Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Negligence and Open Source

Cliff posted more than 14 years ago | from the stuff-to-think-about dept.

News 361

icing asks: "With the story about the Melissa trial, some people argue that Microsoft is partly to blame. Negligence in making a product safe to use, cannot be excused. And again, software is compared to real world things like cars and how car makers could not get away with what Microsoft is doing. Does not the same argument apply to makers and distributors of open software? Could makers or distributors of Open Source be held liable? Under which conditions? Or do we have a double standard here?" Hmmm...a touchy issue. What are your impressions?

Sorry! There are no comments related to the filter you selected.

And now, a quote from the GPL (2)

jemfinch (94833) | more than 14 years ago | (#1443541)




So no, no one can be held responsible for anything their GPL'ed program does. I don't know how the BSD license works, but I would assume some sort of similar constraint.


Not a double standard (3)

bravehamster (44836) | more than 14 years ago | (#1443542)

I think the difference here lies in the fact that Microsoft (or whoever) is selling them a closed product. Because it's closed, it's Microsoft's responsibility to make sure that everything in the code is "safe", and they should be held liable if it isn't.

I think the best analogy to use in this case is something like kit airplanes. If you buy a whole, complete airplane from a manufacturer (closed source) and it blows up in midair, you naturally and rightfully blame the company that made it. However if you buy a kit plane, put it together yourself, and the engine drops out of the plane in midair, you have only yourself to blame.

So, following this analogy, closed source companies should be held liable, because some things are hidden from the consumer, and open source companies should not, because the customer is able to see _exactly_ what they're getting. This would encourage many companies to switch to an open source model, don't you think?

Re:And now, a quote from the GPL (2)

Imperator (17614) | more than 14 years ago | (#1443543)

Yes, of course, but the typical commercial license has the same sort of clause. A question might be: if Microsoft should be liable for damage due to negligence (e.g. inadequate macro virus security), should open source authors be accountable for similar negligence?

Implied Responsibility (4)

NotQuiteSonic (23451) | more than 14 years ago | (#1443544)

By selling the software to an individual, Microsoft should have a responsibility to make "safe" software. Comparing it to auto manufacturers is reasonable. Microsoft should hire "software engineers" who are professionally licenced and insured to sign off product as safe.

Open source on the other hand shouldn't have this responsibility because it is given out for free. The the responsibility exists with the individual who implements the systems. If I designed a car and left the drawings open source. I would never be held liable for the car if it proved to be a defective design. If I sold the designs, I would.

If someone else sells my free drawings, maybe they should be liable as well.

Re:Not a double standard (1)

Imperator (17614) | more than 14 years ago | (#1443545)

Um, no. If I buy a plane kit, and the instructions for the engine are wrong, I don't only have myself to blame. IANAL, so I'm not sure who is legally liable in such a case.

open source software is like a commodity (0)

Anonymous Coward | more than 14 years ago | (#1443546)

Free software is like air or water, it is just there, like a public good, and when you use it for something, it is your responsibility to understand its limitations and risks.

So if someone is harmed by a system involving free software, the responsibility doesn't lie with the author(s), but with whoever used it in a system. Red Hat, your sysadmin, your manager, whoever chose to use the software.

The more authors are involved in a free software project, the more like a public good the software becomes.

The initial problem is that no one will want to take the blame, but as software and computers mature, that will have to change.

Re:Not a double standard (1)

donutello (88309) | more than 14 years ago | (#1443547)

That doesn't make any sense. Whether the source for Windows was open or not does not change the liability in any way.

It is being sold to people who have neither the time, nor the motivation, nor the expertise to make anything of that source and hence the source being available is immaterial. The analogy with kit airplanes is not apt because the kit airplanes are put together by the people using them and regardless the manufacturer has the reponsibility to make sure that if the instructions were followed reasonably diligently, the aircraft should be in no danger of blowing up.

Now if you want to make up special cases just so you can sleep at night that's a different thing...

IMO anonymous cowards should be kept (1)

SkunkPussy (85271) | more than 14 years ago | (#1443548)

Anonymity on Slashdot has become a haven for the ignorant and childish. I say remove it.

Couldn't agree more, except that if anonymity was removed, then previous AC's would register multiple (fake) names (so you still wouldn't know who the comment), and it would prevent the distinction between those who are prepared to stand by what they say, and those who aren't.
As in, anything you post un-anonymously you mean, because everyone else knows who posted it/has your email address.

Double Standards (2)

at0m (56249) | more than 14 years ago | (#1443549)

What a great question. I'd like to see how some open source coders respond to this. We so often double our standards; whenever there's something we can bash Microsoft about, we do so immediately. But a similar situation in the Linux community would be praised. We all do that, in one form or another.

As for the issue at hand, I don't think anyone, even Microsoft, should be held responsible for such bugs. Cmon, all programs are going to have problems; just because one of the bugs happens to have more risky consequences doesn't mean that it is any worse than a bug that is relatively harmless. It shouldn't be concidered "negligence" - it should be expected by users of the program.

On the other hand, both Microsoft and Open source programmers should be prepared to either a) fix bugs or b) pubish them as soon as they are notified of them.

It's Much Less Of A Problem With Open Source (5)

Bruce Perens (3872) | more than 14 years ago | (#1443550)

Disclosed source-code software has much less of a problem with negligence since the user and distributor are able to perform due diligience on their own - if the user has something to lose they can check the code or read other people's reviews of the code and protect themselves from damage. If there is damage due to negligence, the fault is at least in part the user's because they had the power to protect themselves.

This is not the case with Microsoft's non-disclosed-source-code software - they don't give the customer the power to check or fix their negligence, thus the negligence is all theirs.

True Open Source in general declines warranties because the software is distributed gratis or at very low cost. Of course, you have the option to make a contract with a support provider who might provide you warranties against negligence. I don't think it's likely that a provider of gratis software, Open Source or not, would be found liable for damages he explicitly disclaims. I'd like to hear of any cases where this has happened.



You don't buy open source software. (1)

jCaT (1320) | more than 14 years ago | (#1443551)

The difference between MS and Open Source software is that you don't pay for it. Remember the big piece of FUD from earlier this year?

"What if something happens because of the software? There's no one to be held accountable!"
You can look at it as either an advantage or a detriment, but there's no way someone who writes OSS could be held accountable for something like this. Now, there's a difference between the Melissa Virus case and something like UltraHLE (The reverse-engineered N64 Emulator.) I'm talking about legitimate software here.

That's increadably stupid (1)

Anonymous Coward | more than 14 years ago | (#1443552)

If I use a car to hit somebody, i'm to blame, not the auto maker for "not making the car so it can't hit other people or cars". Even to the extreme this argument doesn't work. If I kill somebody with a gun, it's still my fault, not the gun maker's, even if I wasn't intending to shoot the person.

iToast (1)

Magus311X (5823) | more than 14 years ago | (#1443553)

Cliff is right, this is a touchy issue. I am not a lawyer, but I do have have some thoughts in which I'm sure fellow slashdotters with more knowledge of the field/issue will expand on.

Law. Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party.

Ok, hypothetical situation time. Company X makes this nifty toaster called the iToast. It can track user settings, adjust to hardware failure, and all sorts of nifty things to make you the perfect toast each and every time until the whole thing goes.

But I must mention that the iToast has a built in 3.5" floppy drive so you can apply patches, or isntall a whole different version of the software. Now, Company X ships the iToast bundled with its own software, but a nice little grassroots orginization creates their own OSS for the device. It's faster, and has a better isToastDone(args), which results in better output. Yum indeed.

Unfortunately, the OSS geeks overlooked a small bug which can, although rare (say 1:20000 uses) cause the toaster to burst into flames. Not good.

Now, the question is where can, if at all, the company become liable?

