Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Posted Mar 4, 2021 16:40 UTC (Thu) by johannbg (guest, #65743)In reply to: Woodruff: Weird architectures weren't supported to begin with by pizza
Parent article: Woodruff: Weird architectures weren't supported to begin with
I would not be surprised if software ends up being heavily regulated in the future in similar manners as building codes/control/regulation and anything that does not follow that regulation could be deemed illegal and at that point whatever license ( open/closed ) the project has, has become irrelevant.
Posted Mar 4, 2021 17:41 UTC (Thu)
by pizza (subscriber, #46)
[Link] (25 responses)
I'm reminded of a saying attributed to the former ruler of Dubai:
"My grandfather rode a camel, my father rode a camel, I drive a Mercedes, my son drives a Land Rover, his son will drive a Land Rover, but his son will ride a camel"
Strict regulation/liability will pretty much end the "Software industry" overnight, and take most of the economy down with it.
You'll never get me to say that the "Software industry" is healthy, but this cure will be vastly worse than the disease, and everyone (especially those who control the levers of power) knows it.
Posted Mar 5, 2021 18:20 UTC (Fri)
by khim (subscriber, #9252)
[Link] (24 responses)
> Strict regulation/liability will pretty much end the "Software industry" overnight, and take most of the economy down with it.
Only if you would introduce these strict regulations overnight. But then, if someone introduced today's rules for building 300 years ago… economy would have crashed, too.
> You'll never get me to say that the "Software industry" is healthy, but this cure will be vastly worse than the disease, and everyone (especially those who control the levers of power) knows it.
At some point they would have no choice. Cost of programming errors grows larger and larger the more interconnected the world becomes. At some point either new software would have to become more reliable… or we should stop using it. The attempt to cause former may lead to latter… but government would try, anyway.
Posted Mar 5, 2021 20:03 UTC (Fri)
by johannbg (guest, #65743)
[Link] (23 responses)
It's inevitable evolution that the industry will be regulated ( which already gradually has been happening ) and people will be held accountable for what they write regardless under which license the program they wrote ends up having so if people think that F/OSS licensed program will somehow be exempt from those eventual rules and regulation they are sadly mistaken. The blame game ends with the person that wrote the code and the people that reviewed and committed it as Volkswagen already has proven [2].
1. https://thedriven.io/2020/12/22/hyundai-recalls-kona-elec...
Posted Mar 5, 2021 20:50 UTC (Fri)
by pizza (subscriber, #46)
[Link] (19 responses)
"Held accountable" how, exactly, and to what extent? Criminal liability resulting in jail time or fines? Or some sort of civil liability? Either way, where does this "accountability" end?
> The blame game ends with the person that wrote the code and the people that reviewed and committed it as Volkswagen already has proven [2].
What VW did wasn't a "coding mistake" - It was outright fraud, willfully perpetrated all the way up to the highest executive levels across at least two continents.
The "engineer" in the article didn't write a single line of code; he instead he was acting in a managerial role and signed off on stuff he knew was false -- in other words, he was one of the folks who actively lied to regulators and directly committed a crime.
Posted Mar 5, 2021 21:43 UTC (Fri)
by johannbg (guest, #65743)
[Link]
Some form of liability. The real name policy ( like google was advocating for ) are designed and implemented to go after a person(s) not a program(s).
The vehicle example I gave it's not an unlikely to happen in a F/OSS world [1].
I'm pretty sure further down the line we will see some examples in court, that show how far the term "coding mistake" can be stretched and I have no idea what exactly role he played within VW but initially VW blamed a "rogue" team of engineer within the company but obviously the entire developer team who wrote the code should have gone to jail it's not like they did not know it was unethical and illegal. All of the persons involved could have said no I wont do that, I quit or get someone else to do it etc. it's not like they can hide their heinous act behind some "management" decision.
