Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Posted Mar 6, 2021 11:00 UTC (Sat) by mpr22 (subscriber, #60784)In reply to: Woodruff: Weird architectures weren't supported to begin with by johannbg
Parent article: Woodruff: Weird architectures weren't supported to begin with
What we're talking about here is more along the lines of:
Person (not necessarily natural person) 1: "I released some software for free. I haven't prepared a formal proof of its correctness, nor an evidence package illustrating its suitability for safety-critical uses, so it's unsuitable for use in safety-critical systems unless you are willing to do all that work yourself."
Person (not necessarily natural person) 2: "Don't care, I'm using it in my driverless car anyway."
Person 2 is the natural target (and, in practice, probably the only worthwhile target) for civil proceedings.
Posted Mar 6, 2021 11:00 UTC (Sat)
by mpr22 (subscriber, #60784)
[Link]
Posted Mar 6, 2021 13:31 UTC (Sat)
by johannbg (guest, #65743)
[Link] (10 responses)
As software becomes more and more integrated part of the society, more rules,regulation and laws will be built around that.
If it did not do that then everybody would just F/OSS their software ( corporation and people alike ) and be free from any accountability.
It might not be what people like or want but it's inevitable evolution, just as has happened in every other industry.
Posted Mar 6, 2021 15:02 UTC (Sat)
by mpr22 (subscriber, #60784)
[Link] (1 responses)
Now, if you can prove a sufficient degree of negligence, recklessness, breach of contract, sabotage, and/or fraud on the part of whoever made the software, then it would be natural for some portion (possibly as much as 100% depending on the nature of the defective behaviour, the nature of the tortious conduct, and the adequacy of your attempts to guard against defects in the software) of the liability be transferred to them.
Any idiot who decides it would be a good idea to grab a pile of pre-existing code written by a no-name rando with a net worth of a few thousand dollars and stick it in their widget without stopping to ask themselves "should I really trust, without further verification on my part, this software written by some no-name rando whose response to a liability claim would be to declare bankruptcy because the legal fees alone would be more than their combined net worth and gross annual salary?" needs to reconnect with reality.
Posted Dec 22, 2022 6:25 UTC (Thu)
by mrugiero (guest, #153040)
[Link]
And that's, IMO, where the regulation should start and stop.
Posted Mar 6, 2021 16:25 UTC (Sat)
by pizza (subscriber, #46)
[Link]
Remember that absent the "license" you don't have the rights to use my software, period. Only that license gives you that right.
In exchange for the right to use my software, you have you have to agree to not hold me liable should your house burn down.
You chose to use my software, and your house burns down.
Who is "accountable" here, the software author who explicitly stated, in advance, that their stuff can't be trusted, or the person who chose to use it anyway?
Posted Mar 6, 2021 21:29 UTC (Sat)
by farnz (subscriber, #17727)
[Link] (6 responses)
Equally, though, at least in my jurisdiction, liability laws for anything only expect you to be liable for reasonably foreseeable consequences of your actions, and do allow for disclaimers of liability even for things like buildings and cars. Not total disclaimers, but (for example) the skylights for my house have a legally enforceable disclaimer of liability for faults other than manufacturing defects and undisclosed issues with the design.
The much more likely model for software liability here would be to copy consumer goods (everything from pens through to cars); in that model, the default liability for any product is limited to the price paid to you, and a full refund for the faulty goods is normally the limit of your liability. The only time where you have further liability beyond the purchase price paid to you is when you could foresee that the part you supplied would, when used correctly, cause the extra costs that the buyer has incurred; one way that you can foresee such things is if the buyer explicitly tells you about those extra costs.
So, for example, I buy a washing machine; it doesn't wash clothes and doesn't function. The seller's liability to me is limited to a full refund. I tell the seller that I need a washing machine that works because if I can't wash my clothes tonight, I'm going to have to spend £100 on new clothes tomorrow, and that is enough that the seller has to either refuse to deal with me (allowed, of course!), or is liable to me for £100 above a full refund.
