Dan Geer's "comments on the national strategy to secure cyber-space", in the April 2003 issue of ;login, contains a letter to the cyber-tzars in the nation's government. One of his bullet points is the need to attach liability to claims of security. Essentially, the argument is that if a company claims that a given product is secure then they are liable for any insecurities. A very interesting way to tackle software liability even if only security is addressed.
My question is how does this or any liability affect open source? We can instantly assume that there will be vulnerabilities in open source software. That's not up for debate really. The real question is who, if anyone, is liable if an open source program is found to have been the root cause of a compromise or, in a larger sense, any failure of a system? There are a couple of ways to consider the interplay of liability and open source, and here I mention two:

1. Open source is given blanket immunity. In this case open source is given immunity because users have the right to inspect the code for any issues before use. (I don't think this is too realistic, and neither will most legislatures.) Also, how many companies are willing to risk using software that is immune from the same levels of liability as closed software? I would think that at this point most closed software shops would have embarked on some kind of certification program to show due diligence. Will this leave under-funded open source projects out of the running?

2. Open source is not immune. Will open source writers then be sued? Will projects that have the potential to become great but are still in the early stages be most at risk? How do we reduce this risk? Can we limit liability by following suggested best practices during development? If so, how do we really agree on these best practices? What if we follow them and then the compiler is ultimately the responsible party? Or the system libraries under Linux?

---
Dustin Puryear <[EMAIL PROTECTED]>
Puryear Information Technology
Windows, UNIX, and IT Consulting
http://www.puryear-it.com
