I certainly am of the opinion that this is neither the time nor the place for any involved discussion of the ins-and-outs of California law. Nonetheless, the drafters of the University of Calfornia Regents\’ license (original BSD license) almost certainly had California law in mind. Thus —if I may interject— privity of contract is immaterial to a tort complaint that bodily injury was proximately caused by a negligently designed product.

Caveat: These general remarks are not intended to be applicable to any specific circumstances. You should obtain legal advice from professionals duly licensed in the jurisdictions to which you may be subject.

@Clayton

With respect to the University of California Regents\’ license, may I be assured that you have not recommended to the House of Lords\’ committee that they should alter or abolish the present status of the State of California in Her Britannic Majesty\’s English courts? In other words, some software “aggregators” will still escape liability.

But that leads me to questions about your designs on technology licensed by institutes within the Commonwealth of Massachusetts, at Cambridge, near Boston, and elsewhere.

Despite the present interest in comity amongst Her Britannic Majesty\’s English courts and the courts of the United States, certain unique features of law and constitution seem to make it rather doubtful that US courts would enforce foreign judgments against US persons, or against assets found within the US, for publication of non-libelous expressive materials.

The software economy is a truly global one. Trade disputes over software liability could cause severe upset.

Hence there would need to be a claim of negligence, requiring a much higher degree of proof.

I would note re “j”’s point @13 that the DNS flaw is not in the DNS protocol - it is in most DNS implementations (i.e. everything I’ve heard about except djbdns) - that is that the source port for the DNS response is predictable, hence a fraudulent UDP packet is trivially constructed, The IEEE 802.11 committee would be similarly insulated as, I would expect, competent WEP implementers (that they implemented, correctly, a flawed but better than anything else we had at the time, protocol is unlikely to be actionable in the UK, at least. After SCO vs everyone, I refuse to speculate on the inanities of the US civil justice system).

I agree that this is not the right place nor the right time to argue for or against software liability, but given that you were a specialist adviser of the report, I would hope and enjoy your public clarifications to what you are promoting.

I am unfamiliar with the legal details, but I am curious if such warranties can be nullified in cases (read: open source software distributed from *any* particular country) where there is no clear evidence of any kind of contract being made between the author and/or distributer and the *potential* user (i.e. not a consumer) of the software.

How about design of software? Should IETF be held responsible for the recent flaws in the DNS protocol itself? IEEE for WEP?

All in all: advocating liability for one’s negligence for issues unknown at the moment of writing software feels like a disastrous route for the whole software development, even more so when the advocates seem to downplay public debate (yet urging the government to take the recommendation forward).

The bottom line is that warranties such as the one above can be made void by statute — and that is what has been done in almost every other area (certaiinly when individual consumers are involved).

Arguing that software is uniquely special has little intellectual merit when you consider the complexity of modern civil engineering projects or transport systems. Arguing that the industry cannot run on exactly the same lines as now is self-evident and illuminates little …

…but as I keep trying to indicate, this wasn’t a detailed post setting out all of these arguments — it was drawing attention to the latest Lords Science & Technolgy Committee Inquiry report; which considered tentative steps in this area as only one small part of the issue — and not one that can be expected to bring about change in anything other than the long term.

I am still curious about liability of individual open source developers. If I am the sole distributor of software developed by me alone, will I face, say, civil prosecution in case of fatal security issues in the software distributed directly by me?

Does this also mean that the clear-text legalities in all major open source licenses are to be interfered? A quote from the BSD-style license:

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.

Good luck reversing something that is so clearly expressed by the copyright holder.

Your considered reply is appreciated.

With your powerful gift for colorful analogy, I’m confident that you’ll command very admirable fees as a litigation consultant and expert witness. I venture to expect that you’ll earn a quite respectable fortune.

Incidentally, I have received advice that, under the common law, unilateral license or leave shall be revoked upon actual notice. Please cease and desist forthwith any and all public display of posts deemed objectionable.

Regards,

In practice, a fair amount of free software reaches the public via aggregators such as RedHat or via organisations such as the Apache Foundation. They would be the ones who would test the software, assure themselves of its quality and then stand behind it in the marketplace.

oh… and do try and be reasonably polite, or your comments will just disappear and your point of view will be unseen.

There is no Mr Clayton.

But you have to look off this blog for the record-breaker.
http://news.bbc.co.uk/1/hi/england/cambridgeshire/7510565.stm

With apologies to both our host, and to Mr Schneier, these vendor liability schemes look designed to drive free software underground.

I can kinda understand the desire to knock out Theo DeRaadt and OpenBSD. But what on earth do these people have against the FreeBSD project?

And why is Mr Clayton proposing to kill off the Mozilla project?

No matter how theoretically attractive it might seem, vendor liability isn’t going to improve security in the real world. It’ll just further cement Microsoft’s dominance. And I find it hard to believe that Mr Clayton and Mr Schneier don’t know that.