EU situation should be looked at by everyone
EU situation should be looked at by everyone
Posted Dec 13, 2023 10:47 UTC (Wed) by khim (subscriber, #9252)In reply to: EU situation should be looked at by everyone by Wol
Parent article: Bottomley: Solving the Looming Developer Liability Problem
> I'm all for treating the software industry like any other, and THIS ISN'T IT.
Show me one jurisdiction, when manufacturing mistakes in a car are responsibility of a car dealer and actual manufacturer is exempt and we'll go from there.
> This would up-end the entire world of commercial contracts, liability, everything.Why? It's like any other business, according to law: the guy who did the final packaging work is liable for everything, but if problem is with components (namely Debian or NPM module) then producer of said component is on the hook. And if Debian inherited bug from Linux Foundation then said Linux Foundation is responsible and so on.
AFAIK that's how all other industries operate, too: except if you sell counterfeit you may easily send all these safety requests to manufacturer if you are just a box mover.
Why should software be any different?
Posted Dec 13, 2023 11:24 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (8 responses)
England & Wales has been that way forever. A manufacturing fault in a car is the responsibility of the dealer in law, and the manufacturer doesn't come into it.
In practice, dealers are unwilling to take on liability for manufacturing defects without being able to pass it back to the manufacturer, and thus sign contracts that state that - and manufacturers include "warranties" as part of selling the car to the dealer that can be transferred to the final customer, but legally speaking, if I buy a brand new BMW from Park Lane Limited tomorrow, only Park Lane Limited are liable for manufacturing faults.
Posted Dec 13, 2023 15:25 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
So as I've said elsewhere, I deal with the DEALER. Any problems, as far as I'm concerned, are the DEALER'S problem. But because the dealer was the manufacturer's agent, if there are problems I can target the manufacturer as a backstop. But that's not always true.
And because this is almost invariably hidden from the customer, any attempt BY THE DEALER to HIDE behind this would pretty much instantly be slammed as fraud or deception. (It's not a problem in the normal course of events, because it's not used in the normal course of events to evade liability. It's just a convenient legal fiction.)
Cheers,
Posted Dec 14, 2023 0:06 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (6 responses)
What happens if you buy a BMW from Totally Honest Guys Inc. that gets bankrupt and liquidated tomorrow? I'm really curious.
Posted Dec 14, 2023 9:07 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (3 responses)
Which is why you should always look seriously askance at any (sales) company that says "we guarantee our own products". If the company goes bust, the guarantee goes with it.
As was mentioned elsewhere, typically BMW will provide a guarantee with the Mini, which the dealer then transfers to you. You now have a CONTRACT with BMW, mediated by the dealer, and if the dealer goes bust BMW will guarantee the contract. Likewise if the dealer was mere agent your contract is with BMW, not the dealer.
Elsewhere you should look for companies that say "we have an insurance contract that covers our guarantees" - you now have a CONTRACT with the INSURANCE COMPANY (or will have, when the receiver transfers it over to you, which they have no choice about). Or the supplier provides a warranty - that's more hassle and grief than going through the retailer, but it least it's a back-stop.
Cheers,
Posted Dec 14, 2023 9:55 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Dec 14, 2023 10:05 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (1 responses)
Cheers,
Posted Dec 14, 2023 10:46 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
Manufacturer recalls are slightly different; those exist because to get a V5C (registration document showing that the car is allowed on the road), you must first show that the car meets requirements.
There's two ways to do this:
This is entirely separate from general liability - it's part of having the rights to use type approval to get a V5C instead of having to use individual vehicle approval.
Posted Dec 14, 2023 9:31 UTC (Thu)
by geert (subscriber, #98403)
[Link]
Posted Dec 14, 2023 10:14 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
So, first two questions (since "Inc" is not a legally protected suffix in England & Wales); is "Totally Honest Guys" a limited company or not? Second, are the debts contractual (in which case, you're an ordinary creditor) or statutory (e.g. goods of merchantable quality, in which case you're a priority creditor)?
If they're not a limited company, then you're probably stuffed; you've been dealing with a trading name used by a single individual or group of individuals, and you're limited to what you can get out of them personally; if they've got insufficient assets to cover you, you're out of luck. If their liability to you is statutory, however, you get to "go first" when it comes to their remaining assets, before the ordinary creditors; but usual rules about money from nothing apply.
If they're a limited company (i.e. have a company registration at Companies House), it gets more complicated; the liquidation is supposed to put aside a "residual" of the company to cover potential liabilities to priority creditors, which pays out to ordinary creditors as the liabilities fail to materialize. If there's not enough left to put aside a full residual, the directors were trading while insolvent, which is a criminal matter in its own right, and also puts them on the hook personally for any liabilities the residual fails to cover; trading while insolvent (at a minimum) prevents you being a company director for a period of time, and can include a jail sentence. The residual will pay out the liabilities if they occur, or will pay the ordinary creditors if the liability fails to materialize (e.g. if 7 years after bankruptcy, your car has been fine, the money that was put aside to cover the risk that your car needed repair, replacement or partial refund due to merchantability issues will have gone to ordinary creditors in full).
