Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 09 Oct 2014 15:19:19 -0400 (EDT)
From: "David A. Wheeler" <>
To: "oss-security" <>
Subject: Re: Thoughts on Shellshock and beyond

On Thu, 9 Oct 2014 08:28:23 -0700, Tim <> wrote:
> Seriously though, I agree with you that some form of liability ought
> to be introduced in order to create the business incentive to change
> development practices.  However, the devil is in the details, and as
> Michal pointed out, you don't want to squash open source innovation.

I am more skeptical, because unless you get the details right for liability,
the cure is worse than the disease.  One problem is that there needs to
be broad agreement on "what is not acceptable and thus is okay to sue for".
Without that, liability is just a system for enriching lawyers.

This has been challenging to do in software; process standards typically fail to keep up,
and we don't know how to ensure that product standards are met ahead-of-time.

Those interested in software liability should read
"Cybersecurity as Realpolitik" by Dan Geer (Black Hat USA 2014) at
He proposes:
0. Consult criminal code to see if damage caused was due to intent
   or willfulness.
1. If you deliver your software with complete and buildable source
   code and a license that allows disabling any functionality or
   code the licensee decides, your liability is limited to a refund.
2. In any other case, you are liable for whatever damage your
   software causes when it is used normally.

I'm skeptical of this specific list, to be honest.  It's very difficult to
identify a liability scheme that would make sense.  On the other hand,
clearly the current system could stand improvement :-).

--- David A. Wheeler

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.