Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
United States

Free Software at Risk Under Lemon law 393

Posted by timothy
from the officialism-and-its-discontents dept.
mpawlo writes: "Newsforge published a piece I wrote on a lemon law for software. That is - what would happen if shrinkwrap limitation of liability clauses would be banned? I think Microsoft and the GNU Project would both suffer."
This discussion has been archived. No new comments can be posted.

Free Software at Risk Under Lemon law

Comments Filter:
  • Really? (Score:5, Insightful)

    by sheldon (2322) on Sunday May 12, 2002 @02:55PM (#3506912)
    I love this little quip:
    "We all know that the open and distributed model for development described in Eric S. Raymond's book "The Cathedral and the Bazaar" is much better and creates more reliable products than any closed non-distributed development model. "

    I'm wondering if the author can substantiate this claim with facts.

    This is the primary problem with Open Source advocacy, it relies a lot upon blind faith.
    • Re:Really? (Score:3, Insightful)

      by totallygeek (263191)

      "We all know that the open and distributed model for development described in Eric S. Raymond's book "The Cathedral and the Bazaar" is much better and creates more reliable products than any closed non-distributed development model. "


      I'm wondering if the author can substantiate this claim with facts.


      I think that facts can be referenced by security incidents, patches, and accessibility on complete products. One of the problems with open-source systems: a lot don't go 1.0. If the program works great, but never goes 1.0 release then no one can critique its bugs because it is still in development.


      To be fair to closed-source projects, you cannot group Microsoft Windows into the same catagory with something like Unicos. Both are closed-source, but Unicos is particularly designed for a specific platform on specific hardware, where Windows is designed to run on a handful of platforms (NT on MIPS, PPC, etc, and "regular" Windows on x86->P4) and on just about any hardware thrown at it. Windows would be more stable (forget security for a sec) if people would keep it running on hardware designed for Windows with proper drivers sanctioned by Microsoft.


      As for open-source there are many pieces of software that just plain suck! We all need to be honest!

      • Re:Really? (Score:2, Insightful)

        by BurritoWarrior (90481)
        Windows would be more stable (forget security for a sec) if people would keep it running on hardware designed for Windows with proper drivers sanctioned by Microsoft.

        No, you have it backwards. A well designed OS would not barf all over itself and dy because of a bad driver. The driver/device might fail, but the OS would chug right along.

        As for open-source there are many pieces of software that just plain suck! We all need to be honest!

        You are right, there are plenty of open-source software projects that suck. Of course, there are plenty of closed-source software projects that suck too. I don't see the relevance at all.
        • Re:Really? (Score:2, Informative)

          by roybadami (515249)

          No, you have it backwards. A well designed OS would not barf all over itself and dy because of a bad driver. The driver/device might fail, but the OS would chug right along.

          Well, that rules out most operating systems then. Most OS's run drivers at the same privilidge level as the kernel, and hence a broken driver can crash your system.

          In fact, many hardware architectures only support two privildge levels, so it's impossible to fix this in general (though x86 supports 4, which would allow the OS to protect itself somewhat from a rogue driver).
        • Re:Really? (Score:5, Informative)

          by cscx (541332) on Sunday May 12, 2002 @04:35PM (#3507287) Homepage

          No, you have it backwards. A well designed OS would not barf all over itself and dy because of a bad driver. The driver/device might fail, but the OS would chug right along.


          Yeah, good thinking. Then we'd never see freezes like this, right?
          ---------

          Unable to handle kernel NULL pointer dereference at virtual address 00000016 printing eip: d18677ac
          pgd entry c14a1000: 0000000000000000
          pmd entry c14a1000: 0000000000000000
          ... pmd not present!
          Oops: 0000
          CPU: 0
          EIP: 0010:[]
          EFLAGS: 00010097
          eax: 00000004 ebx: c78306b8 ecx: 00000006 edx: cfaf1b40
          esi: 00000016 edi: c78306b8 ebp: c7830540 esp: c026ff14
          ds: 0018 es: 0018 ss: 0018
          Process swapper (pid: 0, stackpage=c026f000)
          Stack: 00000000 00000004 00000000 00000016 cfaf1b40 00000046 00000987
          000001a7
          00000001 c7830400 00002710 c011daa8 00000246 00000000 c02ad5a0
          003c0000
          c5829da0 24000001 00000003 c026ffa8 c010a30a 00000003 c7830400
          c026ffa8
          Call Trace: [<c011d1a8>] [<c010a30a>] [<c010a488>] [<c0107240>] [<c0107240>]
          [<c01090c4>] [<c0107240>]
          [<c0107240>] [<c0100018>] [<c0107263>] [<c010722e2>] [<c0105000>]
          [<c0100191>]

          Code: f3 a6 0f 97 c2 c0 38 c2 0f 84 d4 fe ff ff ff 44 24 08
          Kernel panic: Aiee, Killing interrupt handler!
          In interrupt handler -- not syncing

          --------

          I am so sick of this elitist bullshit around here. Software crashes!! Get it? OK?? Nothing is completely immune, you know, humans write OSes, there's bound to be a few bugs here and there. When drivers run at Kernel Level, and they fuck up, that's when shit goes haywire.

          That's the #1 reason Microsoft introduced "driver signing" in Windows 2000 and XP (and certification before that) --- to avoid shit like that. If the driver isn't certified by them, they're warning you, if shit goes wrong, it's your fault.
        • A poorly written interrupt service routine can crash almost any "well written" OS. Most people love to complain about being poorly written but they give no credence to the architecture the OS is written for. For instance it is not fair to compare Win3.1 to Win2k because the newer CPU architectures trap more problems then my old 386 could.

          However I am not claming that Win3.1,95,98, and ME were not pathetic excuses for operating systems.
    • This is the primary problem with Open Source advocacy, it relies a lot upon blind faith.
      Methinks blind faith applies to Closed Source. With Open Source you get to use your eyes.