Posted Mar 5, 2021 22:36 UTC (Fri)
by kleptog (subscriber, #1183)
[Link] (17 responses)
The question of liability is the easy part and already done: whatever entity sells the product/service to the customer is liable. They bear full responsibility. They may try to legally pass off the risk onto any of their suppliers for different parts, but for the consumer that is irrelevant, they sue the entity they bought the product/service from. If the supplier chooses to use Free Software, then they are also liable for its proper functioning, unless they can find someone to accept the risk for them.
Regulations would be required if it turns out that just apportioning liability is not enough. Since no manufacturer is ever required to use free software, I don't see how there is likely to be any issue there.
Now, software companies get away with disclaiming liability because that's seems to work and not too many people complain about it. Regulations tend to be written in blood so unless we see a situation where lots of people start dying due to dodgy software I don't see a lot of regulation occurring outside of where it is already, eg cars, planes, medical devices.
Posted Mar 5, 2021 23:04 UTC (Fri)
by johannbg (guest, #65743)
[Link]
You see, the things is that governments have a tendency to become very unhappy if they suddenly find out that someone, out of kindness of their heart was helping them backup their data or ensure they meet their environment commitments by shutting down the nations power grid etc. despite it all being done in good faith and the nations best interest. :)
Posted Mar 6, 2021 0:23 UTC (Sat)
by pizza (subscriber, #46)
[Link] (15 responses)
See, I'm fine with that. There's an existing supplier<->customer relationship.
But how exactly can I, by virtue of writing a random pile of F/OSS that I published on my web site, when I have no relationship with the end-user or the company that manufactured $widget_x, be held liable for that widget failing and injuring the end-user, especially when I state up front that my pile of F/OSS comes with no warranty, little testing, and might randomly fail and kill your cat? [1]
If I'm to be held liable for <whatever> then I need to be compensated in proportion to that risk, or I'd have to be downright stupid to do it.
> Now, software companies get away with disclaiming liability because that's seems to work and not too many people complain about it. Regulations tend to be written in blood so unless we see a situation where lots of people start dying due to dodgy software I don't see a lot of regulation occurring outside of where it is already, eg cars, planes, medical devices.
Sure, but it's not "software" failing, it's "safety-critical product X (that happens to be partially implemented using software) failing".
That's the key difference. You're not regulating *software*, you're regulating *product that contain software*.
[1] Yes, I actually state that in the documentation. Should I somehow be liable because the user didn't read the documentation too?
Posted Mar 6, 2021 8:30 UTC (Sat)
by johannbg (guest, #65743)
[Link] (14 responses)
If a person creates a lemonade and that person then makes her or his lemonade publicly available and accessible under a sign "Free lemonade, drink at your own risk" and all the kids in the neighborhood see "Free lemonade" on the street corner, grab themselves some lemonade and start dying because that person decided to mix some acid into his or hers lemonade.
Is that person free of any responsibility and accountability because that person put up a lemonade stand and had a sign that says "Free lemonade, drink at your own risk" and allowed everyone to watch how she/he poured acid into the lemonade as she/he was mixing the lemonade.
The answer to that is no and one of the reasons why food regulations and laws surrounding that exist in the world.
Posted Mar 6, 2021 11:00 UTC (Sat)
by mpr22 (subscriber, #60784)
[Link] (13 responses)
What we're talking about here is more along the lines of:
Person (not necessarily natural person) 1: "I released some software for free. I haven't prepared a formal proof of its correctness, nor an evidence package illustrating its suitability for safety-critical uses, so it's unsuitable for use in safety-critical systems unless you are willing to do all that work yourself."
Person (not necessarily natural person) 2: "Don't care, I'm using it in my driverless car anyway."
Person 2 is the natural target (and, in practice, probably the only worthwhile target) for civil proceedings.
Posted Mar 6, 2021 11:00 UTC (Sat)
by mpr22 (subscriber, #60784)
[Link]
Posted Mar 6, 2021 13:31 UTC (Sat)
by johannbg (guest, #65743)
[Link] (10 responses)
As software becomes more and more integrated part of the society, more rules,regulation and laws will be built around that.
