--On October 20, 2005 9:32:44 PM +0100 Freminlins <freminlins@gmail.com> wrote:
Owen DeLong wrote:
If companies that made vulnerable OSs were held liable for the damage caused by those vulnerabilities, you would rapidly see $$ make a BIG difference in the security quality of OS Software.
How would that work for free/open source OSs/software? Who exactly would be held liable? The contributors? Free OSs are just as capable of sending out malware/virus infected emails, etc. as commercial systems.
That depends:

Free closed source: I would presume the closed source provider or no one. Hard to assign liability when money did not change hands. No money, no duty to care in most cases. Product liability is pretty much limited to products that are sold.

Open Source: I would expect no liability exists because...

1. No money changes hands, no duty to care.
2. End user has full access to source, so, has at least shared responsibility for fitness to purpose.
3. Full access to source means end user cannot claim that vulnerability was hidden from end user.
4. Full access to source means end user has ability to correct vulnerability as soon as identified.

Finally, while your statement is theoretically true, in practice, resolutions to vulnerabilities in open source software tend to be delivered much faster than in closed source software. Even allowing for the difference in market share, the percentage of open source based systems which are owned and acting as spambots is much lower than the percentage of closed-source systems which are doing so. (Note: in this, although it is hybrid closed/open, I'll even count MacOS X in the open source for this purpose.)

Owen