      For facts, with Open Source edge and corner cases can be diagnosed and debugged AFTER release. Effectively you tend to get 1 or 2 more 9's more reliable product with minimal cost. There's no magic bullet and not even Open Source will make everything bug-free, but Open Source is probably the only effective way to deal with "scissors, paper, stone" scenarios where the is no a priori solution.


    • I don't know how that Lemon Law was written, and as a NON-lawyer, I just has this to say ...

      Think of Free Softwares as Lemons you picked from a Lemon Orchard.

      Thank of Commercially Shrinkwrapped Softwares as the one you purchase from supermarket.

      Both the Free Softwares (aka Lemons you picked from Lemon Orchard) and Commercially Shrinkwrapped Softwares (aka Lemons you bought from supermarket) _WERE_ owned by somebody BEFORE it got into your hand.

      If you ate the Lemons you picked (FREE) from a Lemon Orchard, and you got sick from it, how much right you have on SUING the Lemon Orchard owner ?

      On the other hand, if you purchased a lemon from a Supermarket, ate that thing and you got sick, I am sure you have causes to sue the supermarket owner.

      Applying the above principle, I don't think those who wrote Free Softwares (other than those who had BAD INTENTIONS) can be successfully sued - for the users of FREE Sofwares didn't pay ANYTHING to the authors.

      On the other hand, the producers of Commercial shrikwrapped Softwares might be liable for whatever harm that comes from the softwares - for the authors of the commercial softwares got PAID by the users, either directly, or indirectly.

      And let me re-iterate this - I am NOT a lawyer. Do not take what I say as fact, please !

  • by blakestah (91866) <blakestah@gmail.com> on Sunday May 12, 2002 @03:03PM (#3506949) Homepage
    I am not sure the author of this thought it through. Consider the 2 cases - the GPL software, and Microsoft software.

    GPL software liability would be born by the distributors, and not by the authors (as the article claims). Distributors of software merely need to be reasonably accurate as to the capabilities of their software. Authors of software have no real issues.

    Microsoft has a lot of its retail sales go through OEM manufacturers. Those OEMs would bear a heavy liability. So you can predict that the OEMs would rapidly reconfigure Windows to turn off all the nasties like ActiveX, auto-execution of attachments, automatic installation of servers like IIS, macro executable capabilities in Office, etc. Essentially, they would make Windows secure by default.

    But I think reasonable liability for software sellers is a good thing.
    • by Surak (18578)
      GPL software liability would be born by the distributors, and not by the authors (as the article claims). Distributors of software merely need to be reasonably accurate as to the capabilities of their software. Authors of software have no real issues.

      Yep. IANAL, but liability attorneys aren't likely to sue Open Source authors because A) there was no money actually paid to them by customers, and B) Open Source authors aren't likely to have as much in the way of financial resources as the software publishers. When you sue in a liability case, you go for the deep pockets.

      • Yep. IANAL, but liability attorneys aren't likely to sue Open Source authors because A) there was no money actually paid to them by customers, and B) Open Source authors aren't likely to have as much in the way of financial resources as the software publishers. When you sue in a liability case, you go for the deep pockets.

        How about corporations that contributed to thr free software codebase? They may just hav ethe deep pockets or insurance to cover a claim. In addiotn, with enough people writing code, *someone* may just have enough assets to cover a claim. I guess, in theory, someone could name everyone involved with the development of the code and then collect from homever has the assets. Even if you have no money, the threat of being sued may be enough to stifle development. As for companies, they'd have to think before getting involved with free software about the liability danger.
      • IANAL, but we should think more evily. Money is not always won directly. What do i mean? They may sue the Samba folks or the Mozilla pals not to take money from them, but to shut them down.

        After that they can start making REAL money. When you limit the analisis, the evil minds win.
    • by Ooblek (544753)
      Well that just solves everything! Oh, wait, without distributors, how is OS software disseminated to the general public on the scale it needs to be in order to get any market share? Oh, that would be the distributors!

      I'm going to now go out and make a distributing company! Yes, now not only do I have to peer review EVERY line of code that goes into what I distribute, but I have to accept liability for it if it screws up! Yeah, I'm sure VC would be totally into that.

    • by mjh (57755)
      GPL software liability would be born by the distributors, and not by the authors (as the article claims). Distributors of software merely need to be reasonably accurate as to the capabilities of their software. Authors of software have no real issues.

      I disagree with this. All it would take to put the fear of a lawsuit into all developers considering releasing code under GPL is one large organization who had a vested intersest in shutting down GPL code. [microsoft.com] I wonder if anyone like that exists.

    • How does GNU suffer?

      Simple. I go to my boss and say I want to do X, and package Y suits our needs. Boss runs the Software License by legal(which is standard practice in most companies) and legal tells us we can't use it because of the liability disclaimer.

      Right now everybody has one of those disclaimers, but if the law changes... that makes the commercial software all the more attractive.
      • Simple. I go to my boss and say I want to do X, and package Y suits our needs. Boss runs the Software License by legal(which is standard practice in most companies) and legal tells us we can't use it because of the liability disclaimer.

        There will always be a niche for business needs to be filled by software backed by businesses. This in no way indicates it will come without liability. Call up IBM and ask them for a service contract with liability. Or RedHat. Or any other service oriented UNIX company. GPL'd software can be gotten by distributors that will provide reasonable assurances of its function. The difference between it and proprietary software is that GPL'd software can also usually be obtained for free with no liability.
    • But I think reasonable liability for software sellers is a good thing.

      IMHO, it would be best to have a gradient of solution, depending on the problem. For a simple example, a desktop user may use unwarranted software for a shopping list, but should requiere a warranted product for shopping on the net.

      A warranted product would be a product that conforms to some fixed requirements. For example, the shopping software (or tool) should be open source, or audited, or the company selling/offering it should be liable in some cases.

      Not all products should be in the same bag. My scheduling program is important, but not as important as my bank accounts (for example).
  • If a company incorporated out of the country, would this then be nullified, or is the foreign software company subject to US laws on products sold here from there?

