The Python Software Foundation on European cybersecurity
Posted Apr 26, 2023 12:14 UTC (Wed) by Wol (subscriber, #4433) In reply to: The Python Software Foundation on European cybersecurity by farnz
Parent article: The Python Software Foundation on European cybersecurity
But they've presumably solved that with things like car radios; Ford aren't liable for aftermarket replacement radios. Even though those radios are clearly designed only to work in cars.
(In that case, it's two separate transactions, with consideration going in two directions. In the library example, it's the same supplier and you have to buy the licence to activate the software. One payment, one supplier.)
Cheers,
Wol
Posted Apr 26, 2023 15:07 UTC (Wed) by farnz (subscriber, #17727)
The solution with aftermarket radios is standard interfaces, and an obligation to meet those interfaces whenever you sell a component - if a car uses a non-standard wiring setup, then it's on the car maker to document how you go from the non-standard version to the standard versions.
We could go for that solution with computing, where all APIs and ABIs must be standardised, and you must specify how to convert your internal stuff to the standard stuff, but that's got its own costs that we'd prefer not to pay; the only reason it works for in-car entertainment is that the interface was well-understood for a good 20 years before we insisted it be standardised, whereas if you look at ABIs from 20 years ago, we've changed all sorts of things.
And in the library example, it's also two suppliers - one payment to DodgySoft Limited to buy the core library that makes everything else work, with the software you need coming from DodgySoft Research for free. Two different sources, legally speaking, and DodgySoft Limited is only on the hook for the core library, not the bits you got from DodgySoft Research - even though the bits you want are from DodgySoft Research, and you're only buying the tiny core from DodgySoft Limited because without it, you can't use the bits from DodgySoft Research.
Fundamentally, we have two conflicting goals to reconcile:
The conflict is that we don't want to make people gifting code as Open Source liable, but we do want all commercial users of that code to have liability that they have to deal with somehow - whether through support contracts, insurance, or just being good at avoiding security issues. In turn, this means that we need to be careful to avoid loopholes that let you disguise commercial supply of code as an Open Source gift.