In a message written on Tue, Jan 28, 2003 at 10:23:09AM -0500, Eric Germann wrote:
Not to sound too pro-MS, but if they are going to sue, they should be able to sue ALL software makers. And what does that do to open source? Apache, MySQL, OpenSSH, etc. have all had their problems. Should we sue the nail gun
IANAL, but I think this is all fairly well worked out, from a legal sense. Big companies are held to a higher standard. Sadly it's often because lawyers pursue the dollars, but it's also because they have the resources to test, and they have a larger public responsibility to do that work.

That is, I think there is a big difference between a company the size of Microsoft saying "we've known about this problem for 6 months but didn't consider it serious so we didn't do anything about it", and an open source developer saying "I've known about it for 6 months, but it's a hard problem to solve, I work on this in my spare time, and my users know that."

Just like I expect a Ford to pass federal government safety tests, to have been put through a battery of product tests by Ford, etc., and be generally reliable and safe; but when I go to my local custom shop and have them build me a low-volume or one-off street rod or chopper, I cannot reasonably expect the same.

The responsibility is the sum total of the number of product units out in the market, the risk to the end consumer, the company's ability to foresee the risk, and the steps the company was able to reasonably take to mitigate the risk.

So, if someone can make a class action lawsuit against OpenSSH, go right ahead. In all likelihood though there isn't enough money in it to get the lawyers interested, and even if there was it would be hard to prove that "a couple of guys" should have exhaustively tested the product like a big company should have done.

It was once said, "there is risk in hiring someone to do risk analysis."
use for anything other than nailing stuff together. Likewise, MS told people six months ago to fix the hole. "Lack of planning on your part does
It is for this very reason I suspect no one could collect on this specific problem. Microsoft, from all I can tell, acted responsibly in this case.

Sean asked for general ways to solve this type of problem. I gave what I thought was the best solution in general. It doesn't apply very directly to the specific events of the last few days.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org