  • Free software only has to change it's modal slightly.

    a disclaimer that states "This is beta software only and is not to be used for anything important. We guarentee that it will break, lose all your data, and possibly burn down your house and several near it. DO NOT USE THIS SOFTWARE"

    that will instantly make it immune to any "lemon law"
    • Oh sure, then when it fails to lose your data, you sue the company for false advertising ;)

      It's funny, not offtopic.

    • a disclaimer that states "This is beta software...DO NOT USE THIS SOFTWARE"

      that will instantly make it immune to any "lemon law"


      It would also instantly make it immune from any serious IT department!
  • by oPless (63249) on Sunday May 12, 2002 @03:07PM (#3506972) Journal
    huge difference (#13146)
    by Anonymous Reader on 2002.05.11 13:21

    I am not a lawyer (thankfully), but I do know that if I pay for something, and it fails, I am entitled to compensation. If it fails from negligence or designed error, then there can be punitive damages. But let's examine the case of a Linux/BSD web server, running Apache, MySQL, and PostNuke.

    To be safe, I download for free a non-commercial Linux such as Debian, or FreeBSD. I might be mistaken, but both are developed by groups of people, and anyone is allowed entry if they are competent enough coders. But a group is not a company. The whole corporation/private/public/IPO thing. I acquire, freely and legally, a copy of their work. They might have benefactors and patrons, but that isn't the same as employers.

    So I download Apache, MySQL, and PostNuke. All fall under the same category. Maybe MySQL doesn't, then just replace MySQL/PostNuke with Perl/DBI.

    So now a huge bug develops, a hole so large, it had to be coded in Redmond. I lose all my data, my competitors get my secrets, and I'm on unemployment line next to Enron execs. Who do I have to blame?

    Let's see, someone or some people worked on a project that was supposed to do some particular task. They made it freely available, source and all, so that others might work on it as well. They made no claims about it's security, stability, etc. Others may have, but they did not misrepresent the software in any way.

    I did not contribute, but I saw an opportunity to use their work. So I did. They received nothing from me, not money, not anything. And, the whole time, the company kept no secrets about the product, and in fact, by making the source available, does just the opposite.

    There was no intent to decieve, nor any misrepresentation. By not purchasing the product nor any sort of service contract, I entered into no agreement with the group.

    Going in, I understand the risks. I assume the responsibility if problems occur. This is 180 degrees different from microsoft, since they make plenty of claims, and since there is a legal agreement between a company and microsoft, and because they are marketing a product with known liabilities.

    No, free/open source software doesn't stand to be shut down, rather it stands to gain tremendously. The problem is for companies like RedHat which sell and service open source software. So, form the commercial standpoint, it hurts linux companies who don't have billions to spend on lawyers, like er um, microsoft. But it doesn;t hurt open source software.

    rob mandel
    ^^^----- Posted anonymously here [newsforge.com]
    • No, free/open source software doesn't stand to be shut down, rather it stands to gain tremendously. The problem is for companies like RedHat which sell and service open source software. So, form the commercial standpoint, it hurts linux companies who don't have billions to spend on lawyers, like er um, microsoft. But it doesn;t hurt open source software.


      I don't even think that it will hurt Red Hat too badly. Normally (except in the case of injury or death), the vendor's liability for any product is limited to the purchase price. And Red Hat's business model is to make money off the consulting services, not particularly off the CD distributions. So they should be able to cover small claims on this front. And remember, even if a huge company installs it on 250 machines and sues, they probably only bought one copy, so the liability is still small.


      Even better, the way lemon laws work gives the vendor an option: return the purchase price or fix the problem to a customer's satisfaction. If an Open Source vendor runs into a huge bug with hundreds or thousands of claims, they are also likely to have a small army of developers (which they don't have to pay) working on fixing it. And so, they can get the fix, and distribute the patch to settle the claims. Customers like that even more than getting their money back.

      • Fixing the software to the customer's satisfaction may imply a lot more than one might initially assume.

        1) Is the fix made in a timely manner? If I base my business on a webstore that you wrote in your spare time, will you be able to get me a fix within 8 hours in the middle of your final exams?

        2) Does the fix solve the customer's problem? What if it is a performance / scalability problem, you designed the app to handle 100 transactions per day and the user wants to do 10,000? It dosen't need to be a technical problem either - what if the software is just too complex to use?

        Then, consider all of the overhead that the distributer needs in order to (a) test the problem to make sure that they can reproduce the bug - you don't want your developers to get thousands of bogus bug reports (b) find and communicate the problem to the developer (c) and communicate the status to the user.

        I think that this is a larger issue than most slashdot readers realize.
    • Going in, I understand the risks. I assume the responsibility if problems occur.

      [I know I'm going to burn through more karma for this!]

      But couldn't the same be said for commercial software? I don't see the magical line between "I paid money for something [hard cash, commercial software]" and "I paid other people money [bandwidth, CDs, whatever] for something". One thing I've learned in my life is to never underestimate the law and lawyers; those that pay almost always come out on top. Open source developers do not have the money to fight such suits, and will gladly fold into oblivion if challenged (see recent Wine contributors, DeCSS, bnetd for case examples).

      To create a law which provides for liability with software (i.e., Free Speech) seems very dangerous. Even if the intent is to punish those who are making incredible sums of money by shoveling out the most bug-ridden piles of garbage imaginable, it also impunes upon the hobbiest, the casual geek and the open source divoute (if, for nothing less than the threat of a lawsuit). Joe Programmer with his wiz-bang open-source program recieves a summons to a court 2,000 kilometers away is already out the time spent there and the plane tickets -- what is he more likely to do? Give up; which is just as awful as if he'd been found guilty of writing a program (Free Speech, again) that destroyed someone's data. Furthermore, he will serve as a warning to all other programmers (writers of Free Speech) that they should never, ever, under any circumstances release software that does anything.

      For all the grief that this would cause Microsoft; it would be worse for us, if only because we don't have a team of lawyers on retainer.

    • attractive nuiscence (Score:3, Informative)

      by blonde rser (253047)
      If I build a tree house on my property that is unsafe and someone tresspasses and uses this tree house (which I haven't even said he could use) and gets hurt then I am potentially liable both crimally and civilly. It's called an attractive nuiscence.

