Jon Callas <j...@callas.org> writes:

> On Apr 29, 2014, at 10:20 AM, d...@geer.org wrote:
>
>>
>> I cannot resist quoting The Register:
>>
>> Are software licensing "agreements" that say that by using this
>> product you agree that it's all your fault, that it's only broken
>> to the extent that it ships 'as is' and therefore if you think
>> it's broken you accepted that this was the case when you bought
>> it, and anyway you agreed it wasn't and you didn't buy it anyway,
>> because it's still ours..."
>>
>> Er, where were we? But you know what we mean. Software licensing
>> agreements are an outrage and it's high time the law made vendors
>> face up to their responsibilities and told them to shove their
>> licences up the appropriate end. That'd play with the public.
>
> Sure. Sounds great. But what about the side-effects?
>
> What happens to the OpenSSL people? Or GNUTLS? Or heck, K&R, since
> it's all their fault, anyway.
I am quite sure that liability does not work that way. If you find lead paint on your toys, you might go to court against the toy company, but probably not against the lead mining company. Lead is useful after all. Did the OpenSSL people sell any software containing bugs? Did the GNUTLS people do such stuff? If not, why should anyone hold them liable? In any case, on what moral grounds should a buyer who relies upon a seller to select software to fit a specific request not be given any assurances?

> And if there is liability for bugs, isn't there liability for
> improperly making them public (for some suitable definition of
> "improper")? Surely publicizing Heartbleed before it was fixed with a
> chance for deployment was just as damaging as the bug in the first
> place?

Shooting the messenger always makes the world more insecure, long-term. I sincerely hope that weev's TRO LLC idea is going to show how full disclosure can be profitable without selling to government black hats.

> And wouldn't there be liability for selling or hosting a site with
> crap software on it? I mean, that's just as bad as writing it -- being
> a conduit for it.

Writing crap software should be covered by freedom of speech. Selling crap software, not so much. In fact, I may be selling software I wrote for medical (diagnostic) purposes sometime, and one step along that route is going to involve a lawyer. I fully expect this to be unprofitable if the software has bugs.

> The most toxic cultures I have been in were blame-based ones. I raise
> an eyebrow at seeing how blame is going to get us out of this. I
> suspect it will work about as well as it does for other ills like
> violence, drugs, sexually transmitted diseases, and so on.

This is not about playing a blame game, but about changing incentives.
--
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>

_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss