actually darky he is a nice guy and at the same time a lawyer too ...
hmm ... strange ...

.

sometimes there are quite a number of common "horror" stories in softwares/programming books about ui design , software testing/quality/safety/management , old-tales from hospitals , workshops and even on mars(or moon??cant remember) , lucky not on me and my family ...

cant find them on the net but heres some more little news complimenting the first post ::

Can Software Kill You?

A History of the Introduction and Shut Down of Therac-25

actually hard to say , i havent read them all , sooooooooo many of them , hard to digest , or maybe better me go joining the luddites ...



or is it ??

.

No, the GPL/GNU flat out states that it is an open source and comes with no promise to work. It should work yes, but if you chose to run that kind of software, as most of us here do, then you have made said choice to do just that. You know and if you did not know, as far as I know ignorance is still no excuse in the eyes of the law. So you chose to NOT read what the GPL/GNU is all about, then that is like choosing to not read your prescription and taking the wrong amount. you made that choice and paid the price.

One of the biggest problems with writing solid software is not having control of the underlying hardware. If that's not implemented perfectly as well, even the best written software will have problems.

QUOTE :: by Lleb_KCir
"No, the GPL/GNU flat out states that it is an open source and comes with no promise to work. It should work yes, but if you chose to run that kind of software, as most of us here do, then you have made said choice to do just that. You know and if you did not know, as far as I know ignorance is still no excuse in the eyes of the law. So you chose to NOT read what the GPL/GNU is all about, then that is like choosing to not read your prescription and taking the wrong amount. you made that choice and paid the price."

if all softwares , free or commercial states that they are "no promise to work" or it similar "disclaimer"(not sure about the exact termilogy) , what should we do ??
softwares do have the potential of having "software errors" that could kill , not exactly like mechanical or electronical engineering , these fields i guess are rather mature or replicable , if "faults" that kill are found , most of the times they would be rather obvious as who should bear the responsibilty , "no way to run and escape" , in fact softwares always wanted to mimic the production methods of these fields but somehow just couldnt achieved that , too soft and too human ... not that those software developers are to be blamed but those people who are affected by it(the software itself) they do have a reason if it really kills unintentonally ...


but still hard to say ...

Our discussion seems to boil down to negligence. To me, skiping a disclaimer to use OSS in airplanes without extensive testing is negligent. Failing to take it into account, either by Boeing's CEO or grandma, is irresponsible. Unless it was intentional (which is very tricky to determine), the blame applies only to the person who used it who's risking everyone's lives and Alan Cox.

The bug may be found anywhere, but it isn't the developer's fault if he didn't intend his software to be used in high risk environments. When I said "amateur", I meant that developing is fun. If the programmer didn't have the chance to test his software in high risks conditions, he can't be blamed for anything.

This is is exactly what I'm trying to say. If the developer is never directly in charge of the intended use of his code, he can't be blamed.

Even this is hard to establish...

He could have his software in permanent beta stage. His compiler could be better than anything in existence but if he stills chooses to have it in beta, no court in a democratic society could blame him for this.

The same applies to grandma or failing to read a disclaimer (which is worse).

It's more than likely that he would be blamed for not writing fool-proof software. Unless it was intentional (the quintaessence of our entire discussion) then he's innocent.

This is because law isn't really driven by gut feelings. It is necessarily biased and arbitrary. You go to the court to divert responsibilities and defend your own interests. It's not about justice.

There's another thing that makes it impossible to enforce: the internet. Programmers may be overseas. They don't even need to attach their names.

I'd like to add this:
Either you need a license to sell lemonade or you're contributing it to a college's party (for example). If someone is poisoned by the lemonade, you're investigated to determine if it was intentional. Negligence in this case applies too and no disclaimer could save you from that. But this is very different from open source. Everyone may write source code (good or bad). Banking software may be the best to illustrate this. Neither the innocent customer nor the programmer (an open source developer) intended to transfer 10 times the amount specified. Any short but clear disclaimer stating that the software wasn't tested in every banking environment and says in caps "IT MAY FAIL" is good as we can safely assume that the customer was aware of the risks. The best he can do is to notify the programmer or post to bugtraq (if he got the balls to do so). If the programmer didn't do nothing about it (provided that he's still maintaining the software), then he may be flamed for this or punished, I don't know.

Alright, now that I don't (as much) to prepare for class about, I can spend some time to reply, and there's quite a bit to get to.

Charred:
I'm glad you were amused. When talking law, you need some kind of amusement or you're going to go nuts... in a hurry. That or you drink heavily.

phil.d.g:
You mgiht be surprised at what my legal knowledge amounts to. The gap probably isn't as big as you perceive. And law school does drill into a succinct method of illustrating points. I look over my posts, and they're decent, but there's a lot of room for improvement.

alred:
Thank you for the compliment! Though, I will have to correct you about the lawyer bit. I'm still just in law school. But don't worry, there's plenty of time for school to suck out the rest of my humanity


I'll continue the liability discussion in a separate reply...