If it did not do that then everybody would just F/OSS their software ( corporation and people alike ) and be free from any accountability.
It might not be what people like or want but it's inevitable evolution, just as has happened in every other industry.
Posted Mar 6, 2021 15:02 UTC (Sat)
by mpr22 (subscriber, #60784)
[Link] (1 responses)
Now, if you can prove a sufficient degree of negligence, recklessness, breach of contract, sabotage, and/or fraud on the part of whoever made the software, then it would be natural for some portion (possibly as much as 100% depending on the nature of the defective behaviour, the nature of the tortious conduct, and the adequacy of your attempts to guard against defects in the software) of the liability be transferred to them.
Any idiot who decides it would be a good idea to grab a pile of pre-existing code written by a no-name rando with a net worth of a few thousand dollars and stick it in their widget without stopping to ask themselves "should I really trust, without further verification on my part, this software written by some no-name rando whose response to a liability claim would be to declare bankruptcy because the legal fees alone would be more than their combined net worth and gross annual salary?" needs to reconnect with reality.
Posted Dec 22, 2022 6:25 UTC (Thu)
by mrugiero (guest, #153040)
[Link]
And that's, IMO, where the regulation should start and stop.
Posted Mar 6, 2021 16:25 UTC (Sat)
by pizza (subscriber, #46)
[Link]
Remember that absent the "license" you don't have the rights to use my software, period. Only that license gives you that right.
In exchange for the right to use my software, you have you have to agree to not hold me liable should your house burn down.
You chose to use my software, and your house burns down.
Who is "accountable" here, the software author who explicitly stated, in advance, that their stuff can't be trusted, or the person who chose to use it anyway?
Posted Mar 6, 2021 21:29 UTC (Sat)
by farnz (subscriber, #17727)
[Link] (6 responses)
Equally, though, at least in my jurisdiction, liability laws for anything only expect you to be liable for reasonably foreseeable consequences of your actions, and do allow for disclaimers of liability even for things like buildings and cars. Not total disclaimers, but (for example) the skylights for my house have a legally enforceable disclaimer of liability for faults other than manufacturing defects and undisclosed issues with the design.
The much more likely model for software liability here would be to copy consumer goods (everything from pens through to cars); in that model, the default liability for any product is limited to the price paid to you, and a full refund for the faulty goods is normally the limit of your liability. The only time where you have further liability beyond the purchase price paid to you is when you could foresee that the part you supplied would, when used correctly, cause the extra costs that the buyer has incurred; one way that you can foresee such things is if the buyer explicitly tells you about those extra costs.
So, for example, I buy a washing machine; it doesn't wash clothes and doesn't function. The seller's liability to me is limited to a full refund. I tell the seller that I need a washing machine that works because if I can't wash my clothes tonight, I'm going to have to spend £100 on new clothes tomorrow, and that is enough that the seller has to either refuse to deal with me (allowed, of course!), or is liable to me for £100 above a full refund.
And note that these only apply if the seller is acting as a business, not as a private individual; if I sell you my home-made 6m band dipole aerial, then caveat emptor applies (unless I'm producing aerials as a business).
For a practical example of how all of that interacts, consider the engines sold by Honda for other people to build into products. If I buy an iGXV800 from Honda on their normal terms, they are liable to me if the engine does not function, or fails in use, to the cost of refunding me for the engine in full. However, if I build that engine into a motorbike of my own design and sell it to you, Honda don't acquire any additional liability; if you have a catastrophic engine failure while riding it, Honda are still only liable for the cost of the engine, as they did not foresee the extra consequences of a failure while using it in a motorbike (it's not sold for that use). Had I bought a Honda CB300R motorbike, and sold it to you, Honda could now foresee the consequences of a catastrophic engine failure while riding it, and would have the extra liability that results.