I say there is little chance that the OSS group would be held liable if they released a patch immediately upon discovery of the bug. However, if they chose to ignore the bug, the group would more than likely be held liable for resulting damages. Of course, there are some creative lawyers out there nowadays, so . . . =)


xrayspx (13127) | more than 14 years ago | (#1443554)

Does the MS EULA not have language about not being accountable for "features" (bugs), not intended by the manufacturer? A lot of licenses have been copping out like this, and I don't necessarily think it's a good thing. The GPL is slightly different, because even if the software author doesn't care, you can ask your buddy the programmer to fix it and re-release it. But I don't think MS can be held liable for macros being run by Outlook and Word.


--My magic 8-ball said "Outlook not so good" but they released it anyway...

Re:Not a double standard (1)

cheese63 (74259) | more than 14 years ago | (#1443555)

I have a solution to all these liability problems. Blame it on me. I'm willing to take the fall for anything that happens with computers, because usually I am the cause. Every time I walked into the room with the webserver at work it would mysteriously go down. When I'm at work, the sysadmin has to drink an extra cup of coffee to keep with all the problems I cause. Bottom line, making me the scapegoat will solve any and all liability problems.

Re:That's increadably stupid (1)

uh (127786) | more than 14 years ago | (#1443556)

If the car's brakes were faulty or the gun's trigger was bad, then it would be the manufacturers fault for producing a defunct product.

Open Source responsibility (1)

Gurlia (110988) | more than 14 years ago | (#1443557)

Open Source liability? Hmm, isn't that what companies like RedHat are there for? I know some people don't like RedHat, but this question just brings the real issue to the front: most of us Open Source coders are here because it's fun to play around with code and invent new things. The last thing we want to worry about is whether we might get sued over somebody getting hurt by our latest invention. This is where companies like RedHat comes in -- they provide support, and act as somewhat the entity to point your finger at (read, sue) when things go wrong. We coders can't afford to be sued, hence the standard disclaimer of no-warranty in the GPL: we're not even getting paid (in most cases) for our contributions. We need somebody like RedHat as a "shield", so to speak, in case of major trouble.

But as to our responsibility in putting out quality products, I think the nature of Open Source itself lends very well to producing high-quality products. As hobbyists, we're definitely more concerned for creating the best software out there than how to stuff our products with features so that it's more marketable. Perhaps a few coders might be negligent, but with the vast diversity of coders involved in Open Source projects, each with their own needs, preferences, and biases, such problems surface quickly, and hence, get fixed quickly as well. I think I don't need to repeat past stories on how fast security holes in Linux are fixed, compared to MS offerings.

I suppose you can say there is negligence in the very fact that a security hole exists, but this is a little unreasonable because in a complex system, you don't know what the faults are until you actually put it to use. I think the more important issue is (1) whether problems like security holes are quickly fixed, and (2) coders care about their projects enough to make sure it doesn't contain obvious problems. I would say an Open Source project is stronger on both. On (2) particularly because of the coders' interest -- if your dinner depends on how well your code sells, you'd probably cut corners gladly so that you won't miss the deadline.

Anyway, to get back to the first point -- although we coders have enough interest to avoid obvious problems, and there are enough of us to quickly fix a problem when it comes up, there are still cases where major trouble might result. This is when a commercial entity like RedHat comes in -- it gives us dedicated workers, not just volunteers who could throw up their hands anytime and give up and leave the user in his own soup -- dedicated workers who are ready to accept more responsibility than hobbyists. We need both volunteers and dedicated people.

Lemme fix a mistake (1)

Magus311X (5823) | more than 14 years ago | (#1443558)

Ok, lemme clear something up before this gets flamed into oblivion. =)

In case of said failure, the group would be prolly liable for damages, but I don't think the feds would be on their case or there would be any major lawsuits, if they immediately released a patch.

Bad analogy (2)

EngrBohn (5364) | more than 14 years ago | (#1443559)

Comparing a design by Microsoft (or any other desktop/server software company) that has a flaw in it to a design by an automobile company that has a flaw is a poor analogy, in that a flawed automotive design has the potential to cause loss of life or limb. Desktop and server software doesn't put the customer at the same risk.
Christopher A. Bohn

What about support contracts? (3)

dsplat (73054) | more than 14 years ago | (#1443560)

While both open source and shrink wrap licenses disclaim liability, what about support contracts? When a security hole is known, especially when it is reported to the company providing the support by someone with a support contract, I would think that the courts would be much more likely to find that company liable if they made no attempt to remedy the problem or at least warn their customers of it.

Logically, (1)

lifebouy (115193) | more than 14 years ago | (#1443561)

When you tell someone, "Here are all the parts to build a car, its free if you can get it running!"
it is generally implied that that person is responsible for the car's functionality.
Not so if you sell the car.

They should do it in Beowulf... (0)

Anonymous Coward | more than 14 years ago | (#1443562)

by pouring hot grit down Natalie Portman's pants.

This is not a first post, so they won't censor^H^H^H^H^Hmoderate it

Let history repeat itself... (5)

evil9000 (72113) | more than 14 years ago | (#1443563)

Let history repeat itself. It took car manufactures well over 20 years to start incorporating saftey features into their vechicles, but until that happened, the only people complaining about how unsafe cars were were the people who cleaned up after the accidents (ie Doctors, nurses, etc).

This all changed with the Nadar report - and the publicity it generated in the media and the public eye.

What needs to be done is to increase people's awareness of how bodgy the Micro$ server code is, and how only the micro$ exchange servers were the ones that were affected adversly by the Melissa virus...

Re:open source software is like a commodity (0)

Anonymous Coward | more than 14 years ago | (#1443564)

Just to play devil's advocate: should there be no responsibility if the air or water is buggy (polluted)? I have exceedingly little choice about breathing air and drinking water; yet you seem to be saying that it should be my problem if I breathe air someone else has messed up.

I don't think an OSS creator's liability should be out of proportion with his gains... I just think this analogy is, uh, flawed :) (eg I have much more choice about using OSS)

Re:And now, a quote from the GPL (0)

Anonymous Coward | more than 14 years ago | (#1443565)

I suppose if personal injury resulted, the above disclaimer would be ineffective. (Under the UCC, a warranty disclaimer is ineffective for many kinds of personal injuries) The real question is, who do you sue?

Designing in security holes (2)

dsplat (73054) | more than 14 years ago | (#1443566)

Since the design criteria for Java were published, there is a clear source available warning of the dangers of allowing arbitrary pieces of code to be executed without the knowledge and consent of the user. Setting the security switches that would prevent this to the choice that allows it to happen by default is only slightly better than providing no way to turn it off. In essence, designing a way for arbitrary pieces of code to be sent to a machine and executed automatically is designing in a security flaw. That is an error of commission, not one of omission.

Re:Implied Responsibility (0)

Anonymous Coward | more than 14 years ago | (#1443567)

Redhat sells software too.

Re:Not a double standard (1)

Lazy Jones (8403) | more than 14 years ago | (#1443568)

I agree. Hopefully, at some point Microsoft will lose their grip on the customer to such an extent, that competing companies will be able to offer their equivalent products with an extended warranty as a value-enhancing feature, which will in turn put pressure on Microsoft to act similarly. Just because right now, people are used to the fact that there is no warranty on shrink-wrapped software products (as opposed to contract work), it doesn't mean that there is no market for it. It just means that so far, companies have got away with it (and some companies can get away with almost anything, like trojan horses spying out their customers illegally).

Not now (2)

QuMa (19440) | more than 14 years ago | (#1443569)

As it stands with current licenses, I think you can't blame anyone, at least not legaly. However, maybe the 'we are not responsible' clause should not be allowed if you sell the software... Dunno the legal implications, but it seems reasonable.

If you are only selling the medium, I suppose you aren't liable.