      I didn't charge anybody anything... I didn't even give permission for it to happen. Yet I am still at fault.

      Just because I don't profit off of a transaction doesn't give me a right to put somebody at risk - financially or physically - unless perhaps I am completely forth right; and even then often not. And simply saying "Well, at your own risk," is not completely forth right, not even close.

      The only different with purchasing the product is that the legal agreement is explicit. And in an explicit agreement risk can be accepted by the customer. But in the implicit agreement it is assumed that risk is accepted only if it obvious.Otherwise you're buying the right not to be put in a dangerous situation. Which u can't buy because u fundamentally own this as a citizen.

      As for the suggestion that there can't be a law suit because there is no company - I think it is pretty clear in the american litigation system there are no lack of defendants.
  • The legislation would skyrocket production costs for Microsoft if the company were forced to release foolproof products.

    Why would this happen? Car manufacturers used the same "skyrocket production costs" argument with the lemon law with cars. But it just doesn't mean that everything needs to be perfect. Instead it just ensures some basic quality control such as practiced in Japan [loyola.edu].

    As for free software, it would just mean that some of the legal entities that support a packaged product (i.e., Red Hat) would be held to the same standards. IANAL, but if the FSF says 'this isn't a complete product' they can't be held liable any more than a tire company could be for some idiot putting the wrong tire on their car.

    • The legislation would skyrocket production costs for Microsoft if the company were forced to release foolproof products.

      Microsoft has 40 billion dollors to play with, are you telling me they can't used the money to debug thier software to without raising prices on thier software?

    • I like this analogy. However, is it fair to say that a software project like WinXP Pro (2+Billion lines of code, right?) or something as complex as an Enterprise Relational Database Engine is actually far more complex then a Car - especially when defining a "reasonable working condition". Either a car is running reasonably well, or it's not. Either it meets simple safty regulations, or it's not. With software, the functionality is not only far more complex, but the potential failures are also far more complex. Many times it takes a serious investigation just to determine which software package caused the problem (was it caused by Linux? Mod_Perl? Apache? MySql?), and even then we aren't always sure. "Best Guesses" may work for debugging and fixing a problem but it won't work in court.
  • by mikethegeek (257172) <`blair' `at' `NOwcmifm.comSPAM'> on Sunday May 12, 2002 @03:13PM (#3506996) Homepage
    While I don't favor turning the sharks loose on software companies, it is obvious there NEEDS to be some sort of liability and responsibility for bugs.

    Some sort of "lemon law" that would REQUIRE the publisher to either correct bugs, and distribute patches for free, or else refund the purchase price IS needed.

    What needs to stop is companies like MS being able to leave gaping holes in their products, then correct some of them, and releasing them as "upgrades", ala Windows 98 SE and ME... Those were not really "new" OS's, they were service releases that increased the stability of `98...

    In all honesty, the commercial software publishers have brought this on themselves. Sure, MS distributes patches for free for the worst holes (ala, the ones that make Code Red, Nimda, and Klez work), but the fact is, they let their products LEAVE the house with those bugs in the first place.

    I see bad consequences for free software out of this, created for it by the closed source companies. Perhaps there can be an exception written in for companies that release source, and in effect, have industry wide peer review of their code.

    Eventually, if such a law isn't passed, sooner or later the sharks are going to class action sue and crack away ALL such limitations in the EULA's.

    There is too much money and lost productivity happening right now due to software defects.

    What we need is a defined list of responsibilities, passed into law, that can't be EULA'ed away.
  • by adam_megacz (155700) <`moc.zcagem' `ta' `mada'> on Sunday May 12, 2002 @03:16PM (#3507012)

    Neither the federal government nor any state has ever had any sort of warranty/liability law that would affect gifts (transactions involving no payment or consideration), unless the defect was willful and intentional (ie trojans). There is no negligence protection for gifts. I highly doubt that any such software lemon law would break with this ancient precedent.

    The GPL clause disclaiming only nondisclaimable warranties exists solely for severability purposes; the "unless prohibited by law" clause appears in almost every warranty disclaimer.

  • Don't hurry to modify me as a troll, but listen up. The whole point of this law is to cause software developers to pay more attention to the software they develop their software and especially QA it. If there is a Hospital or a goverment database running on software that fails, the developers SHOULD be prosecuted by LAW for this.

    The only little detail the law is missing is that people should be expecting what they pay for. If you pay hundreds of thouthands of dollars for lots of software licenses that is ment to be run doing mission-critical operations, the developer should be held liable for his work, because he's getting quite a sum of money. This shall not applicate to Free Software, since it's duh, FREE. You don't go around asking for support for a 10-year old TV set you got for free from a friend.

    Does anyone even know for sure what exactly does this law look like ? How many revisions is it supposed to go through ?
    • Limits? (Score:2, Insightful)

      by etesla (578110)
      If there is a Hospital or a goverment database running on software that fails, the developers SHOULD be prosecuted by LAW for this. But what about the hospital or government? Shouldn't they bear a good deal of the responsibility for either selecting solid software, or hiring someone to select such? In what manner is the liability to be limited? If I install RandomLittleUtilityX and it runs fine, and then install BigCorporateAndGenerallyTrustedProgramY and it breaks all over the place but runs fine on computers that don't have RLUX installed, is that RLUX's designer's fault, BCAGTPY's designer's/distributor's fault, or mine? If I write up a quick little utility to do something on my computer and it gets onto other computers through some P2P utility unintentionally and causes problems, should I have to pay for damages?
  • by Andrewkov (140579)
    No problem, just blame the crash on the library developers and kernel hackers.
  • Even assuming that such a "lemon law" could be passed (which is, to my mind, a dubious proposition in and of itself), it wouldn't affect Free/Open Source Software (or even proprietary freeware) at all because there's no contract between the the author/distributor of the software and the user.

    While IANAL, I did consult one about this once - when you give something away, you have no obligation to the recipient. Specifically, the recipient can't sue you if the product is defective in some manner.
    • You are a moron.

