>>>     Just as a traditional manufacturer would pay less tax by
>>>     becoming "greener," the software manufacturer would pay less
>>>     tax for producing "cleaner" code, [...]
>> And all of this completely ignores the $0 software "market".  Who
>> gets hit with tax when a bug is found in, say, the Linux kernel?
> [T]f we grant that [the idea is] appropriate for for-fee software,
> it's easy decide what happens with free software - though you won't
> like the answer:  The user of the software pays anyway.

Well, it's full of enforcement issues; with for-pay, the point of sale
is a comparatively well-regulated point at which taxes can be applied,
but there is no such convenient choke-point for gratuit software.  How
would you even *find* all the relevant users?

Also, in the open-source world, people mix-and-match software to a
degree not seen in the closed-source world.  Does everyone who ever
downloaded a copy pay?  Everyone who's still running it?  Everyone who
ever ran it?  What about people who fixed the relevant bug themselves?

The only answers I can see are (1) to completely forbid software
sharing between end users, even when it's not against copyright law, or
(2) a massive DRM-style invasion of everyone's machines, so as to
report exactly what software they're running to some enforcement
authority.  I can't see either one flying.

And, incidentally, why would you think I wouldn't like that answer?  As
far as I know I'm not under any jurisdiction considering such a stupid
idea (yes, I consider it stupid), and if some other jurisdiction wants
to break their software industry that badly, it's their lookout.

> The argument the author is making is that security problems impose
> costs on *everyone*, not just on the party running the software.
> [...externalities...]
> Imposing a tax is the classic economic answer to such a market
> failure.  The tax's purpose is (theoretically) to transfer the
> externalized costs back to those who are in a position to respond.
> In theory, the cost for security problems - real or simply possible;
> we have to go with the latter because by the time we know about the
> former it's very late in the game -

So?  Why is that a problem?  It seems to me that someone who runs, say,
Windows, with all its horrible security record, in such a way as to not
cause a problem (this is not a hypothetical case), should not be taxed,
because that user is not imposing any externalized costs on the world
at large.

There's a problem finding everyone who's offended, but it's no worse
than the problems of finding all users of a piece of gratuit software.

> should be born by those who develop the buggy code, and by those who
> choose to use it.

I can argue both ways wrt imposing it on the developers.  Often enough,
the bugs are not bugs, but rather an end user misapplying software.
I've often enough written software that was perfectly fine in its
intended application but, if misapplied, could be a risk.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               [EMAIL PROTECTED]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to