All software is Buyer Beware (4)

NateTG (93930) | more than 14 years ago | (#1443570)

There have been several posts claiming that Open Source software has less necessity for security, or safety. That the GPL somehow exonerates OSS in some way that the MS EULA does not. All of this is bunk.

If OSS software is really a general purpose solution then it must meet as stringent a security requirement as any other such solution. For all of those Linux evangelists out there, we can't claim security as an advantage in on sentence, and then claim less resposibility for it in the next without sounding silly.

What Linux does have is a better testing system, a more heterogenious and reliable user base, and a significantly better bug response method.

The concerns about safety, be they virus propogation, data integrety problems, or uptime/essential systems issues. Are the responsibilty of the system's administrator. Any system can be made secure by a careful admin, and any system can be made unsafe by running unknown (read closed) software.

The reality is that computers are so complicated that Admin's (for that matter developers) cannot go through the code checking all cases in some perverse proof of correctness. Making software engineers sign off just means that someone who really isn't responsible for having a buggy or defective piece of softwar can be canned for the zealous marketing and management of his company.

If a company claims that a system is secure - e.g. NT according to MS or perhaps Open BSD then the company could be considered liable if:
a) It fails to take reasonable measures to make sure that said product is secure.
b) Refuses to respond to security issues as they arrive.

The software you buy is always as is. Beware.

Re:Bad analogy (2)

HaKn5La5H (32015) | more than 14 years ago | (#1443571)

It does if that sofware is controlling something dangerous or important--like medical equipment, trafic lights, and nuculear bombs etc...

Cost is the key (1)

LotharHP (106080) | more than 14 years ago | (#1443572)

Meaning that if you get a piece of OSS for free and it doesn't work or causes some damage to your system then your pretty much out of luck unless you can prove that the faulty code was malicously placed. On the other hand if your purchase OSS software from someone who has repackaged it then you have an expectation of quality and the seller should be liable for it. Of course this isn't even the case for closed source commercial programs these days. Especially "shrinked-wrapped" software that often comes with disclaimers against liability should their software to really nasty things like burn down your house or trigger the apocalypse.

Re:And now, a quote from the GPL (0)

Anonymous Coward | more than 14 years ago | (#1443573)

Anonymity on Slashdot has become a haven for the ignorant and childish. I say remove it.

What a childish and ignorant comment.

Re:And now, a quote from the GPL (1)

Yebyen (59663) | more than 14 years ago | (#1443574)

The difference is that the EULA is so ridiculous that it is practically invalid. EULA's and similar licenses usually say that we have no rights and the software can be yanked out from under us at someone's whim, and we have no legal recourse if anything goes wrong, and we do not own the software, which means that we cannot do practically anything. These types of agreements (shrinkwrap licenses) would not hold up in court. The GPL says that if anything goes wrong, you have no legal recourse, but it also says that you have complete and total rights to redistribute software and such. This is much less of a one-sided agreement and much more likely to hold up in court.

As long as it does what it's supposed to do... (1)

Lazy Jones (8403) | more than 14 years ago | (#1443575)

... you can't blame the manufacturer. But if your car suddenly exploded because you put in the reverse while the radio was on (a good analogy to typical Windows behavior), then you would blame the auto maker - I hope.

Reasonable diffrence (2)

Felinoid (16872) | more than 14 years ago | (#1443576)

The liability should be on a product sold. With RedHat etc you paid for the pacaging not the develupment of the software. If something is wrong with the software that RedHat caused by the way the pacaged it or could have prevented by a small change in pacaging then they should be liable but if the problem is a flaw in the software RedHat did not develup (or develuped and gave away) they should not be liable.

If you buy a Compaq computer with Windows preinstalled you still paid Microsoft not Compaq for the software.. But if a defect in Windows is caused by the way it is installed then Compaq who installed it is liable.

The open source develuper who codes and gives away his software sold nothing and is liable for nothing unless he makes clames to the fitness of his software.

Basicly Microsoft might be liable for selling a defective product or a product with an unreasonable security defect. Sence open source develupers do not sell any product they can not be held reliable for that non-sale.
Giving away a defective product is (at this time) not subject to liable.

This may change over time with busnesses selling support instead of product but for now if Microsoft is found liable for selling a defective product it could boost open source a great deal..
Sell product and be liable for defects or sell support and let the userbase be responsable for the repairs.

But again even in open source your liable for clames so if you clame a product is bug free you could put yourself in a position of being even more liable than if you had sold the software to start with... Sold product can get away with a few defects so long as it can be shown to be reasonable.

negligence and open source (1)

d_ray (87502) | more than 14 years ago | (#1443577)

Ross Perot would call this "pie in the sky" argumentation. And it's just the kind of thing that hinders the open source movement. More so than graphics or limited apps or even setup/average user issues, the climate fostered by those who try to use weak, unproved theorems as postulates undermines the foundation of open source.

Icing's question of a double standard is moot. If someone breaks into your house, is it your fault that you didn't install just the right kind of alarm that would deter that criminal? Don't lose sight of who is malevolent.

Re:That's increadably stupid (1)

Phroggy (441) | more than 14 years ago | (#1443578)

YEs, but in the latter case, people will still get upset at the gun manufacturer. Correct me if I'm wrong, but I believe there have been lawsuits about that. Even if not, the idea has prompted gunmakers to add extra safety features.

important distiction (2)

MillMan (85400) | more than 14 years ago | (#1443579)

It's important to note the fact that microsoft is a corporation and most open source developers are individuals, and there aren't many developers that have formed oprn-source based corporations, relatively speaking.

When you speak of liability I assume you mean money. If microsoft is held liable for whatever they have done, generally the only penalty would be monetary, at worst they might be broken up.

Since microsoft (and most corporations) are pretty big, the penalties don't do all that much damage. It is extremely rare for a government body to come out and say "you have been found guilty, your company will cease to exist, your assets will be liquidated."

When we get to individuals, however, monetary damages can seriously impede your ability to do anything, such as programming, and often times people are thrown in jail (fraud, malpractice, whatever). Bill gates is most certainly not going to do jail time, even if it were proven his company has broken numerous laws with him knowing it. When you have a number of individuals developing a certain product open source style, with no business relationship, who would be held liable anyway? Try to single out who wrote the offending lines of code? It's not that simple and our law system doesn't cover this very well to my knowledge.

Is there much software out there that has a warantee anyway? I haven't seen basically accept it "as is" as far as I know.

Anyway, I think the bottom line is that open source software is much, much more accountable to begin with than microsoft will ever be for plainly obvious reasons: it's simple to determine whats causing the problem.

Re:That's increadably stupid (1)

evil9000 (72113) | more than 14 years ago | (#1443580)

if i crack someones computer using a bug in micro$ products, then who is to blame??

users have no choice (1)

Lazy Jones (8403) | more than 14 years ago | (#1443581)

... at this time, they have other issues to worry about when they choose their software (other than small print in licenses). If there were competing products equivalent to MS's, but with a more user-friendly EULA and even with a slightly higher price, I'm sure that most people would choose those instead (as long as they knew about the differences).

Re:Double Standards (1)

ncc74656 (45571) | more than 14 years ago | (#1443582)

As for the issue at hand, I don't think anyone, even Microsoft, should be held responsible for such bugs. Cmon, all programs are going to have problems; just because one of the bugs happens to have more risky consequences doesn't mean that it is any worse than a bug that is relatively harmless. It shouldn't be concidered "negligence" - it should be expected by users of the program.

This is an overly-broad generalization. A bug that trashes your computer's hard drive is one thing, but a bug that kills is another thing altogether. (Yes, there have been software errors that have ended up causing severe injury--and even death. Computer-controlled medical devices come to mind as an example; ml [] is a paper I wrote a few years back regarding such problems.) Is a bug that kills really no worse than one that merely inconveniences people? I think not.