And drinking alcohol is against my religion, so what choice do I have? Go nuts, of course!

Reminds me of the old song:
"But I'd rather have a bottle in front of me
Than have to have a frontal lobotomy.
Just different ways
To kill the pain the same..."

primo:
I've had an epiphany. The epiphany is: I am dense. We are much closer to agreement in many respects than I previously thought. I can't speak for you of course, but you might think the same after a make a few clarifications.

First, the weight of my helmet sometimes interferes with the ol' thought process. You stated, rather clearly I might add, that the law should hold developers of negligently written software liable. That is the only argument I've been putting forward, and I glossed over your comment because I thought your rebuttals were counterarguments to the negligence arguments. That caused me to reiterate some informal definitions I was using, hoping that I might clear up what I was defining negligence as.

So, just to be thorough, here's a more formal definition of negligence. Negligence occurs in law when a person has (1) a duty to another; (2) breaches that duty; (3) the breach is causative of (4) damages to the other person. The term negligence is also thrown around when discussing the duty-breach combination. For instance, I can be negligent by driving my car at twice the posted speed limit. However, I am not liable to anyone for my negligence unless the negligent act causes damages to someone else. (Anybody reading this, please don't substitute negligence for illegality. Speeding is illegal whether damages are caused or not. We're talking multiple, distinct charges for the same act. So if I was speeding and hit someone, then not only was I negligent, but I've violated several other laws. Each violation can lead to a distinct, separate charge.)

The duty present is for developers to provide functional code when it's provided to the public. That can be a point of difference between us, because the argument about the disclaimer addresses the existence of the duty. Specifically, the disclaimer is trying to say, "Yes, normally there is a duty, but this section of the license nullifies and/or revokes that duty."

The breach of duty is the reasonable person standard: what actions did the developers take in an effort to provide stable code, and what does the law recognize as reasonable procedures to meet the goal of stable code. If the developers do not meet or exceed that standard, then they are in breach of their duty. This is where I've been making my arguments and observations from.

The causation and damages elements are pretty straightforward. Damages must be suffered (physical, monetary, whatever) and the breach of duty must be the cause of the damages suffered.

That ends everyone's crash course in tort law negligence

There are no other civil actions available to people (that I'm aware of) regarding the malfunction of software. Negligence is sort of a catch-all when some wrong is committed where the legislature has not enacted a specific law to address. There may be laws on the books now regarding software, but I am not familiar with them. We can speculate about it all day long, but I won't be able to provide any accurate insight.

So, if we both agree that negligently designed software should be held liable, then there's no more debate That's all I've been advocating.

Second, we've stumbled upon another grey area apart from the reasonable person standard for breach. And that area is scope of purpose. We both touched on it with you making mention of the software being used in situations the developer could not anticipate, and I made mention of it with the reactor business. So the problem is defining what is beyond the scope of a given piece of software? I would say, to a large extent, that is for the developer to claim. Again, if I put my software out for public use and claim it's intent is to convert Kelvin to Fahrenheit, it's pretty clear that it's inappropriate to plug my software into a system that wants a conversion between Kelvin and Celsius. An analogy would be trying to attach a compact car's tire to the landing gear of an aircraft. The court would dismiss a liability claim against the maker of the car tire in record time. And it would probably also shut down the court for the next day and a half while the judge cries from laughter. So, where does the line get drawn? With the airplane there are clearly ranges of tolerance being exceeded. But what if the car's tire were used on a truck? or a motorcycle? Is it reasonable for the car's tire to make the "outside of intended scope" argument in that case?

The same thing applies to software. If I put out my software and say it's for converting temperatures, then I really can't say "outside of scope" if it's used for the stated purpose in a refrigerator, a radiator, or a nuclear power plant. In the end, it's the guys in the black robes that say what the developer could (or should) reasonably believe the scope of the software's use would be.

The software cannot be in permanent beta because of the rationale behind skirting liability. If the developer does not have time to fix the bugs, then the software should be removed from download. There are two issues here: (1) the developer is actively making the source available to the public and (2) is making no effort to fix or correct bugs. If both of those issues are combined, it's not a stretch to infer that this person is intentionally, knowingly distributing a faulty product to the public. If it's truly beta, then the developer would be able to show active efforts to correct bugs (feature additions would not likely count as bug fixes). Or, the developer would restrict access to the software to the development/testing team. An example might be setting up a password protected CVS server. Keep in mind, the developer isn't restricting access if he sets up a CVS server and then tells the password and server IP to anyone that asks. That's not removing it from public consumption; that's trying to clothe public distribution in the guise of restricted access.