Translated to open source terms, most projects would have no liability still - the default position is that you're liable to supply a full refund if it doesn't work, but as no money has changed hands, that's a non-effect. Samsung would be on the hook, however, if the software in a Samsung phone does not work, even if it includes open source, because money changed hands; even then, the normal limit is the money I paid for the phone. Tesla, on the other hand, could be on the hook for far more money, even if their FSD software is mostly open source, and even if the failure is caused by an open source component, because Tesla could predict that it might crash. The developer of (say) a computer vision component used in the FSD software, however, is only liable to Tesla for what they agreed to (as part of a contract), or the money paid by Tesla to them for the software (probably nothing if it's open source).
Posted Mar 6, 2021 22:28 UTC (Sat)
by johannbg (guest, #65743)
[Link] (5 responses)
Arguably Microsoft in this case should be held accountable for their own negligence towards the US government, it's tax payers ( which probably have spent billions in license fees ) and of course the rest of the world as well.
People also need to realize that as open source has become more widespread and used, it has also
https://cyber.dhs.gov/ed/21-02/
Posted Mar 6, 2021 23:25 UTC (Sat)
by mpr22 (subscriber, #60784)
[Link] (1 responses)
That liability model breaks down with free software because identifying an entity to which you can both reasonably(1) and usefully(2) attach civil liability will frequently lie somewhere between "difficult" and "impossible".
(1) "Reasonably" meaning that it is fair and equitable to hold the identified entity responsible in tort for the incident that has occurred.
(2) "Usefully" meaning the plaintiffs have a realistic prospect of recovering a useful percentage of their damages from the defendants identified, rather than just bankrupting the defendants to the sole benefit of the lawyers.
Posted Mar 7, 2021 14:11 UTC (Sun)
by Wol (subscriber, #4433)
[Link]
Take sendmail (seeing as we're talking about MS Exchange Server) as a case in point.
Allman wrote it in the kinder, gentler days of the gentleman's internet. Lots of people modified it to do things Eric never thought of. Then came the crackers who abused it.
Is it Allman's fault - for not forseeing the future? Is it the fault of the people who re-purposed it to suit themselves? Is it the fault of the distros, or the software repositories, who made it freely available? Is it the fault of the people who didn't understand how to configure it securely?
Even identifying who those individuals are is fraught with problems.
Cheers,
Posted Mar 6, 2021 23:44 UTC (Sat)
by farnz (subscriber, #17727)
[Link] (2 responses)
And, taking that Microsoft Exchange server issue as an example, Microsoft are the final vendor; by default, unless they could reasonably foresee the issue, they'd be liable to at most a full refund for the licence fees everyone has paid them for licences for those instances. Of course, they could be liable for more - but no amount of disclaimers will limit their liability below the sum paid in my local jurisdiction.
This doesn't mean that it will affect open source - Exchange is a product, but there's no liability on (e.g.) the RSGB for publishing circuit diagrams in RadCom that could be dangerous if constructed badly. That said, it will affect people like Canonical, SUSE and Red Hat - if you're selling open source software (even just as a bundle with support), you become liable to ensure it works, or to refund people.
Posted Mar 7, 2021 0:07 UTC (Sun)
by pizza (subscriber, #46)
[Link] (1 responses)
This is a key point -- If your jurisdiction decided to change the law to override disclaimers of warranty and/or liability waivers, it would affect far more than the likes of Microsoft or "software". I don't think it's an exaggeration to say that it would send most of the economy to a screeching halt, and any software/products/services offered under the new regime will come with a _much_ higher price point, proprotional to the heightened, un-waiveable liability the seller/producer/manufacturer is potentially responsible for.
This distinction is why you can buy device that measures your pulse for $20, but a "medical device" that does the same thing (with the same fundamental components!) costs $2000. The "medical device" is sold with explicit promises of merchantability, reliability, and accuracy, and there are major penalties if it fails even if there was no malice or negligence involved. The development and certification process necessary to meet those requirements is quite extensive, and therefore quite expensive. Plus you have to carry significant amounts of insurance to ensure you can meet those liabilities.