Re:Bad analogy (2)

EngrBohn (5364) | more than 14 years ago | (#1443583)

To repeat myself, desktop and server software does not put life & limb at risk. Embedded software might.

Further, unless and until life or limb is endangered, then there's nothing to hold Microsoft accountable for. Consider the voluntary recalls many, many companies issue to correct design flaws that they discover before anyone is injured. Similarly, if Microsoft were to issue a Service Pack and notify all registered users of that software before anyone is injured, then there'd be nothing to hold them accountable for.
Christopher A. Bohn

Automobiles, Open Source, and parenting the public (2)

Oestergaard (3005) | more than 14 years ago | (#1443584)

You can be held liable for whatever you promise, which is why most open source software has a clause something like:
>> This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

If you read the EULA from Microsoft, I'm pretty sure that they have a similar clause, much to most people's surprise. Then what are you actually paying for, you might ask. Well, that's the good question ;)

The car-makers have a responsibility of making cars *reasonably* safe, according to government regulations. They are not required to stop your kids from driving into brick walls using your car. They are however required to make sure your car doesn't fall apart or stops breaking when you want it to etc.

There are no such rules (yet) for software. The vendors make the rules, and the vast majority of customers/consumers simply neglect this fact and *expect* that there is some sort of reasonable agreement behind it all, just like when they bought their car.

Open source licences are usually very cautios to ``warn'' people of the possible dangers that lie ahead when using the software. And some people may even pay attention because ``there's gotta be a catch with gratis software after all''. I think this is a pretty good way to handle things.

There could be some sort of either regulations or at least some rule that software vendors should state LOUD AND CLEAR what they promise and what they don't. Pretty much like the warning messages on cigarette boxes :) This would probably not change the promises or the software, but it would make the general public aware of the lack of promises they actually get from spending huge cash on closed source software.

Re:open source software is like a commodity (0)

Anonymous Coward | more than 14 years ago | (#1443585)

just to bend the analogy a little (too much perhaps): if you're designing a building and need to ventilate it or bring in drinking water, is it your responsibility to make sure the water is clean by filtering it as it comes in, or should you just hope that if it has chemicals and someone drinks it and falls ill, they will find and sue all the polluters?

similarly, if you are redhat and you put together a software distribution and call it a "super secure server", do you take responsibility for the software, or do you put in a fat disclaimer and hope the original authors get sued? I don't think so, I think since redhat had all the source code available to them, they should be able to put a stamp of approval on it and be held accountable, just like microsoft should be for their software.

Re:Bad analogy (2)

msslave (26178) | more than 14 years ago | (#1443586)


I wonder what would happen if I scrambled critical data concerning your life around.

"Gee Mr. Bohn," says the nice lady behind the counter, "Our systems shows that you are overdue on your student loan payments. Guess you can't have that nice car or house or engagment ring."

"Mr. Bohn, due to the lack of poor grades, police record, and drug abuse, we do not want you working for the XYZ company."

"The arrest warrent says the address is 123 Main and the crook is armed and dangerous and a cop killer." (The felon actual lives at 123 Maine, but hey, due to a error, you don't care, you are dead.)

Bad data can kill. Think before you type.

Re:Not a double standard (2)

ralphclark (11346) | more than 14 years ago | (#1443587)

To my mind the difference is clear. When I buy a thousand-package CD set from SuSE for GBP25.00 I know I'm not getting any guarantees. Only an idiot would expect there to be any at such a price. Caveat Emptor.

But when I have to fork out GBP140.00 for just one CD of Win98SE without any applications I damn well expect the thing to work. When it doesn't (even after spending a fortune online to download dozens of megabytes of official updates) I think I'm quite justified in feeling ripped off. Just look at the EULA for Christ's sake. According to them we have no rights of redress at all! We're all being shafted up the ass big time and we must be stupid to let it happen.

Microsoft have got it coming to them all right.

Consciousness is not what it thinks it is
Thought exists only as an abstraction

Re:Double Standards (1)

J4 (449) | more than 14 years ago | (#1443588)

I'm not disputing that there is an apparent double standard but the problems with macro viruses aren't due to bugs. The problems are caused by "features". Features of dubious value which were implemented with disregard for security.

To make a car analogy.....

Rear hatch on early Chysler minivan. Bug...
latch was poorly designed

Suicide doors on 62 Lincoln.... Feature...
Meant to look good but an inherently unsafe design.

The latch on the minivan can be modified to perform as expected
No matter what you do to a suicide doors (short of welding them shut) they are unsafe.

err.. In case anybody is too young to know, suicide doors open backwards

It's a double standard (1)

Rainy (17894) | more than 14 years ago | (#1443589)

And for a good reason - the situation is different. MS can afford to do this sort of thing because Microsoft is a monopoly. Let's imagine for a second that qmail developers get really lazy or reckless and allow several scandalous security bugs to creep in their release. What happens next? I will switch to exim or sendmail or something else - and you will, too. This is not really a question of Open Source vs Closed Source, and I think guarantees and responsibility for your product are not important. If there's healthy competition, these issues are solved implicitly.

Re:Open Source responsibility (0)

Anonymous Coward | more than 14 years ago | (#1443590)

I'll be glad when you so-called OSS coders finally write code that doesn't crash on my Linux box. Sure the OS keeps running but the apps crash left and right. You guys aren't any better at coding than the commercial guys and you know it!

Does it "work" (0)

Anonymous Coward | more than 14 years ago | (#1443591)

You are confusing "Windows 98 is a buggy OS that doesn't do many things very well" with "It doesn't work". The fact is everything on the Win98 CD *does* work as it was designed, to a certain extent.

"This isn't very good, it sucks!", and "This is horribly defective and somebody owes me my money back!" aren't the same thing.

You have the wrong idea (1)

ZorkZero (6507) | more than 14 years ago | (#1443592)

It's about the car being manufactured with an engine that self destructs and the hood welded shut. It's about the driver getting injured if some wiseguy puts a brick in the road with a hat on top of it. It's about being obliged to take the car to a Microsoft service center for any repairs, because nobody else can get any parts. (What do you do if your car breaks down in the middle of nowhere?) There are so many other parallels. Can't steer if the power steering goes out. Can't brake if the power brakes go out. When you blow a fuse the locks and windows won't work. You have to pay extra for more than one passenger at a time. As you drive along, more and more inexplicable grinding noises accumulate. And you have to do a full overhaul to get rid of them.

Hmm, there's probably more?

Re:negligence and open source (0)

Anonymous Coward | more than 14 years ago | (#1443593)

Yes, but your analogy is a bit off. Free software could be considered equivalent to building your own alarm. Those that built the parts that you used couln't be held liable. If you purchase a commercial alarm system, you expect more. If the manufacturer finds out about a way for people to break into your house and doesn't tell you about it or make any attempt to fix it, they are negligent.

Re:Reasonable diffrence (1)

test972 (125415) | more than 14 years ago | (#1443594)

Here's what I think - If I paid someone for something - I expect it to work - otherwise its their problem - whether they coded it or just packaged it.

As you mentioned Redhat charges for packaging. Since they are charging for it - its their responsibilty to make sure that what they put in their distro works before they package it.

As someone mentioned previously here the incentive for RedHat is to package it in such a way that for the product not to work - so that they can start charging for support to make the product work.

On the other hand I downloaded RH 6.1 - tried to install it - the install exceptioned out because whoever coded the install decided that after doing partitioning they just continue without rebooting. (Maybe its what RH wants - if the default config does not work - buy support and we will fix it for ya).
If I had paid for that I would have been terribily upset - but since it was free download I downloaded Linux-Mandrake - it recognized the partition prob - made me reboot the system and the install worked.

So my point is - if you pay for something - it better be something that works - or whoever is making money off it should be in serious trouble - whether it is Microsoft's proprietery s/w or RedHat's Open Source software.