In practice, BMW probably step in to protect their brand in either case, if it's a new car; "Totally Honest Guys" is, if selling new cars, almost certainly trading as "BMW New City" or similar, and BMW want you to be talking about how they stepped in to help you out, not about how you bought a new BMW and had a really bad experience when "BMW New City" went bankrupt.
Posted Dec 13, 2023 11:28 UTC (Wed)
by mb (subscriber, #50428)
[Link] (14 responses)
Under German law that is actually possible:
https://www.ihk.de/darmstadt/produktmarken/recht-und-fair...
>Händler sind aber immer dann unbeschränkt haftbar, wenn sie die fehlerhaften Produkte von einem Importeur gekauft haben, der aus einem Drittland importiert und dessen Name nicht feststellbar bzw. auffindbar ist. [..]
Deepl translation:
>However, retailers are always liable without limitation if they have purchased the defective products from an importer who imports from a third country and whose name cannot be determined or traced. [..]
Posted Dec 13, 2023 11:46 UTC (Wed)
by khim (subscriber, #9252)
[Link] (13 responses)
Thanks for being constructive and offering concrete evidence and not just your ideas about how world should work and not about how it works. Yes, if dealer imports something from abroad and court couldn't reach an actual manufacturer then importer may be held fully responsible, which makes perfect sense: court would love to make the actual guy who does “bad things” responsible, but if they are out of read… importer would have to shoulder that responsibility. Makes sense. I guess that idea would be applied to software, too. Hmm. This would mean that if forges would just leave EU they may avoid all the blame. I wonder what would be the next step, though. Make use of Debian or Gentoo, directly downloaded from outside of EU illegal? We'll see, I guess.
Posted Dec 13, 2023 13:01 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (12 responses)
Posted Dec 13, 2023 14:01 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (11 responses)
The difficulty is that Debian can be both a component supplier and a seller to consumers itself; for the purposes of the CRA, me downloading a binary ISO for personal use from debian.org can count as a sale of a product (this being how the CRA intends to prevent - for example - free trials of a proprietary product, or advertising-supported products that are also free at point of distribution from being exempt from the CRA). Whether or not it counts depends on the details of the CRA.
Now, me acting as an employee and downloading Debian is not guaranteed to be a purchase of a product for the purposes of the CRA, because my employer is not a private individual, and thus for business-to-business transactions like that, the contract terms matter.
Posted Dec 13, 2023 14:55 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (9 responses)
And any attempt to make Debian, or Gentoo, or Sourceforge ... liable to J Random Downloader will make a complete mockery of contract law. It's not going to happen.
Absent SOME sort of contractual relationship between the user of the software and developer or download site, nothing will be able to stick. All this angst about liability will only come to pass if there is some sort of fraud, or deception, or otherwise attempt to benefit without taking responsibility.
Writing software for pleasure and giving it away cannot in any way be construed as malicious, fraudulent, deceptive practice, or whatnot. Absent that, a contract is an absolute minimum for transfer of liability. Absent both of those, you're untouchable (well, maybe not, anybody can sue for anything, but European courts are far more likely to call that for what it is - a malicious plaintiff, and then they're not facing the wrath of their victim, they're facing the wrath of the court, which is NOT a nice place to be!)
Cheers,
Posted Dec 13, 2023 14:59 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (8 responses)
Offering a download to all comers is a contractual relationship, as to do so you need to grant permissions under copyright law. It's not a very strong relationship, but it exists - else by downloading it, you're breaking copyright law, and the offerer has acted to incite you to breach copyright.
Posted Dec 13, 2023 16:06 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (7 responses)
"Offering for download" is NOT "mutual consideration".
Cheers,
Posted Dec 13, 2023 16:07 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (6 responses)
There is a mutual exchange of consideration; Debian offers you a copyright licence, and you agree to be bound by its terms. It's not a big exchange, but it is an exchange of consideration, and enough to establish a contract.
Posted Dec 13, 2023 16:36 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (3 responses)
Posted Dec 13, 2023 16:42 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (2 responses)
It owns a copyright on the aggregation of the software into a single ISO image (the editorial choices about what to include and omit) - it can give you a licence to that. It can't give you a custom licence on the code inside the aggregation, though. And it's a licence for that aggregation that it's offering, in return for you accepting Debian's terms.