      Free and Open Source software is distributed under a contract [gnu.org]. The only software that's not distributed under a contract is public domain software.

      • And you sir are an imbecil! :)

        I am a lawyer, and as such I know what a contract is. Last time I checked, it requires mutual consideration. If you allow people to download your software for fee, it's a gift, not a contract.

        Maybe you should check your facts before calling someone a moron.
      • If you read the GPL, which you link to, you will find that paragraph 5 states:

        You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

        I might be way off, but As far as I can tell, that clause allows me to ignore the GPL, as long as I don't want or need the permissions it gives me. And those are for distributing and modifying, not using. You got the right to use the software when it was given to you.

        That's how I read it anyway.
      • No, you're the moron.

        A contract is a legally binding agreement made for mutual consideration.

        The GPL is a license given to redistribute a copyrighted work and derrivatives of it. It is unilateral permission given by an author to do that which a person normally cannot. There is no mutual consideration and no mutual obligation.

    • While IANAL, I did consult one about this once - when you give something away, you have no obligation to the recipient. Specifically, the recipient can't sue you if the product is defective in some manner.

      IANAL either, but I did take a business law course taught by a lawyer. What you said is not quite true (at least not in NY state). When you give somebody something (not for any consideration), then you are not liable for negligence. However, you are liable for gross negligence. Gross negligence is defined as negligence which "shocks the conscience of the court".

      My understanding is that it is very difficult to shock the conscience of the court, especially when you're giving something away for free. I suspect that as long as one doesn't knowingly include genuinely malicious code and keep quiet about it, that a software developer who gives away their code for free will be more than fine.

      I suspect, though this is just a guess, that RedHat could probably take the position, as long as they made it clear to purchasers, that they are providing an installation and aggregation service, they are not actually selling the code that they didn't write. Thus they would be liable for bugs in the packaging or installation but not in the aggregated software. This would be reasonable, IMHO, and probably legally OK, too. Of course, that's just pure speculation on my part.

  • The lemon law applies if you have no recourse but expensive repairs at you own expense to a product which doesn't function as advertised.

    Granted Apache should serve up web pages and FTP should transfer files and php should work on the server to generate HTML pages or whatever else you programmed it for. AS ADVERSITED...

    But, with open source code, you get the source code, you get access to the entire open source community.

    With open source, you get to roll you own on if you want a particular product to something nobody ever thought of making that product do.

    With M$ or anyother canned software company, you'd better be able to convince them that its in their interest ($) to provide it.

    With open source, you get to take out features you don't want in the product.

    With M$ or anyother canned software company, you're fucked . Features NEVER disappear regardless of how stupid, downright bug-riggen, security hole prone or outright nefarious they are.

    GPL'ed software comes with the source. Feeling screwed? You can DO something about it.
    • Actually, I can say that I am advertising exactly what the code is expected to do, in a unambigous language -- The source itself is more than simply a statement of what the software does. It is the software itself.
      I think, that in this case, under a properly written lemon law, the distributer will be liable only if the binary does not match the source, and therefore caused damage.
  • by Tim Ward (514198) on Sunday May 12, 2002 @03:25PM (#3507049) Homepage
    ... their lightplane industry before inventing any new product liability laws.

    It got so that anyone who flew whilst drunk and crashed a plane that he hadn't maintained for years could sue the manufacturer for many millions with a fair chance of winning. And even if the manufacturer won their legal costs would wipe out the profit on many aircraft. So basically the US lightplane industry closed down. (It has since started up again, as a shadow of its former self, following some law changes.)

    OK, that didn't affect all that many people. Closing down the software industry would be a different game altogether.
  • Let's say I write some super-important thing using the ABC and XYZ toolkits. My program fails and bad stuff happens. Do the people suing me have to prove that it was my code, and not in ABC or XYZ, that failed? Do I have to prove that it was not my code? And finally, how the hell could you prove something like that, anyway? [Especially if it was not repeatable - what if it was the OS, or the hardware, or something else entirely?]

    I really don't understand why this is called a lemon law, actually. A car that's a lemon doesn't work, or works for a while and then throws a rod or something. I don't quite see the analouge between that and software.

    In fact, someone mentioned a web server dying at some important moment, and the users of that web server losing a lot of money (ebay or amazon or something). Does this qualify under a lemon law? If I have to get somewhere important, and my car doesn't start, can I actually sue the makers of the car?
  • The difference... (Score:5, Insightful)

    by Anonymous Coward on Sunday May 12, 2002 @03:27PM (#3507067)
    ...is that Microsoft spends a lot on marketing to tell you that their stuff will streamline your business, keep your toilet from clogging, and whiten your teeth while you sleep.

    Meanwhile, their EULA practically says that you're better off playing Russian Roulette with five bullets and only one empty chamber, than to trust their software in a mission/enterprise-critical environment. We can't get access to their source code to check it for bugs ourselves, which would shift liability to us if we could do so, did, and then okayed it for use-- we just have to take them at their word, and hope that the server farm doesn't melt down and bankrupt our company.

    Free software, on the other hand, is just 'out there'-- it's like finding a still-wrapped condom on the street. Sure, you can pick it up and use it, but if bad things happen, well, how is that anyone's fault but your own?

    Liability-eliminating EULAs are an affront to any kind of truth-in-advertising regulations. A software company should definitely be able to be held financially liable for losses caused by failings in its products-- not to a degree that would instantly put them out of business, but a fair amount. Say, equal to their annual marketing/advertising budget?

    Let's look at it with the car company analogy. Suppose Ford's commercials said that the airbags in their cars would save you and your family's lives? Okay, now suppose someone dear to you was killed in a head-on collision while driving a Ford. How would you feel if, when you tried to sue, Ford said, "But wait, your loved one agreed to the EULA by deploying the airbag... let me read you this paragraph from it that says, if the airbag does not work as we said it would, we aren't liable."
    • Remember what got the ball rolling with car manufacturer liability. Ford manufactured a car that roasted its occupants when hit from behind. Ford figured it would be cheaper to pay the victims than it would be to fix the car. When this surfaced, public outcry did the rest.