Yeah - I know its bit harsh - blaming redhat for a bug in gcc because they packaged it - but rewards come only at a certain risk - and the money that they expect to make out of selling open source be better used to make sure that open source that they are selling really works.

And it may not even fit into the current paradigm of Open Source developemnt - but world is changing and someone should be their to accept responsibility for a bug/problem - because it is no longer a hobby-ist's OS but when businesses get into it they expect someone to take responsibilty for what they are paying big bucks for.


From another point of view... (1)

Madjeurtam (101190) | more than 14 years ago | (#1443595)

For me, the responsibility comes more from the system administrator or even the individual who chooses a non-safe {OS - Server app - Client app} than from the software designer, open source or not.

IMO, the software designer can sell or distribute, freely or not, any program, even if it is full of security holes. The license of any program (commercial AND GPL'd) has a clause which says that the software designer is not accountable for bugs their application may contain. That's really the job of a good system administrator to secure its system and to choose the right solution. That's a matter of choice and these clauses in MS EULA-like licenses protecting the software designer against legal attacks seem a Good Thing (TM) to me.

Of course, theses views apply less easily to the home user, but the user who don't protect himself against macroviruses or security holes in his mail client is responsible from his own negligence. There is enough talk about Melissa & others in the mainstream press for the average user to know theses problems.

Don't ever forget that the perfect, bug free, 100% secure software is a myth. Legal actions against software designers have no real effect against big software vendors, but would hurt little companies/individuals, resulting in less choice, since only big companies would be able to "take the risk" to publish software ! It must be harder to write software with the constant fear of a legal action if you make a mistake somewhere in your code.

With my reasoning, no double standard problem : the system administrator / the user is the first person to be accountable for his poor choices.

Just my thoughts,


But w OSS, you can check safety before running it! (1)

Anonymous Coward | more than 14 years ago | (#1443596)

You cannot examine the code on closed source software to make sure it is suitable to your purpose before executing it. With OSS, you can... at least theoretically. Of course it is arguably impossible to fully check out source for large programs (any linux distro, for example). You could check key areas that worry you though. This absolves OSS authours from lawsuits (IMO), but not closed source vendors.

Due diligence (to what?) (1)

Aleatoric (10021) | more than 14 years ago | (#1443597)

One of the biggest conditions applied to liability issues in any product is intended use. You can't, for example, sue a knife manufacturer because you got stabbed by one, whether you did it, or someone else did.

That being said, what is the intended use of a general purpose operating system (as opposed to specific systems, such as life support systems)? No-one that I have seen will argue, for example, that Windows 98 is secure, or is even intended to be secure. Linux and NT are quite a bit more secure, and it is usually these that are placed in an environment where security is an intended goal.

However, a knife (or car, etc), are devices with a well defined, specific purpose, and the same cannot be said of operating systems, by and large. The intended purpose of any particular OS installation is entirely dependent on what it is trying to do, eg. be a webserver, transaction database, etc. Since it is quite possible for a badly behaved application to compromise even a very good operating system, you are then faced with choosing who to hold responsible for any failure, the OS vendor, or the app vendor (if they differ).

Admittedly, the better the OS, the less likely is the above scenario, but the only really secure system is a secure SYSTEM, in other words, if any part of the system is insecure, the entire system can be considered to be insecure, by extension.

Assuming that we allow the establishment of responsibility on the part of the vendor for security issues, one of the telling parameters that is involved is that of forseeability, or was the compromise that occured one that could have been reasonably forseen, and guarded against before the fact. And we haven't even addressed the issue of bugs.

Due diligence doesn't mean that the product must be perfect, it means that the manufacturer is required to make a reasonable effort to prevent, and / or correct, any issue that might arise. To use the Melissa virus as an example, it is not necessarily MS's fault that such an exploit can be made in the first place, but they could be reasonable held accountable if they failed to address this issue after the fact. I would also say that the same applies to Open Source products as well. It is disingenuous to apply a double standard, if MS can be held accountable, so can Open Source, and vice versa.

Notwithstanding the fact that both MS's EULA, and the GPL both contain warranty disclaimers, it is also true that such disclaimers are not protection against negligence or failure to exercise due diligence.

The above diatribe aside, when it comes down to the crunch, it is my belief that the architects/administrators of the system should be responsible for security issues on their system. And this is where OSS really works best, it places in the architects hands the ability to fully scrutinize the particulars of the system they create, and provides them with the greatest amount of control over the operation of the system. If the system architect chooses a closed system, they still must be responsible, since they CHOSE the system they provide.

Microsoft clause to cover their errors (1)

mr (88570) | more than 14 years ago | (#1443598)

If you use Micro$oft code as a basis for your product, and your product doesn't work (because of Micro$oft code) and you are sued, here's a clause:

(c) indemnify, hold harmless, and defend Microsoft from and against any claims or lawsuits, including attorney's fees, that arise or result from the distribution of the Redistributable Component

Think it can't happen? Anytime there is a loss, the lawyers take a shotgun approach. Sue EVERYONE who was involved. That means you, the software developer, Micro$oft, etc la.

We humans CAN make error free software. We have missles that fly through the air, make tight corners, fly through windows and blow up. As opposed to software that is on windows that just blow up. Yet, the 'market' won't 'buy' software that is bug-free. Personally, I believe the market won't buy it because it hasn't been convinced to buy it.

The second problem is software doesn't match the assembly-line mass production model, more of an artist crafting a work. So the relability we have come to expect of mass producted items *koff koff* doesn't apply to the software world.

And until we move beyond the lone artist and more assembly line, we will have bug-ridden large software releases.

Who's to blame for the 'virus'? I can say its not me. I don't buy M$, and don't write viruses.

The consumers (for buying insecure software), the writers of the insecure software, and the virus writers are all able to take the blame.

As OpenSource delivers what M$ (and others) can't, the consumers will make the demands of good software, M$ will have to deliver or die.

Okay, How about this.. (1)

J4 (449) | more than 14 years ago | (#1443599)

Another car analogy but this time nobody gets hurt.

1981 Caddy Eldorado with v6. These cars ping.
It is well documented that there is nothing you can do about it
This was an expensive car that has driveability problems. Got tons of bells and whistles but the only thing you can do when it's pinging (which can burn a hole in a piston, not a cheap repair) is turn the radio up. That or put in a different motor (also not cheap).

Let's face it, there is no such thing as a good analogy
but to nitpick because nobody dies from macro viruses
is delusional.

Re:Cost is the key (0)

Anonymous Coward | more than 14 years ago | (#1443600)

Yeah, but if you haven't noticed the commercial companies would never release the awful quality of software you find in the OSS community for a 1.0 release. At least they make sure it works and looks good. Sure they may not find all the bugs but overall the apps are quality apps. This is not the case with OSS software. I've used too much of OSS software that keeps crashing, making we long for the day when the commercial companies start porting their "for-fee" working apps to Linux, so I don't have to put up with the inferior OSS junk that's just a duplication of what one can get commercially.

Re:It's Much Less Of A Problem With Open Source (0)

Anonymous Coward | more than 14 years ago | (#1443601)

hello people. in an abject case of NEGLIGENCE, I emptied an OPEN bowl of hot grits down my pants. This has been the SOURCE of my 3rd degree burns on my inner thighs.

Merry Xmas, and Happy Holidays from the Grits Boy !

One grit. One love.

-- Linux and grits down my pants. Does it get any better?

Auto Makers (0)

Anonymous Coward | more than 14 years ago | (#1443602)

Ummm, auto makers DO "get away with it".

Ford Pinto -- A corporate decision was made that lawsuit settlements would be cheaper than re-engineering a known faulty design. Result? People were burned. Ford had to pay more money than they anticipated. Ford is still in business today doing pretty well (so much for consumer backlash).

