That's assuming, though, that the company that's selling the software is the company that wrote the software. If that's not the case, where does the liability lie? One would assume the liability goes with the party making the claim of security, but if, as you suggest, security is implied from the point of creation, then I wouldn't know where to guess that blame lies.

I still prefer to think of open source software as being on the same level as something that was developed in-house (like 90% of all the other software that's ever written). Using OSS is very close to "owning" it, just as owning your own custom software. I have seen some noise about the push for software liability, but I'd be really surprised if the MS lobby allows this to happen. It seems to be counter to the push for binding shrink-wrap licenses of the DMCA/UCITA likes.

On Mon, 2003-04-21 at 09:04, Dustin Puryear wrote:
> If you haven't noticed there has been a recent trend that is pushing for software companies to have liability. :) If that occurs then having a simple "We are not liable" statement would not protect the software developer. This would be similar to a car company having a "We are not liable" sticker on the front door of their car. They can have the sticker but it wouldn't mean anything.
>
> At 08:39 AM 4/21/2003 -0500, you wrote:
>
> > Most open source software (and closed too, for that matter) that I've come across has a disclaimer of liability for any damages. If this weren't the case, then Microsoft could probably have been sued into oblivion by now. However, I do see potential appeal in a piece of software that has a set guarantee of security, with some sort of compensation to a victim if the software is compromised.
> >
> > This could actually be an interesting business idea. Take some open source security product that already has a community trust. Start a business that does a few things. First, you sell installation and support contracts for the product. Then, you bundle insurance. For a monthly fee, all your customers are in an insurance co-op for the product, and they could potentially claim against it if they get compromised via the product. With the revenues from the support and insurance premiums, you'd be able to fund programmers to enhance and further secure the products.
> > Of course, like any insurance company, there's a risk of getting sued for more than you could cover, but maybe there's a way to protect against that, possibly with a 3rd party insurance policy or bonding.
> >
> > On Mon, 2003-04-21 at 08:14, Dustin Puryear wrote:
> > > Dan Geer's "comments on the national strategy to secure cyber-space", in the April 2003 issue of ;login, contains a letter to the cyber-tzars in the nation's government. One of his bullet points is the need to attach liability to claims of security. Essentially, the argument is that if a company claims that a given product is secure then they are liable for any insecurities. A very interesting way to tackle software liability even if only security is addressed.
> > >
> > > My question is how does this or any liability affect open source? We can instantly assume that there will be vulnerabilities in open source software. That's not up for debate really. The real question is who, if anyone, is liable if an open source program is found to have been the root cause of a compromise or, in a larger sense, any failure of a system? There are a couple of ways to consider the interplay of liability and open source, and here I mention two:
> > >
> > > 1. Open source is given blanket immunity. In this case open source is given immunity because users have the right to inspect the code for any issues before use. (I don't think this is too realistic, and neither will most legislatures.) Also, how many companies are willing to risk using software that is immune from the same levels of liability as closed software? I would think that at this point most closed software shops would have embarked on some kind of certification program to show due diligence. Will this leave under-funded open source projects out of the running?
> > >
> > > 2. Open source is not immune. Will open source writers then be sued? Will projects that have the potential to become great but are still in the early stages be most at risk? How do we reduce this risk? Can we limit liability by following suggested best practices during development? If so, how do we really agree on these best practices? What if we follow them and then the compiler is ultimately the responsible party? Or the system libraries under Linux?
> > >
> > > ---
> > > Dustin Puryear <[EMAIL PROTECTED]>
> > > Puryear Information Technology
> > > Windows, UNIX, and IT Consulting
> > > http://www.puryear-it.com
> > >
> > > _______________________________________________
> > > General mailing list
> > > [email protected]
> > > http://brlug.net/mailman/listinfo/general_brlug.net
>
> ---
> Dustin Puryear <[EMAIL PROTECTED]>
> Puryear Information Technology
> Windows, UNIX, and IT Consulting
> http://www.puryear-it.com