Posted Dec 13, 2023 17:17 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (1 responses)
Posted Dec 14, 2023 11:57 UTC (Thu)
by paulj (subscriber, #341)
[Link]
Without a clear and explicitly worded exception for things like Debian the CRA we may end up having to wait for cases to arise in a few member states. We do know the likes of ASF believe the CRA is /designed/ to apply to foundations like them, as they have directly engaged with relevant EU legislators on the issue. In the worst case, we may need to wait till a case goes to the ECJ to get clarity.
Posted Dec 13, 2023 21:00 UTC (Wed)
by xtifr (guest, #143)
[Link] (1 responses)
No. All Open Source licenses (or licenses which comply with the Debian Free Software Guidelines) are distributor licenses, not user licenses! The licenses grant Debian the right to give you the programs, but you are under no obligation to accept or comply with those licenses! Of course, without the permission granted by those licenses, you cannot make copies for others (or in the case of the AGPL, run the code on a public-facing server), but unless you want to make copies for others, that's a non-issue, and you can ignore the licenses rather than accept them. The GPL even explicitly states that you need not accept it and can instead choose to be bound by normal copyright law--which means no making copies. And if you do choose to accept the license terms and distribute the code, that's between you and the copyright holders! Aside from code Debian actually wrote (apt, dpkg, etc.), Debian didn't offer you any licenses! They merely passed along the license offers. There is no agreement between you and Debian regarding the kernel or the shell or python or X or anything. Debian merely exercised their rights under the license to give you a copy; their involvement basically ended when the download finished!
Posted Dec 13, 2023 21:24 UTC (Wed)
by farnz (subscriber, #17727)
[Link]
But Debian aren't just offering me the software; they're also offering me their arrangement of that software into a compilation, which itself has a form of copyright applying to it. The licence I accept from Debian may well be implied, rather than explicit, but I need some form of permission to allow me to copy that arrangement.
In EU law, there's certain licences that are granted automatically as a matter of law, but they're still enough to function in terms of the offer, consideration, acceptance set required to form a contract - Debian, in this case, is offering me a licence (which it presumably has permission to do) that permits me to download the installer image.
Posted Dec 13, 2023 16:21 UTC (Wed)
by bluca (subscriber, #118303)
[Link]
Those clauses are clearly and explicitly defined to catch freeware/lite/ad-free/platform/base versions given out in the course of a business venture. So it does not apply at all to Debian: there is no "full" or "ad-free" version of Debian that you can get if you sign a contract, there is no business to the side that benefits from giving away the images, there's nothing at all, it's all just there. It very clearly does not fall into that category.
Posted Dec 13, 2023 11:48 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (2 responses)
This is EXACTLY how box movers get clobbered for selling counterfeit goods. The box mover has a contract with their supplier, and passes the buck back up the chain. If the box mover tries to pass liability to the manufacturer, they just reply "counterfeit" AND THE BOX MOVER IS ON THE HOOK!
Cheers,
Posted Dec 13, 2023 11:56 UTC (Wed)
by khim (subscriber, #9252)
[Link] (1 responses)
Let us see if Debian would succeed in declaring that copies used in NAS boxes are counterfeit or not 🤪.
Posted Dec 13, 2023 14:57 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Dec 13, 2023 12:29 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
Why is the producer of said components on the hook? NO CONTRACT - NO LIABILITY. END OF.
At the end of the day, if "the guy who did the final packaging" needs to pass liability onwards, then he needs a contract that allows him to do so. Without a contract, he's SOL.
Cheers,
EU situation should be looked at by everyone
EU situation should be looked at by everyone
Wol
EU situation should be looked at by everyone
EU situation should be looked at by everyone
Wol
EU situation should be looked at by everyone
Wol
EU situation should be looked at by everyone
Wol
EU situation should be looked at by everyone
EU situation should be looked at by everyone
UK liabilities during bankruptcy
EU situation should be looked at by everyone
>Der Händler haftet natürlich auch immer dann, wenn er selbst Importeur aus einem Drittland ist und die Ware vertreibt.
>Of course, the retailer is also always liable if he himself is the importer from a third country and sells the goods.
EU situation should be looked at by everyone
EU situation should be looked at by everyone
EU situation should be looked at by everyone
EU situation should be looked at by everyone
Wol
EU situation should be looked at by everyone
EU situation should be looked at by everyone
Wol
EU situation should be looked at by everyone
EU situation should be looked at by everyone
EU situation should be looked at by everyone
EU situation should be looked at by everyone
EU situation should be looked at by everyone
EU situation should be looked at by everyone
Debian offers you a copyright licence, and you agree to be bound by its terms.
EU situation should be looked at by everyone
EU situation should be looked at by everyone
Debian would have to start selling access to Debian++ "now built with -O4 for extra speed!!11" and using the "slow" version to entice new customers to fall afoul of those rules.
EU situation should be looked at by everyone
Wol
EU situation should be looked at by everyone
EU situation should be looked at by everyone
Wol
EU situation should be looked at by everyone
Wol