Then there's the Chevrolet Corsair -- another known faulty design that hurt people. Today's obvious statement -- Chevy is still in business.

So now the "we hate Microsoft" group cries that the folks in Redmond are to blame.... for what? Locked-up mail servers? A lovestruck 31337 wannabe who glued together a VB script that had some nasty consequences?

Folks, if maiming and killing people doesn't put a company out of business, hanging their MS Exchange servers damn sure won't do it.

If you want to take out Microsoft -- make a better product (hint: you've already beat them in the server arena). Market it well. Make developers want to write on your platform (oh wait -- already did that).

Please don't waste time trying to put them out of business for making vulnerable mailservers. It won't work. As a professional, your job is to point out these shortcomings to the people with the checkbooks. If they don't ask you or (worse) ignore you, they have no one to blame but themselves. And if they offer you a ride a home in their Pinto, take the bus.

Due Diligence (2)

warlocke (29338) | more than 14 years ago | (#1443603)

Mr. Perens has (as usual) an apt comment. Disclaimers:
2) I am not directly associated with Open Source Software.

The concept of due diligence is hyper important. In fact, a finding of negligence is essentially a finding that due diligence was not performed.

What I have seen of Open Source indicates that the people who work on it are extremely "diligent" where bugs of all kinds, not just security bugs, are concerned. When one is reported, generally someone gets after it right away, to (1) confirm it's there (2) figure out what a fix should be and (3) fix it. This is an historical pattern, I believe, and could be substantiated by lots of testimony.

Note that the Law doesn't require that the bugs actually be fixed, or that the fix be better than the bug was. Due diligence simply means that all reasonable methods were used to conclude what the problem was and how it might be fixed, and to fix it if it seemed warranted.

Note that in the Pinto and GM Truck cases mentioned above, due diligence broke down -- the companies involved concluded that the problem existed, but that it wasn't economically justifiable to fix it, that is, the necessary fix would cost so much that it wasn't worth it. The Court, in general, is hostile to this view, to say the least.

There's also the matter of 'deep pockets' and political correctness. Even with all the malicious hacker stories in the press, you still wouldn't get very many lawyers willing to sue some 26-year-old nerd for negligence in fixing a software bug; defense lawyer starts telling sob stories, and it's likely to turn the whole thing around -- plus, how much are you likely to get? An Open Source programmer isn't likely to have much. Companies like Red Hat theoretically have money, although most of it's virtual, Stock Market valuations that probably couldn't be realized. With BMW payments to make, how many will chance it? Microsoft on the other hand is known to have a pile of real cash, easily converted to your Actual Folding -- just what a plaintiff's lawyer likes to see.

So no, I can't see open source being in much danger from negligence suits for software bugs. It isn't an attractive target for such suits, and a fairly strong defense is on hand. Bill & Steve might should sweat it.


Re:Implied Responsibility (1)

matman (71405) | more than 14 years ago | (#1443604)

Lets break the analogy down... OSS vs Car Manufacturing OSS code = blueprints for a car OSS bin = manufactured car

if you compile a program and distribute it, i say, you should be responcible for it, if you distribute the source code and someone else compiles it, they should be responcible.

Altho, car manufacturing plants arent usually redily available to the general public to 'compile' car designs, so, this analogy might not even hold up here.

Re:It's Much Less Of A Problem With Open Source (1)

test972 (125415) | more than 14 years ago | (#1443605)

Yes - it would make perfect sense - if we assume that all the users of Linux are going to be kernel hackers or hobby-ists who spent half their time exploring the OpenSource code for the OS and all the applications that they run. But if the users were just this small group RHAT shares would be selling for less than pennies. But once when this starts to be a mainstream application / s/w / OS - can we expect each company who decides to use Linux (and are paying big bucks to companies like RedHat - to make sure that they get something that really works - better than what they were using before) to go into the source code and make sure that it does not have any bugs.

So someone should start taking some responsibilty. If someone wants to make some easy money out of this OpenSource they better understand that along with just putting everything on a CD and charging low distribution costs of 40/50 bucks they better make sure that they work properly too.

Who's to Blame? (1)

Sirius25 (96063) | more than 14 years ago | (#1443606)

Personally, i don't think MS, or any software publisher, should take the blame for something like a virus.

Do we blame the carmakers for making unsafe cars when somebody plants a bomb on it?
Or do we sue the people who make windows when a brick comes flying through and hits us in the eye?

No, of course not!! It's not MS's fault....

Don't sweat it! (1)

Bobzibub (20561) | more than 14 years ago | (#1443607)

The main difference is that most Open Source contributers are individuals and could not fork over the winnings of a major award. Many are poor (students!) and are spread across many countries; companies are insured and have assets.

Big Rich Company licence: "We are *not* liable."
GPL: "We are *not* liable."

Lawyers know where the gold is. Which will they widdle away at?

RedHat might worry, but the rest of us are safe.

Only Microsoft Will Ever Receive Blame (1)

VAXman (96870) | more than 14 years ago | (#1443608)

Microsoft is the scapegoat of the computer industry. Every problem which occurs in the industry is blamed on Microsoft, if the company was involved in any means at all; if there is a problem which does not involve Microsoft, it will be ignored by the media. Practically every element of the media, from the most non-technical columinst in the daily newspaper, to the editor of the most elite technical consultant publication, rats on Microsoft, and only Microsoft, continuously.

It is not an issue of open source vs. closed source. It is an issue of Microsoft vs. non-Microsoft. Companies such as Sun, Oracle, Apple, and IBM are primarily closed source, but are 100% immune to blame.

Blaming the Melissa virus on Microsoft was just an example of Microsoft as the scapegoat. Much more serious security problems have occurred in the past which should have been blamed on the appropriate vendor (e.g. the internet worm). However, since these didn't fit into the media's convenient definition of who is to blame for every problem in the industry, they received little press, and were blamed on "hackers", instead of the irresponsible vendors.

A prime example the media using Microsoft as a scapegoat was yesterday's Hotmail outage. Here, the problem was blamed on Microsoft since it owns Hotmail. The fact that the Hotmail servers run Unix was ignored. Had Hotmail been run by another company, but used Microsoft servers, the problem would again have been blamed on Microsoft, absolutely regardless of who really was to blame.

An excellent example of a problem being ignored because Microsoft wasn't involved is eBay's continuing problems with Solaris. eBay's market capitalization has dropped by literally several billion dollars because of outages which were caused by bugs in the Solaris operating system. However, this is never brought up in the media, because Sun is considered a holy company by the media, and the perception is that no problem could POSSIBLY ever be Sun's fault. (Ironically, since eBay uses Microsoft products as the front end for its servers, Microsoft received blame very early when the problem first appeared -- though the critics quickly shut up when they realized that in fact Sun was to blame and the Microsoft products were chugging along nicely. Note that they didn't switch to blaming Sun, they merely stopped blaming Microsoft.)

An extreme example of Microsoft as the scapegoat has been Judge Jackson's ruling that failed products such as Netscape Navigator and OS/2 all owe their failure to Microsoft. It is now commonly thought by many people that ANY product which fails in the marketplace owes its failure to Microsoft, and not lack of marketing, lack of quality, etc.

So, no, open source software will never receive blame if it fails or has technology flaws. At least not now. The media is having a field day blaming Microsoft. If ten years down the line, open source becomes the standard, then it will likely begin receiving the blame, as the media seems to be only pick on whatever is popular.

A computer is a tool. (0)

Anonymous Coward | more than 14 years ago | (#1443609)

If the hammer I just bought happens to have the ability to smash my thumb it's my fault for letting it do so.

A software bug might not be as obvious but you are responsible for your own data. If you follow basic safe computing even the biggest problems are easily recovered from.