And note that these only apply if the seller is acting as a business, not as a private individual; if I sell you my home-made 6m band dipole aerial, then caveat emptor applies (unless I'm producing aerials as a business).
For a practical example of how all of that interacts, consider the engines sold by Honda for other people to build into products. If I buy an iGXV800 from Honda on their normal terms, they are liable to me if the engine does not function, or fails in use, to the cost of refunding me for the engine in full. However, if I build that engine into a motorbike of my own design and sell it to you, Honda don't acquire any additional liability; if you have a catastrophic engine failure while riding it, Honda are still only liable for the cost of the engine, as they did not foresee the extra consequences of a failure while using it in a motorbike (it's not sold for that use). Had I bought a Honda CB300R motorbike, and sold it to you, Honda could now foresee the consequences of a catastrophic engine failure while riding it, and would have the extra liability that results.
Translated to open source terms, most projects would have no liability still - the default position is that you're liable to supply a full refund if it doesn't work, but as no money has changed hands, that's a non-effect. Samsung would be on the hook, however, if the software in a Samsung phone does not work, even if it includes open source, because money changed hands; even then, the normal limit is the money I paid for the phone. Tesla, on the other hand, could be on the hook for far more money, even if their FSD software is mostly open source, and even if the failure is caused by an open source component, because Tesla could predict that it might crash. The developer of (say) a computer vision component used in the FSD software, however, is only liable to Tesla for what they agreed to (as part of a contract), or the money paid by Tesla to them for the software (probably nothing if it's open source).
Posted Mar 6, 2021 22:28 UTC (Sat)
by johannbg (guest, #65743)
[Link] (5 responses)
Arguably Microsoft in this case should be held accountable for their own negligence towards the US government, it's tax payers ( which probably have spent billions in license fees ) and of course the rest of the world as well.
People also need to realize that as open source has become more widespread and used, it has also
https://cyber.dhs.gov/ed/21-02/
Posted Mar 6, 2021 23:25 UTC (Sat)
by mpr22 (subscriber, #60784)
[Link] (1 responses)
That liability model breaks down with free software because identifying an entity to which you can both reasonably(1) and usefully(2) attach civil liability will frequently lie somewhere between "difficult" and "impossible".
(1) "Reasonably" meaning that it is fair and equitable to hold the identified entity responsible in tort for the incident that has occurred.
(2) "Usefully" meaning the plaintiffs have a realistic prospect of recovering a useful percentage of their damages from the defendants identified, rather than just bankrupting the defendants to the sole benefit of the lawyers.
Posted Mar 7, 2021 14:11 UTC (Sun)
by Wol (subscriber, #4433)
[Link]
Take sendmail (seeing as we're talking about MS Exchange Server) as a case in point.
Allman wrote it in the kinder, gentler days of the gentleman's internet. Lots of people modified it to do things Eric never thought of. Then came the crackers who abused it.
Is it Allman's fault - for not forseeing the future? Is it the fault of the people who re-purposed it to suit themselves? Is it the fault of the distros, or the software repositories, who made it freely available? Is it the fault of the people who didn't understand how to configure it securely?
Even identifying who those individuals are is fraught with problems.
Cheers,
Posted Mar 6, 2021 23:44 UTC (Sat)
by farnz (subscriber, #17727)
[Link] (2 responses)
And, taking that Microsoft Exchange server issue as an example, Microsoft are the final vendor; by default, unless they could reasonably foresee the issue, they'd be liable to at most a full refund for the licence fees everyone has paid them for licences for those instances. Of course, they could be liable for more - but no amount of disclaimers will limit their liability below the sum paid in my local jurisdiction.
This doesn't mean that it will affect open source - Exchange is a product, but there's no liability on (e.g.) the RSGB for publishing circuit diagrams in RadCom that could be dangerous if constructed badly. That said, it will affect people like Canonical, SUSE and Red Hat - if you're selling open source software (even just as a bundle with support), you become liable to ensure it works, or to refund people.