What your argument touches on here is a concept called contributory negligence. Specifically, that the share of blame does not lie solely on the developer - the user also bears some of the blame. And it may be that the argument holds some weight because a jury would be the one to determine whether contributory negligence existed. However, it is exceedingly rare these days for a claim of contributory negligence to put all the blame on grandma. That was the case years ago. If a defendant could show the plaintiff was even the least bit negligence on their own, the plaintiff was denied any recovery - even if the ratio of responsibility was 1% plaintiff and 99% defendant. These days, the courts have moved to something called comparative liability. In the previous example, if the plaintiff suffered $1,000 in damages, the plaintiff would have to swallow 1% of it (because of their own contribution to the problem) and the defendant would have to cough up 99%. So, in general, this approach limits damages but does not remove liability. However, the defendant (the developer in this case) needs to prove negligence on grandma's part. The crux of that argument is the disclaimer, and if the court doesn't recognize the disclaimer, the contributory negligence vanishes.

You might be surprised.It's unfortunate that the public's opinion of the legal system is formed by media reports because regardless of what the media says, they are interested in selling newspapers and/or ads. Examining the headlines gives an idea of what I'm getting at. "Politician X slams politician B over his remaks." "Bird flu pandemic 'very high'" Pandemic? Ummm... I've only read of one reported case so far. That hardly counts as "widespread." Many headlines are exagerrated attention-getters, and facts are conveniently left out to make stories seem more sensational than they are. The typical explanation for the omission of facts is the claim that the story needs to be brief, and something needs to go.

Remember the McDonald's coffee lawsuit? The media never reported that McDonald's maintained its coffee at significantly higher temperatures than other restaurants, and did so in spite of a 10 year history of severe burn claims against them because of the coffee. The media also neglected to identify that the coffee caused severe burns when it spilled into the woman's lap. Think about the sensitive nature of that area. Also think about how burn scars in that area might affect a person's romantic relationships and their psychology. All the media was interested in reporting was that this woman sued McDonald's because her coffee was "too hot" and won $2.8 million. The media made no mention that the judge limited the damages to $640,000 after the verdict (which they are capable of doing), and that the woman and McDonald's later settled for an undisclosed amount. All of that seems pretty important to get an accurate picture of how the legal system worked in this particular case. What the media reported can easily be interpreted as a system exploited by money-grubbing opportunists that sue at the drop of a hat. That's just not the case. And there's even a growing sentiment in some jurisdictions to sanction attorneys and clients that bring frivolous lawsuits.

All of that just to say that the public's perspective of the legal system may not be accurate.

You're right. The arm of the US judicial system only extends to the edge of the US borders. Any of those developers within those borders are liable. For civil claims (like negligence) there's probably very little grandma can do if the responsible party is not in the US.

Lleb_KCir:
Let's step back for a second and forget all about software, grandma, lemonade, etc., and focus on this disclaimer business. In general, should society allow someone to excuse themself from liability to another. The answer to that question is "yes" as long as the other person is knowledgeable and agrees. If that person says, "Ok, you and I are going to do X, and I understand the risks. So what you're asking for makes sense. Yes, I'll release you from liability." And just like that, liability disappears. The requirement is that the other person must voluntarily agree to that release. Now we need to discuss what methods of agreement are possible. The law recognizes verbal agreements (witnesses are usually required though), but the most preferred method would be in writing with signatures. Well, with the advent of computers, people are trying to fashion a new way of establishing these agreements. It's just not practical to exchange signatures, right? So there are some folks that put forward the idea of "click acceptance." That by clicking this button or that link, the person is expressly agreeing - the click is substituting for a signature. There are some concepts in contract law that support that approach, but there are also others that oppose it. I don't know if there's any landmark decsion on the subject yet. For the purposes of this illustration, let's say it is binding; that a click on a button or a link can substitute for a signature.

Ok, so it looks like I've painted myself into a corner. The developers just need to insert a web page that shows the disclaimer and gives the user a button to click on that indicates acceptance and understanding of the risks outlined in the disclaimer. By clicking, the user has given their signature, and the developer is free from liability. The developers of the world all decide to put an "I'm not liable" statement with their software in sufficiently confusing, archaic legal terminology, and declare victory.

Except (and this is sort of what alred was alluding to)...

If that worked, why aren't other industries doing it? I mean, if this is the silver bullet to all liability worries, why hasn't the auto industry picked up on this? Why isn't every customer required to sign a disclaimer excusing the auto maker of liability before they can buy the car? There isn't even this business of a click substituting for a signature. The auto maker can get a hard copy of the real thing - an authentic signature.

It doesn't work because the courts don't recognize these disclaimers when the product is distributed to the public at large. And that's exactly what the software developers are doing. Anybody in the world can download the software. You can't get much more public than that.