Now that all being said... For those people who feel the need to sue someone the choice is pretty simple. You buy the distro from company X (or otherwise you download it at your own risk) they are the ones who are selling you a product. If it ends up being defective they're the ones who will get sued.

Take some Initiative (1)

erik umenhofer (782) | more than 14 years ago | (#1443610)

Windows has many problems but with litte work, a lot can be patched up. This goes with most operating systems. I think the general public doens't have that many problems with windows being "unsafe". People do stupid things then blame the software. I think the software is very safe and over many many years of using each version, I, and many people I know, have not had a single problem with unsafe software. Is this all MS's doing? No, i think it's being half intelligent and using the software the way it should be. I know for a fact I'm not a exception. There are many examples of people not making a safe product, I think people like to go on witch hunts, and MS has recieved the brunt of this.

Re:Not a double standard (1)

mochaone (59034) | more than 14 years ago | (#1443611)

I appreciate your willingness to accept responsibilit for all of mankind. When they mention the cliched statement that "someone is sued every 2 minutes in this country", we will know they are talking about cheese63.

Where were you when cheese63 took responsibility?

Re:Bad analogy (2)

Mawbid (3993) | more than 14 years ago | (#1443612)

desktop and server software does not put life & limb at risk

Oh, I don't know. I have only so many MacOS crashes left before I take that G3 box and fling it through the window and when I do, your life and limbs better not be on the pavement 4 stories below :-)

Re:It's Much Less Of A Problem With Open Source (0)

Anonymous Coward | more than 14 years ago | (#1443613)

True Open Source in general declines warranties because the software is distributed gratis or at very low cost.
Oh really? So, to get the Bruce Perens Certified Truthness Feature on Open Source, you need to surrender your investment to beggars and thieves?

Yeah, sure. Tell us another anti-business myth, Bruce.

Re:It's Much Less Of A Problem With Open Source (0)

Anonymous Coward | more than 14 years ago | (#1443614)

Yes, we assume Unix users are programmers. Unix was made for programmers. We didn't invite the non-programmers, so they need to learn to cope on their own if they insist upon crashing our party. They are not our responsibility. It's time for users to take responsibility for their own ineptitude.

Re:And now, a quote from the GPL (0)

Anonymous Coward | more than 14 years ago | (#1443615)

That's not a valid licence, for millions of reasons. Here's just one: There's no quid pro quo, so it's not a legal contract.

Re:And now, a quote from the GPL (1)

TerryMathews (57165) | more than 14 years ago | (#1443616)

Just remember that no major EULA has been tested in court, except under piracy circumstances. And, piracy falls under copyright law. So, most of the clauses of EULAs have not yet been shown to be upheld in court.

No one makes OSS a target (0)

Anonymous Coward | more than 14 years ago | (#1443617)

Just as many virii and trojands can affect Linux and OSS. The big difference is no one makes OSS & Linux the target. A virus or a trojan can be written for any OS, t just has to be in the scopes of the people creating them. Remeber the most famous of all, The Interner Worm, did not affect MS at all. Don't be so cocky about accusing MS code to be faulty, ans OSS to be so secure. It is much easier to crack a safe when you know how the safe lock works.

No one makes OSS a target (0)

Anonymous Coward | more than 14 years ago | (#1443618)

Just as many virii and trojans can affect Linux and OSS. The big difference is no one makes OSS & Linux the target. A virus or a trojan can be written for any OS, it just has to be in the scopes of the people creating them. Remember the most famous of all, The Interner Worm, did not affect MS at all. Don't be so cocky about accusing MS code to be faulty, ans OSS to be so secure. It is much easier to crack a safe when you know how the safe lock works.

My heart bleeds (1)

warlocke (29338) | more than 14 years ago | (#1443619)

green swamp water.

For roughly a decade, Bill & Co. could Do No Wrong. Darlings of the press, celebrated in every computer rag.

Once at the lake I was watching as a couple of drunk teenagers took daddy's boat around at high speed. Another boat got in front; the driver chopped the throttle -- and the following wave drowned the $5,000 highly chromed super duper engine. glug!

Or you might like Jeremiah better: They that sow the wind, shall reap the whirl-wind.

The word is schadenfreude. Look it up.


Re:And now, a quote from the GPL (0)

Anonymous Coward | more than 14 years ago | (#1443620)

Wrong. The "get to distribute" part of the untested-in-court GPV does not suffice to make it non-one-sided. 99.998% of the users are not redistributing. Therefore, even were your point valid in redist cases, it wouldn't be valid here.

You don't want the GPV in court. It would be squished like a bug by people who have hundreds of millions of dollars to throw at lawyers who can prove anything they want to prove.

What does Melissa have to do with security? (1)

Garpenlov (34711) | more than 14 years ago | (#1443621)

The Melissa virus didn't exploit any security holes to do what it did. It exploited two things: user's willingness to blindly open documents and enable macros for them, and the power of Visual Basic for Applications.

Sure, there ARE security holes where no action by a user is required for the payload to go off, but as many people have pointed out, why bother? They're much more complicated to write, and you don't have be that sneaky. People will open documents, executable attachments, etc without thinking.

"Negligence in making a product safe to use"? Comparing software to cars? As long as we're talking about Melissa, let's do that. Microsoft (the car maker) enabled Person A to use his Word program (his car) to create destructive force that could be delievered to someone else's Word program (their car). Of course, they would have been safe, but they deliberately said, "Enable macros" (turn off my air bags).

Lastly.. could car makers do what Microsoft is/was doing and get away with it? How many alternatively-powered vehicles do you see in mass production? How many gas-powered? Why could that be?

Re:Implied Responsibility - wait a sec (1)

spwolf (101751) | more than 14 years ago | (#1443622)

ok... its not like MS products have virues, somebody else plants it in there. Now, you can compare it to car blowing up if somebody puts explosive under it ... now thats a good one... you people just blindly attack MS - well damn it, I dont like them too much myself... However, best solution for it would be to include Antivirus with Windows... but wait, that would be bad practice and everybody would damn MS for unfair competition! Kind of double edged sword, dont u think? ;)

Hold them liable (0)

Anonymous Coward | more than 14 years ago | (#1443623)

Microsoft should be held criminally liable for distributing an O/S (and I use that term guardedly) that permits these kind of violations. It's completely stupid, and it's their own damn fault. They mis-designed their system to make viruses rampant. This just doesn't happen on Unix. We're not idiots. Stop blaming the crackers when you leave your front door open with a loudspeaker blaring that you have expensive toys to steal on Christmas Eve.

Solution: "Clopen source" (1)

Anonymous Coward | more than 14 years ago | (#1443624)

The solution is to use Clopen Source. It's a combination of Open Source and Closed Source, and it gives you the best of both worlds.

In Clopen source, you email the world's software engineers the entire source code to your 1M+ LOC project. You then ask them to analyze your project and fix bugs, and do it all for free.

Then, if amazingly anyone actually cared enough to fix one spelling error in a sea of crash-and-exit bugs, you redistribute the source again, let Red Hat steal your code, let Microsoft steal your idea, and some score an IPO with your idea *and* source, and then develop a drug habit.

Then after 5 years of killing brain cells, you go through drug rehab, earn an MCSE, make $100/hr modifying Visual Studio Wizard-generated code for an investment bank, and curse all Linux and Open Source users on public forums like /.

Re:Not a double standard (2)

m3000 (46427) | more than 14 years ago | (#1443625)

The only problem is the consumer doesn't know what they are getting, even if it's open source. How many people even know how to program? Exactly, so they trust the OSS developer to deliver the product promised. So I say Open Source companies should be held liable, for the 99% of the population who can't program.

Yes, it is a double standard. (2)

daigu (111684) | more than 14 years ago | (#1443626)

Yes, this is a double standard. Let's examine why.

