Date: Thu, 09 Oct 2014 15:19:19 -0400 (EDT)
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: Re: Thoughts on Shellshock and beyond

On Thu, 9 Oct 2014 08:28:23 -0700, Tim <tim-security@...tinelchicken.org> wrote:
> Seriously though, I agree with you that some form of liability ought
> to be introduced in order to create the business incentive to change
> development practices. However, the devil is in the details, and as
> Michal pointed out, you don't want to squash open source innovation.

I am more skeptical, because unless you get the details right for liability, the cure is worse than the disease. One problem is that there needs to be broad agreement on "what is not acceptable and thus is okay to sue for". Without that, liability is just a system for enriching lawyers. This has been challenging to do in software; process standards typically fail to keep up, and we don't know how to ensure that product standards are met ahead-of-time.

Those interested in software liability should read "Cybersecurity as Realpolitik" by Dan Geer (Black Hat USA 2014) at
http://geer.tinho.net/geer.blackhat.6viii14.txt
https://www.youtube.com/watch?v=nT-TGvYOBpI

He proposes:

0. Consult criminal code to see if damage caused was due to intent or willfulness.
1. If you deliver your software with complete and buildable source code and a license that allows disabling any functionality or code the licensee decides, your liability is limited to a refund.
2. In any other case, you are liable for whatever damage your software causes when it is used normally.

I'm skeptical of this specific list, to be honest. It's very difficult to identify a liability scheme that would make sense. On the other hand, clearly the current system could stand improvement :-).

--- David A. Wheeler