Agreements between a limited number of parties - enforceable. When distributing to the public at large - not likely.

Brian Knoblauch:
You're absolutely right. What good is a liability party for software if we can't invite some hardware guys too!
Yeah, hardware comes into it, and hardware can be designed and/or built negligently. The hardware is just another layer of fault location. You can determine the point of failure by using methods similar to detecting whether the compiler created a faithful machine code representation of the source, or the OS honored the software's system requests as documented. Getting to the hardware is just one layer deeper.

Mmm, yes, but to me this is impossible to determine with open source as it is. Negligence has a more broad definition than intentionality. If the programmer used a insecure function that makes the software vulnerable, I don't think he/she should be tried at court. I was stressing the relevance of a disclaimer which is (to some people) implicit and for this reason overlooked and understimated.


The disclaimer states that the software may well not work. Is it possible to bind programmers to provide robust code all the time? The good-faith nature of open source makes it a special case because programmers risk their reputation. There is a very natural mechanism of selection at work. Messing with it it's likely to pop up mechanisms that counter the new threat so it continues to grow.

This standard exists, really. But it's not enforced at the court's level. Rather than thinking of software as a polished and finished product, one may think of it as the base that everyone's using. If someone finds a bug, he may:
1- notify the developers
2- write a patch for it
So everyone benefits from this model. If you're benefiting and suddenly you suffer an unintended consequence of a bug in this code, it's unfair to sue Alan Cox for this.


My point is that adequate disclaimers may protect programmers in this case.

I was pointing at the fact that a programmer, if he/she could be held accountable, wouldn't like the fact that his compiler would be used in a high-risk mission, or even in a reactor... who knows? Alan Cox is an old hippie

You're talking about policying the development process. Is it a right thing to do? I don't think so. And it is impossible to enforce. Programmers aren't forced to be online each day and be informed of everything. There are many outdated pages on the web. It's just impossible. Most developers risk their career is they don't patch source code.


If the disclaimer is some day ruled as relevant, everyone would be compelled to read them.

There's these previous posts of yours (where I agree with you) related to the role that society has assigned to the courts:

What I dislike about the legal system (and let me say that I didn't want to be rude before) is precisely these sudden changes in perception. This proves that 2+2 may sometimes be 4 or some other pseudo-random value. We agree that society must be protected, but isn't it at work by the natural mechanisms that currently exist? Most people just don't update their software... and let's not talk about Microsoft and their abusive policy to stop supporting software. My view is that open source is model where developers design and fix all for fun, and without paranoia. The reason for its success is that everyone may add on it, fix things, etc. It's an open environment where the developers expect the same thing they're offering.

Forgot... I have a feeling the auto maker disclaimer example I used will garner a, "but the auto maker is a for-profit entity" response.

Here's a free equivalent.

Let's say there's some auto mechanic gets an inheritance from a well-off relative. The money is enough that the mechanic never has to work another day in his life, and the will also stipulated that he inherit a large number of abandoned scrap yards. Being of the charitable type and loving to build cars, the mechanic sets out to provide the public with transportation by building cars from these spare parts and giving them to anyone that comes and asks for one. Whenever someone comes to pick up a car, he gets them to sign a disclaimer saying he's not liable for any injury or damage caused by use of the car. Should the law recognize this disclaimer?

Heh.... I doubt it. More likely than not, the tiremaker would be forced to pay a massive award to the plaintiff for failing to explicitly and prominently warn that its tires were not suitable for use in aviation, the aircraft manufacturer would similarly be found negligent for failing to design a wheel rim in such a way to prevent accidentally installing a car tire on the plane, and the airline that was operating the plane would be found liable for hiring incompetent mechanics. This obviously isn't the way things should be, but unfortunately, in the US, anyone can sue anyone else for any reason, real or imagined, and when you consider certain cases, it seems that simple common sense wasn't even a consideration in determining the outcome.

Yes, the key issue here is about disclaimers (which are thought to protect open source developers from liability: the thing that motivated the 1st post after all).

There are many things that can be done. The programmer would do his best to ensure by every possible way that the user is aware of the dangers. Digital signatures may turn out to be a nice and the better way some day.

If you agree with the click idea, why do you think programmers should be liable?

Developers should be aware of this disclaimer idea too. They're loose on this. For this reason I think that the user should be educated on open source in general.

You can't blindly download a banking program and just use it without browsing documentation. Sadly, this is the case. There's people that don't know about troyan horses. It isn't the developer's fault if the user didn't take the time to read the disclaimer (although sometimes it is obscured purposedly so you stop reading and you go on to agree to anything in it).

There's no point with real world examples that don't fit exactly when you compare them. Computing is a wide subject in itself.