First, the Melissa virus is possible due to the dominance of one specific piece of software on the average users desktop. The only open source equivalent to this kind of dominance -- that I know of -- is sendmail. It is not the same for a variety of reasons, but let's continue on for the sake of discussion.

Compare the closest open source equivalent "virus" -- again, that I know of -- that happened with sendmail [] to the Melissa-Macro Virus [] . You will notice two interesting things. First, the CERT advisory for Melissa states: "This macro virus is not known to exploit any new vulnerabilities." Second, note the options they give for correction: block the mail, utilize virus scanners, and encourage users to disable Word macros. The free software solution would be to fix the problem at the source -- pun intended. In a free software environment the option to: fix the problem, is available whereas in a closed source solution it is not. You have to wait for company X to fix the problem for you, and in the mean time, get by with blocking, anti-virii programs and the like. Since this problem is not new and any user that buys Microsoft products has to wait for them to deign to fix it, it would seem that there is a powerful argument for some culpability on Microsoft's part.

There are of course the issues that other people have mentioned here: no warranty, free software is not a "product" sold by a business (let us remember companies like Red Hat make money off the service not the CD), etc. However, I think this is the central point. They have different standards because they are not analagous. You are not comparing like things.

Or to put it another way: Sure, a "thief" is responsible for his own actions. However, if I entrust the security of my home to some company, it seems quite reasonable to say that if someone steals something because that company left my door open, the company is also at fault.

For free software, you use it with the understanding that you are not entrusting anything to anyone so the same standard does not apply.


Re:But w OSS, you can check safety before running (0)

Anonymous Coward | more than 14 years ago | (#1443627)

I disagree... having the ability to look deep into the product to check for possible problems is not the job of the consumer. Do you open up the seatbelt mechanism to make sure there are no loose hinges? I doubt it. You take it for granted. Same goes for software. Software engineers are simply unethical engineers. We put little clauses about "No expressed or implied" this that and the other because we're too lazy to use tcov etc.

Re:Due diligence (to what?) (1)

xski (113281) | more than 14 years ago | (#1443628)

You can't, for example, sue a knife manufacturer because you got stabbed by one, whether you did it, or someone else did.

Actually, I think that's exactly what the City of Chicago is doing to firearm manufacturers. And the Feds are looking into it. So much for that argument.

Re:Implied Responsibility - wait a sec (0)

Anonymous Coward | more than 14 years ago | (#1443629)

it's not like MS products have viruses themselves.
Oh yes. It's exactly like that. They've given their lusers a system that is fundamentally misdesigned. It's a big racket. They point the finger at people doing bad things, but it's MS's fault at the root of all this. Triple damages are in order.

Re:Only Microsoft Will Ever Receive Blame (0)

Anonymous Coward | more than 14 years ago | (#1443630)

This post deserved a "2" or "3", but because it wasn't a Microsoft bashing post, it only got a "1". Sorry!

-Your Moderator

We don't care about (1)

test972 (125415) | more than 14 years ago | (#1443631)

those f*cking (l)users -who were stupid enough to pay money to use our product attitude.

After reading couple of reply's I thought that the attitude is not too prevalent - but since continuing to read further posts show that none of us here believe / think that anyone should be responsible for a problem in OpenSource software because it is written for free and distributed for a very low cost. Instead of making a blanket staement that says whatever happens it is your fault - maybe it should say blame it on the person whom you paid your hard - earned money to.

As I pointed out elsewhere - this argument makes perfect sense if we decide that only people who know how to debug the kernel should be using free software - who I don't think are too many.

So if any of this opensource "stuff" should be mainstream, someone should take some responsibility for it. It does not have to be the developers who write it for free or distribution sites that store it in ther machines. If a person wants to get something for free - they very well know that they are responsible for what they do. But if someone pays some good money for it - they better get something that works.

I am pretty sure that most of the OpenSource s/w have much less bugs than the closed source ones - but nevertheless - before I run gcc - no one should expect me to go through the gcc source code and make sure that if I accidently pass a -P option it will re-partition my hard-drive.

As far as people who are buying a RH CD for $50 with all the OpenSource s/w are concerned only difference between Windows and Linux is Linux is cheaper by $40 and it is supposed to be a much better OS than Windows. But if we start telling them - yes we think the s/w you have there is perfect - but if your computer just happens to blow up because of one of those 1000 packages that got installed - its not our problem - its your problem because you did not go through the source code of the whole OS and all the 1000 OpenSource s/w that was in it to make sure that your machine won't blow up - I am not sure how many of those people who are trying to use Linux will continue to use it.

If a home user who pays $50 bucks feels this way what about companies that are dishing out millions of bucks - should we tell them OpenSource community thinks that along with those millions they should just put more to make sure all the things will work as expected.

I may very well be wrong - but just my 2 cents.

Re:It's Much Less Of A Problem With Open Source (0)

Anonymous Coward | more than 14 years ago | (#1443632)

I disagree completely. Negligence is negligence. It doesn't matter whether the hood is sealed shut. You sell me a piece of crap that explodes at the drop of a hat, and it's your ass that will be bitch-slapped in court with class action suits and triple damage awards.


Heisenbug (122836) | more than 14 years ago | (#1443633)

Does anyone know exactly what the extent permitted by applicable law is? (Maybe not, since a previous reply mentioned that much of this hadn't been tested in court yet)


Re:Microsoft clause to cover their errors (0)

Anonymous Coward | more than 14 years ago | (#1443634)

Who's to blame for the `virus'?
Microsoft, of course. It's their horrifically misdesigned system that lets this happen.

Re:Microsoft clause to cover their errors (0)

Anonymous Coward | more than 14 years ago | (#1443635)

Think it can't happen? Anytime there is a loss, the lawyers take a shotgun approach. Sue EVERYONE who was involved. That means you, the software developer, Micro$oft, etc la.

Give us one real world example please.

Can't? Maybe because those open source shades only show black and white.

Re:Due diligence (to what?) (0)

Anonymous Coward | more than 14 years ago | (#1443636)

To use the Melissa virus as an example, it is not necessarily MS's fault that such an exploit can be made in the first place, but they could be reasonable held accountable if they failed to address this issue after the fact.
They've known about this issue for years and years. It's a design defect, one we've understood in Unix since time immemorial. They are criminals.

Re:Double Standards (2)

jflynn (61543) | more than 14 years ago | (#1443637)

I don't think the situations are directly comparable. Microsoft pays people a lot of money to make sure a lot of folks buy their software. Given that they are paying money for it, and were talked into paying money for it, there is an implication they will get value for their money --i.e. the software will behave as claimed by the sales people.

Open source is quite a bit different. Until recently there was hardly any sales or marketing and there is still very little. People who use open source usually seek it out on their own. And they do not exchange anything for it's use. They make agreements about redistribution, but not use.

It seems to me, not being a lawyer, that there is an implied contract in the Microsoft case that isn't present in the open source case, and that this lack might hinder an attempt to hold an open source project responsible for damages consequent to use.

Re:It's Much Less Of A Problem With Open Source (0)

Anonymous Coward | more than 14 years ago | (#1443638)

Stop being a dick, Tom Christiansen.

Re:You don't buy open source software. (0)

Anonymous Coward | more than 14 years ago | (#1443639)

Yes, *what if* something happens? If you explicitly DISCLAIM responsibility, then there is nothing anyone can do. But it is perfectly reasonable to expect problems if you DON'T make a disclaimer. That is why we HAVE disclaimers.

Also, what makes Melissa and a "reverse engineered N64 emulator" any less legitimate software than anything else? Define legitimate.

Re:It's Much Less Of A Problem With Open Source (0)

Anonymous Coward | more than 14 years ago | (#1443640)

You are what I like to refer to as a fucknut. I like how you like to refer to "we" when you probably have never contributed a damn thing besides bullshit rhetoric.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?