability, Reliability, and Safety [indigospot.com] ) that briefly touches on this topic back in 2007.

One point that I argue is "[c]ompanies must constantly look at their level of liability and manage the reliability and safety of their systems. Spinello discusses some issues of reliability such as software 'bugs' which are an inherent problem with any piece of software and are to be expected, within reason. However, the programmers of the software are expected to assume the responsibility for providing fixes for the bugs and improving upon the existing code."

The problem lies in defining what "knowingly" means. After all, "software vendors know that the nature of software guarantees a certain amount of bugs thereby raises the risk to the vendor. However, it is not unreasonable to expect that any crippling system bugs would be removed from the final release product. Asking software vendors to assume some liability would help to drive the quality of the software upward."

Ironically enough, I ask the question at the close of my arguments: "From a legal perspective, the United States has some way to go to resolve the problem of liability, especially in the software industry. Software products and systems are not only used to process secure transactions and enable consumers to manipulate data, but they are also used in environments where human lives are at stake and sensitive private data is handled by many different people at all hours of the day. Negative feedback has been proven to work less effectively than positive feedback when dealing with the human psyche, but should software vendors be offered incentives to provide better offerings and assume more liability, or should they be forced to accept a minimum level of responsibility by law and an increasing amount of accountability based upon the industry and the application of the product?"

So, in the case of open source software, should an application targeted at the medical industry be more liable than an application that serves personal media on the Internet? While I would like to see more open source software used in more organizations, I believe that as things stand now, service level agreements and quality of support on standard platforms play a large role in determining whether or not to use an open source application.

As for the risk of litigation, where does the onus of responsibility fall when there is no corporate entity? Does the owner of the individual project become the liable one?

Option (2, Interesting)

sanosuke001 (640243) | more than 5 years ago | (#28977643)

Just add a stipulation for software that has source code available as exempt.

Or add an exemption to any company that gives a list of known bugs at release. If they blatantly say they know something is buggy, then that would be fair to me.

There goes the Video Game Industry (1)

Tekfactory (937086) | more than 5 years ago | (#28977653)

Well hell there goes the Video game industry.

No more just ship it and we'll patch it later mentality. Because at that point you "knowingly" shipped product with defects.

Either that or Quality Control esting will drop to Zero and bug databases will get wiped right before shipping.

Re:There goes the Video Game Industry (1)

Tekfactory (937086) | more than 5 years ago | (#28977707)

Either that or Quality Control esting will drop to Zero and bug databases will get wiped right before shipping.

Oh the ironies

Quality Control Testing

Does this mean.. (1)

Tomun (144651) | more than 5 years ago | (#28977657)

Does this mean that if someone informs a vendor of a bug in their software they immediately have to prevent all downloads and inform retailers to remove the product from their shelves until the bug is fixed and replacement software can be shipped?

Does anyone have a link to the full text of these guidelines?

Solution (1)

Absolut187 (816431) | more than 5 years ago | (#28977699)

Any law/guidelines that discourage developers from creating/distributing "known bug" lists is just retarded.

Solution:
Change the guideline to "knowingly selling software with undisclosed bugs".

Then you are just encouraging developers to make known bugs known to their customers, which I think we can all agree is usually a good thing.

Re:Solution (1)

CastrTroy (595695) | more than 5 years ago | (#28978037)

Good point, although I would change it to "knowingly selling software with known bugs which are undisclosed". All the unknown bugs are obviously undisclosed, and you wouldn't want a software company fined because they didn't disclose bugs that they didn't even know about.

Problem is knowing. So close your eyes. (1)

140Mandak262Jamuna (970587) | more than 5 years ago | (#28977713)

So you could be liable if you knowingly ship defective software. The correct solution is then not to look at bug reports and other feedback. Then you could not be accused of knowingly shipping defective software. That is why Microsoft refuses to acknowledge the existence of security holes widely reported and widely being exploited. By saying "We are still investigating the alleged security violations" and making these "inspectors" not communicate with developers and managers charged with shipping the products, Microsoft evades responsibility. It takes money and bigger infrastructure to pull off this trick. Now that Red Hat has also finally grown up and joined the big boys (now it is part of S&P 500) it can afford to pull the same trick. And so it is scaring the hobbyist. Once the hobbyists and enthusiasts stop contributing code the big commercial guys can divvy up the market between themselves. That seems to be the strategy here.

Send bug reports directly by email to managers in Microsoft and Red Hat. Make them "know" the defect. That will level the playing field.

Not like it matters... (1)

dmsuperman (1033704) | more than 5 years ago | (#28977789)

Most software ships explicitly without any warranty and says that it has no responsibility for lost data or corruption and such, wouldn't this negate any liability?

what nonsense (1)

i_ate_god (899684) | more than 5 years ago | (#28977797)

Every company I've worked for has knowingly released software despite KNOWING there are bugs. That's just the nature of the business. Get every single major bug fixed, bring low priority bugs down to a minimum and release. Open source or not, this is how it works. Sometimes the new features of a new version are more important than making sure a particular button in the UI is properly translated in the different languages you support. It's still a bug, and it was KNOWINGLY SHIPPED with that bug, but it wasn't worth the effort.

Sue happy lawyers will one day know what it's like when I litigate my foot up their ass.

The solution is simple... (1)

Zantac69 (1331461) | more than 5 years ago | (#28977865)

Developers will now refer to "known bugs" as "software features that require coding improvement that will be patched at a later date" while "unknown bugs" will remain "undocumented software features"

Agency regulation? (1)

johannesg (664142) | more than 5 years ago | (#28977987)

If you read to the end of the article, they are suggesting that instead of a law, what is needed might be agency regulation. I'm not really sure which of the two is more frightening, or more stifling for the industry...

"like the body or the subject!"- sry (1)

paxcoder (1222556) | more than 5 years ago | (#28978007)

BTW Why are you quoting free software?

And in other breaking news... (1)

atlien247 (1594089) | more than 5 years ago | (#28978029)

...technological progress comes to a halt. Potentially, one could be faced with a perpetual software development project--deadline after deadline missed because of a 'known' bug. Of course, one could always forego QA testing so that bugs can get by 'unknowingly'. Granted, these are extremes, but still... get a clue ALI!

Programmers, Developers, Engineers (0)

Anonymous Coward | more than 5 years ago | (#28978237)

Programmers and Developers are generally safe from any lawsuits, as long as they follow CYA principles [ Cover Your Arse].

Engineers and other LICENSED PROFESSIONALS who USE said software above are liable THEMSELVES.

Simple as that.

Any good engineer knows that software calculations MUST BE CHECKED, and they are liable for any defects THEY [not the software] cause.