      Most cases aren't as clear-cut. Continuing on the car industry example, can you hold a vendor liable if you're not wearing seatbelts, and suffer serious injury as a result? Probably not. Can you sue if you are injured in a parking accident by the airbag? Probably not. Now, why were you injured in the first place by said airbag? Because they are inflating with the power required to restrain a person not wearing seatbelts. Anything wrong with this picture? You bet. The consumer has a responsibility of his own, in this case: wearing the seat belt.

      Liability is eventually determined by a judge and a jury, and in corner cases it's just a lottery, which is why car manufacturers err on the side of safety -- theirs, not the safety of the customers who are wearing seat belts.

      The same thing is looming on the horizon when a software lemon law gets introduced. Vendors will still go to great lengths to skirt their responsibility, and even if that works to "improve" the product, chances are the consumer will be hurt in the end.

      For a preview of things to come, look at Microsoft's security fix to Outlook. It is available, so like seat belts, common sense holds that if you don't apply it, you willfully accept the consequences. But unlike seat belts (which are at worst an inconvenience), applying this patch will cripple Outlook beyond being usable.

      You can't win this one. Frankly, I'd settle for a law that demands truth in advertizing w.r.t software products.
  • Many of you are discussing this and saying it doesn't apply to OSS.
    Technically, under thet respect, it doesn't apply to Microsoft either.
    If you buy a uesd car, and in the next couple months have to put a lot of money into it to keep it running (i.e. a prime candidate for the 'lemon law'), you don't sure Ford/GM/whoever for making a crappy car that no longer works, you sue the person who sold it to you. In effect, you sue the distributor for charging you for a crappy product, not the publisher.
    It should be the same with software. Microsoft ships software to retailers and OEMs, windows get sold to consumer, consumer is unhappy, consumer sues retailer/OEM. After this, the OEM will no longer buy windows from Microsoft, so the quality of the product and the strength of the corporation will be indirectly affected, but it shouldn't be directly. If 50 owners of windows sue Microsoft, many will lose as they don't have the resources to beat out a large corporation in a legal battle. If Dell or HP/Compaq stopped selling windows with its PCs because they got a very large bad review from those consumers who bought their PC, it will have a much larger impact on Microsoft and its lines of products.
    In this case also, with OSS, the writers would not be the ones who can be sued, but the corporations (RedHat, Hummingbird, Ximian et. al)
  • Perpetual Beta? (Score:3, Interesting)

    by Digitech (572815) on Sunday May 12, 2002 @03:30PM (#3507084)
    Most open source software seems to be in the perpetual beta state anyway, but if a lemon-law were to pass, maybe the commercial vendors would move toward this as well. Never releasing a "finished" version, just alphas, pre betas, betas, preview editions, release candidates, etc, etc, etc.

    If this were to happen, it might actaully help the public, forcing the commercial vendors into a system where they actaully have to admit that thier product is never finished. Maybe then the public would stop shelling out money every time the latest edition comes out, lining the pockets of Gates and company.
  • That is - what would happen if shrinkwrap limitation of liability clauses would be banned?

    Any company without $40 billion in cash to pay for lawsuits would go out of business. Microsoft would rule the world.

  • The analogy of the automotive lemon refers to a specific instance of a car that has faults. When ever single car of that type has a fault it is a design flaw, and can lead to a recall in the extreme cases. Of course in software, there are only global design flaws.

    But software systems are complex, and they will always have bugs. And the industry is too powerful to permit a law that would not recognize this and regulate it the same way simpler products are regulated.

    All of us who have written software know why we want to disclaim liability, and people who use it know why they accept those disclaimers. It's a hard problem to figure out if there is a middle ground that will satisfy both user and author.
  • Fitness of use for open-source software that is commercially sold is a perfectly reasonable proposition, and it is duplicitous and disingenuous of the "open source community" to oppose it.

    If sensibly implemented, this would put the burden of responsibility on commercial distributors of open source software. If I download an open source product from some coder's website, there's no transaction, there's no contract, and no liability. However, if I pay $100 to RedHat to purchase the same software, that should be treated the same as if I paid Microsoft for the same, and they should bear the burden of responsibility.

    I would even go so far as to say that such a law would be good for open source developers, if not the open source "community" which is full of many leeches. Many of the companies that sell open source software these days are playing the "something for nothing" model; they take open source software that someone else has written, put it in a box, and charge for it, without undertaking development themselves. (See, for example, the controversy over OpenOSX.com.)

    This is, of course, a much better business model than conventional software development... they get all of the money for none of the work. These are the people who would be most hurt by product liability laws... and forcing people who profit from the open source community to be responsible for it as well doesn't seem like such a bad idea to me.

  • This simply is not something we ever have to worry about. I'm sure Microsoft owns enough congresspeople that they could get it laughed off the floor. And they have significant interest in doing so, because they are going to be the first company the sharks go after if something like this becomes law.

    Microsoft is our friend here. :)
  • by nniillss (577580) on Sunday May 12, 2002 @03:56PM (#3507162)
    Why couldn't one limit the maximum liability to, say, 10 times the license / distribution price? So a typical private MS customer might claim some thousand dollars while a company or school (with a single contract covering thousands of machines) could start multi-million dollar lawsuits. Obviously, the risk for authors of free software is then still zero. For linux distributors, the liability might be limited to the non-free software parts (like yast in SuSE) and to the editing process (identification of alpha/beta/production grade software). In any case, big money will only be at stake for companies which make big money.
  • Ultimately, however, the burden of proof will be where this law fails. Say Windows crashes. Who is at fault? What program were you using when it crashed? Was it Microsoft Certified? What hardware do you have in your system? One slightly faulty RAM chip can cause lots of crashes. Is that Microsoft's fault? Oftentimes Linux will be able to handle the fault better than Microsoft. Does that make Windows a Lemon?
    What about drivers, programs with Ring0 access? Giving a program access to the hardware is an inherent liability because it can cause a crash. Then you get into the interactions of various drivers..I've had cases with DriverA running HardwareA and DriverB running HardwareB. There was a crash, and removing HardwareB solved the problem, but so did simply upgrading DriverA. Who's at fault?