Posted Mar 7, 2021 0:07 UTC (Sun)
by pizza (subscriber, #46)
[Link] (1 responses)
This is a key point -- If your jurisdiction decided to change the law to override disclaimers of warranty and/or liability waivers, it would affect far more than the likes of Microsoft or "software". I don't think it's an exaggeration to say that it would send most of the economy to a screeching halt, and any software/products/services offered under the new regime will come with a _much_ higher price point, proprotional to the heightened, un-waiveable liability the seller/producer/manufacturer is potentially responsible for.
This distinction is why you can buy device that measures your pulse for $20, but a "medical device" that does the same thing (with the same fundamental components!) costs $2000. The "medical device" is sold with explicit promises of merchantability, reliability, and accuracy, and there are major penalties if it fails even if there was no malice or negligence involved. The development and certification process necessary to meet those requirements is quite extensive, and therefore quite expensive. Plus you have to carry significant amounts of insurance to ensure you can meet those liabilities.
> That said, it will affect people like Canonical, SUSE and Red Hat - if you're selling open source software (even just as a bundle with support), you become liable to ensure it works, or to refund people.
"works" for what purpose, exactly? That's going to have to be explicitly spelled out...
Posted Mar 7, 2021 20:13 UTC (Sun)
by farnz (subscriber, #17727)
[Link]
Disclaimers of warranty are already overriden by local law here, and have been since the 1970s (coming up to 50 years). A product has to be of a reasonable standard given the price charged, and to last a reasonable time, again taking the price into account; it is expected to function as advertised before the sale.
So, the $10 pulse oximeter I own calls out what I can expect of it on the packaging - high error margins, low reliability. There's no disclaimer of warranty, nor a liability waiver; instead, there's setting of expectations so that the company selling the device is clear that they're not liable for anything beyond the functionality of the device, and that the functionality is about what you'd expect for a $10 device. If it doesn't do what they've promised it does to a reasonable standard for a $10 device, then my options are limited to a repair, replacement or full refund at the vendor's discretion in the first instance (I get a right to a refund if they cannot repair or replace) - so $10 at most. The similar device a local hospital uses does indeed cost a lot more - but as you say, that is because they are promising a lot more.
The net effect is that companies become very clear about what functionality you can expect from a device, because full refunds are not something you want to give very often. For Canonical, Red Hat, etc, the result is that you advertise a lower expectation, because you can be held to that; so Exchange would have to be advertised as insecure to escape liability for the hack.
Posted Mar 6, 2021 16:18 UTC (Sat)
by pizza (subscriber, #46)
[Link]
I agree completely; (though "worthwhile" in this context should mean "going after anyone else will get you laughed out of court and on the hook for the other parties' else's legal fees)
Every single scenario suggested as a reason we need "accountability/liability" has been malicious in nature (ie involving mens rea &| actus reus). I have yet to see anyone explain what sort of liability should flow from accidents, why that should extend all the way to the individual software authors (instead of the "owners" of the software) and how the software profession can possibly survive that.
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
You provide a paid product or service? Either you can prove who provided your supplies or you're directly liable. In other words, a proper regulation wouldn't be about what's required for you to do something, but what's required for those who are supposed to "guarantee" it works correctly.
One of those requirements is have a face and name for everyone involved in the making. If you can't do that for an open source project, then don't use it for your product or you're liable for any defects it may have. The author of such code should still be one with full choice about whether to remain anonymous, it's you as downstream that's responsible of picking only the public ones. Anyone who decides to use the anonymous' code is legally responsible for doing so.
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
become increasingly affected by societal issues, including, both ethical and political issues ( US gov + Huawei + Google case is probably a good example of such political issue ), all of which will affect how the future framework ( rules and regulation ) surrounding it and how the rest of the software sector is shaped in the future.
https://www.microsoft.com/security/blog/2021/03/02/hafniu...
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Wol
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with
Woodruff: Weird architectures weren't supported to begin with