> That said, it will affect people like Canonical, SUSE and Red Hat - if you're selling open source software (even just as a bundle with support), you become liable to ensure it works, or to refund people.
"works" for what purpose, exactly? That's going to have to be explicitly spelled out...
Posted Mar 7, 2021 20:13 UTC (Sun)
by farnz (subscriber, #17727)
[Link]
Disclaimers of warranty are already overriden by local law here, and have been since the 1970s (coming up to 50 years). A product has to be of a reasonable standard given the price charged, and to last a reasonable time, again taking the price into account; it is expected to function as advertised before the sale.
So, the $10 pulse oximeter I own calls out what I can expect of it on the packaging - high error margins, low reliability. There's no disclaimer of warranty, nor a liability waiver; instead, there's setting of expectations so that the company selling the device is clear that they're not liable for anything beyond the functionality of the device, and that the functionality is about what you'd expect for a $10 device. If it doesn't do what they've promised it does to a reasonable standard for a $10 device, then my options are limited to a repair, replacement or full refund at the vendor's discretion in the first instance (I get a right to a refund if they cannot repair or replace) - so $10 at most. The similar device a local hospital uses does indeed cost a lot more - but as you say, that is because they are promising a lot more.
The net effect is that companies become very clear about what functionality you can expect from a device, because full refunds are not something you want to give very often. For Canonical, Red Hat, etc, the result is that you advertise a lower expectation, because you can be held to that; so Exchange would have to be advertised as insecure to escape liability for the hack.
Posted Mar 6, 2021 16:18 UTC (Sat)
by pizza (subscriber, #46)
[Link]
I agree completely; (though "worthwhile" in this context should mean "going after anyone else will get you laughed out of court and on the hook for the other parties' else's legal fees)
Every single scenario suggested as a reason we need "accountability/liability" has been malicious in nature (ie involving mens rea &| actus reus). I have yet to see anyone explain what sort of liability should flow from accidents, why that should extend all the way to the individual software authors (instead of the "owners" of the software) and how the software profession can possibly survive that.
Posted Mar 5, 2021 21:18 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (2 responses)
That should NOT be possible. And that's one of the big problems with this - too many people think this is the correct solution when it is provably disastrous. An autonomous vehicle should be exactly that - autonomous! If it relies on external back-up, then that backup will *inevitably* fail when it is needed. Muphrys law and all that ...
Cheers,
Posted Mar 5, 2021 21:54 UTC (Fri)
by johannbg (guest, #65743)
[Link]
Posted Mar 5, 2021 22:12 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link]
Is this a British thing? I think you're referring to Murphy's Law. Muphry's Law seems to be:
> If you write anything criticizing editing or proofreading, there will be a fault of some kind in what you have written.
and a deliberate misspelling of the other one.
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
2. https://www.reuters.com/article/us-volkswagen-emissions-s...
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
You wrote the code.
You made the code publicly available/accessible.
You end up having to take responsibility/accountability for it.
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
You provide a paid product or service? Either you can prove who provided your supplies or you're directly liable. In other words, a proper regulation wouldn't be about what's required for you to do something, but what's required for those who are supposed to "guarantee" it works correctly.
One of those requirements is have a face and name for everyone involved in the making. If you can't do that for an open source project, then don't use it for your product or you're liable for any defects it may have. The author of such code should still be one with full choice about whether to remain anonymous, it's you as downstream that's responsible of picking only the public ones. Anyone who decides to use the anonymous' code is legally responsible for doing so.
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
become increasingly affected by societal issues, including, both ethical and political issues ( US gov + Huawei + Google case is probably a good example of such political issue ), all of which will affect how the future framework ( rules and regulation ) surrounding it and how the rest of the software sector is shaped in the future.
https://www.microsoft.com/security/blog/2021/03/02/hafniu...
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Wol
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Wol
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with