    Windows, by itself, is actually quite stable. If these laws come about, what would end up happening is that Microsoft would always shove off the blame for a "lemon" on a third party, and they'd have the money and lawyers to do it.
  • Haven't you ever seen the phrase, "In no case shall [provider]'s liability be construed to extend further than the price paid for the product." If I buy RedHat from LinuxCentral.com for $10, I don't think I can reasonably expect to sue them for a million dollars. Can't they explicitly state that I can't?

  • I'm usually on the "left" of most arguments, but software is one area where the "market" should be allowed to make these decisions. If someone doesn't like a piece of software, go use something else! If anything, bad commercial software being allowed to exist only pushes FS/OSS software usage way up anyhow. :)

    The only instance I'd be ok with this is in embedded systems for medical devices, etc, where if stuff doesn't work... people DIE. So in this case, the problems of intervention are definitely outweighed by the possible weight of what could happen if the gov't doesn't stand in. As it is, most embedded systems like this do have a good reputation (if they didn't, they'd cease to exist), but when actual lives are at stake, it's a different issue, so the added weight of punishment for negligence, etc, is acceptable.
  • How can you be sued for providing information to someone?

    If this does come to pass, it'll mark the last time I distribute a binary, that's for damn sure.

  • Limiting Liability (Score:3, Informative)

    by fidget42 (538823) on Sunday May 12, 2002 @04:12PM (#3507211)
    The company for which I work develops custom software. IANAL, but one of the ways we limit liability is through collecting and documenting requirements for the software, and testing that those requirements were met. We also follow a strict software development process, which supports out ability to develop a quality product. By developing this documentation, we are able to pass liability off to our customers. I.e., They have agreed that our software meets their requirements and our tests are sufficient to prove that it does. Now, if we knew our software didn't meet the specification, that is different (usually called FRAUD).

    I would think that something like this would work for the larger Open Source projects. If they could have the requirements of the project documented (i.e., what it is suppose to do) and have tests written to verify this, then they may have a out. The problem is M$ case is that they know of the problem, or their quality process is not sufficient, and do nothing about it.
  • This was one of the complaints that people had about UCITA. It made software distributed over the net more liable while traditional software companies were not held liable because the shrink wrap license nullified all responsability.

    I think any liability laws would unfairly punish smaller companies.

    Some people are in favour of Lemon Laws specifically because they dislike Microsoft and think that Microsoft software is insecure. This is stupid and shortsighted.

    Deal with Microsoft's monopoly abuses seperately. Monopolies come and go but bad legislation is forever.

    Create laws that arm consumers with security information. Perhaps a grading scheme where software that doesn't connect to the internet is given a A rating. If it is a client then it gets a B rating. If it is a server it starts at C then for every three exploits within the last year the rating increments by one.

    After you have informed the consumer you can let the market decide. If they still use software with a G rating then that's their own problem.

    • Create laws that arm consumers with security information. Perhaps a grading scheme where software that doesn't connect to the internet is given a A rating. If it is a client then it gets a B rating. If it is a server it starts at C then for every three exploits within the last year the rating increments by one.

      I think this sounds pretty nice, but it has problems. For instance, clients are not necessarily more secure than servers, a well-written anonymous ftp server could theoretically be infinitely more secure than a poorly-written web browser which downloads and executes code without express permission.

      Also, most linux distributions would minimally start at a "C" rating under this scheme, while windows 98 would begin at "B" (without enabling "file/printer sharing"). Which do you consider to be more secure on the average? Do the ratings reflect that?

      These problems are indicative of a greater flaw in this scheme, software doesn't have to rigidly conform to _any_ model, be it client/server, P2P, etc. Laws take a long time to be changed, software can be changed in weeks (witness Microsoft's court history.. pretty soon they might be stopped from producing Windows 95 ;) - if we draft laws or even form committees which define certain software paradigms as insecure, software will simply change paradigms to achieve a higher rating until the ratings-board is able to change criteria to match.

      Alternatively, we could have panels of elected security-analysts pore-over every piece of software that is voluntarily-submitted for a rating (in source form), at a cost to the software producer (based on some criterion I don't know), and they could arbitrarily grant ratings based on their findings.

      I don't know that this is the best solution, but it sounds more practical, it's similar to other analogous (movie ratings, supreme court, etc.) systems for ideal-compliance which are already in place and doing a reasonable (not perfect) job.

      Thoughts?

  • Many people claim these laws would force MS to fix their bugs/security holes...but don't they already? The problem I see is that no one patches. Look at Code Red. The patches for it were out a long time before it hit. If everyone patched it would have been a big non-event.

    I say companies should fire incompetent people that don't maintain systems. That last thing we want is regulation in the software industry.
  • by Anonymous Coward
    If the software behaves as promised, no liability laws can affect you. Therefore, it only makes sense to specifically promise that the behavior of the program is documented by the accompanying source code. Since source code is the ULTIMATE documentation, there can be no false representation. For free software, this is not an issue because it's distributed with the code.

    Ask Microsoft to ship full source code with their products for a full disclosure of what it actually does. Since they're not willing, you have to take their word for it, which is hardly comforting.
  • All MS has to do is ask these questions:

    1) Is all of your hardware HQL approved?

    2) Are you running only Microsoft products (if you have a single custom ASP page running on your server answer no)?

    3) Are you running the current versions of all software and protocols used?

    4) Do you have all current updates and service patches applied?

    5) Was/Is your installation completed and maintained by someone who is MSCE for every aspect, component, and method of use for the MS software and protocols you are using?

    If you have answered no to any of these questions, you are TSOL.
  • Such a law would be good in the context of a reformed liability law. Right now if someone is .001% liable they can still pay 100% of the damages. This applies if they didn't know or intend the outcome.

    Open Source software can be much like a public park. There should be an exemption for free, public *anything* that doesn't involve criminal negligence. If you don't pay admission, it would be up to you to make sure you don't do anything stupid on the play equipment.

    At that point, Red Hat, SUSE, etc. can assume as much or as little liability as they want as they add a paid layer on top of the commons.

    Further, Source is stuck somewhere being a device (like a toaster) or a book. If you don't like the ending of a book, or how the cake turns out, the book is in no way defective. If you can't follow instructions, or even if you simply won't, or the instructions are wrong or dangerous, you normally can't sue the author. You can sue if the toaster is defective and is actually an ignition source when used as directed.

    An EULA in the usual form Microsoft uses basically declares it to be a device. If I can't read it or analyze it or quote it, but only use it, it is a device and not a book. Also it says you don't even own it (even the single copy as under copyright).

    GPL on the other hand says lets discuss, improve, analyze the work, and by the way, you can run it and maybe use it to do something useful (like a recipe in a cookbook). It might be used as a device, but it is still a "book". And I think you could tweak the GPL if necessary to make it legally fall into the same liability category as a book.

    Between tort reform, and resolving the device / artistic work dichotomy, I think GPLed software would thrive.

    But we do not have wise leaders, and Microsoft sends more money to prevent clear thought on the part of our legislators.
  • At least for Free Open Source Software.

    It doesn't include "It's free, use it on your own risk, it's not final version"

    In general it excludes licenses like commercial, GPL, FreeBSD, etc. as they are now, but it can't exclude open wide beta testing, prerelease promotion. So, with adding to GPL restrictions clause like that, that would define software as such, would be possible to avoid lemon law restrictions.

    Software in development never matures to it's final stage. Yes, I know people like 1.0, 2.0 etc. But where is the final stage? Simply defining always "Development in progress, but this is what it's done so far", would avoid that kind of law. On the other hand people have no signed contract or receipt to show that as evidence at the court.

    I know that in case such law would be passed, I would just make a clause on my web page. "ENTER" if you.... "LEAVE" if you.... Works for XXX pages.

    Putting on web page something likethat is easy. Here is an example
    "Enter if you're interested in this software, but by entering you agree that this software hasn't matured to it's final stage (at least out of legal points, which don't allow free software to be passed on in different way, then being treated as work in progress), you also agree that software has provided you with license which defines how this software should be treated regarding distribution, usage etc. just the same as this software would reach it's final stage.
    Considering legal points passed by "lemon law", this clause and describing maturity state of this software, it's unfortunate necessity for this software being able to be passed on freely."

    Of course, I'm from Europe and I'm not concerned with stupidity like that. :-)

    Hope somebody is not offended with my bad English...
  • IANAL, so I'm not going to comment on whether what this article claims is going to happen or not, but at least one free software project has closed down because of concerns about liability: Broadcast 2000. The page describing the situation is here. [heroinewarrior.com]

    Now I don't know if his fears are well founded or not, but I'm sure he had some reason for taking the action of yanking the previously available source. Perhaps an anti-lemon law with an explicit "software made available for no cost is exempted" would be better, although even then I'm not so sure it's a good idea. Should Red Hat be held responsible if one of the beta products in the distribution is buggy (say, the situation with Mozilla a year ago)? Besides, what level of bugginess is okay? Is 99% uptime sufficient? 99.999%? 100%, every crash results in a lawsuit? I just don't know about this...

  • by Animats (122034) on Sunday May 12, 2002 @09:49PM (#3508212) Homepage
    I've written on this previously. [downside.com]

    First, warranties only are meaningful in the context of a commercial transaction. There's no reason to expect a warranty on a free good. So this is not a problem for free software.

    Second, warranties aren't that expensive to manufacturers. Under 5% of the cost of a car is in the warranty. More to the point, in the gambling industry, where full financial responsibilty for errors and downtime is the norm, GTech, which runs lottery systems, pays out about 0.3% of revenue in penalties.

    Compensatory damages and blame management are real issues. But this comes up in other areas, and the suppliers work it out between themselves, as in the Ford vs. Firestone tire failure issue. In computing, we should expect full warranties on the OS from manufacturers who preload an OS. Let Dell and Microsoft argue between themselves who's responsible.

    Finally, manufacturers who don't offer a full warranty should have to put a giant "AS-IS" on the box, like those signs that appear on used cars.

  • by Lambdaknight (180569) on Monday May 13, 2002 @04:07AM (#3509082) Homepage

    Something that really bugs me is the comment that this lemon law could kill "OpenSource and Free Software" alltogether. In the case you guys from the US haven't noticed: There are other countries with other laws.

    Of course here in Germany a vendor or producer is liable for what he sells, too. But this liability has limitations! In Germany you CANNOT sue McDonald's because you failed to notice that coffee may be hot and McDonald's hasn't provided you with that information! You CANNOT sue a toy company for selling Superman capes without providing a warning that those capes won't give you the ability to fly! And even if you can sue a company for liability (i.e. because they failed to give notice about poisons or side-effects in their products), you won't be rich!

    German jurisdiction mostly follows the customs and the common sense. That means: if you pay 1000 Euro for product A it is NOT regarded in the same way as product B which you got for free.

    Besides: do you really think that OpenSource and Free Software are dead the same moment the US leaves the building?

  • lemon law (Score:3, Insightful)

    by jrennie (79374) on Monday May 13, 2002 @08:55AM (#3509727) Homepage
    The author makes a very poor argument. Consumers have a reasonable expectation of performance from (e.g.) MS Windows because they pay for it. You can't make the same argument for software that you get for free.

    This bill cannot kill open source *development*. It may, however, make the selling of open source software much more difficult. If this bill passes, companies like RedHat would now be liable for bugs in Linux. Of course, RedHat can (and does) take a snapshot of Linux and make lots of modifications and tweaks before making a release, but there's no way they're going to catch all of the bugs. They're best bet would be to get heavily involved in the system of releases of open source software. This will be very tricky, though, as developers will not be happy to see a company have such control...

    Jason

GREAT MOMENTS IN HISTORY (#7): April 2, 1751 Issac Newton becomes discouraged when he falls up a flight of stairs.

Working...