LWN.net
Leading items and editorials


The war requires closed source? Consider, for a moment, this eWeek article, which covers Microsoft VP Jim Allchin's testimony at the antitrust trial:

A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan.

Mr. Allchin, of course, is worried about the technical disclosure requirements that the nine dissident states are trying to work into the antitrust settlement.

A high-profile, upstanding, public company like Microsoft would certainly never dream of using the war in Afghanistan just to avoid some commercial discomfort, so one concludes that this threat must be real. The national security of the United States, it would seem, is dependent on the continued security-through-obscurity of closed source code.

Of course, there is no way, really, to know if that claim is true or not. The code is closed, so we will never know where the problems might be until somebody breaks it. The public does not know, the government does not know. There is no way to verify the security of code that is running in truly mission critical situations. Not cool.

The time for entrusting one's security to closed code has certainly passed. That time has passed whether the system in question is used by the kids to play games, is a corporate web server, is used by the CEO to play games, or is used by a general to run a military operation. If you cannot look at your software, you are depending entirely on the "trust me" claims of a corporation which has its own interests at heart. That is not a good position to be in, and it is increasingly unnecessary. The sooner that free software finds its way into "mission critical" applications, the safer we will all be.

Software and warranties. Software is a strange business, in that it manages to escape the consequences of its mistakes in a way that few other industries can manage. If your disk drive explodes, your car's wheels fall off, your toaster catches fire, or your beer fails to make you attractive to the opposite sex, you can sue the manufacturer for damages. Well, maybe the brewer will get away with it. But, in general, vendors cannot escape liability for the things they sell - except for software vendors.

There is a rumbling in the distance, however, that suggests that pressure for change is increasing. The National Academy of Sciences has called for software vendors to be liable for defects in their products. Bruce Schneier has also called for liability as a way of reducing security problems:

If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products.

No doubt liability would change life for software vendors; they would be forced to concentrate far more attention on reliability and security. The cost of software would go up to fund that effort and to pay for liability claims. It would be a different world.

Life would change for free software too, however. If a developer can be sued for a bug in software that was released for free, the supply of free software will dry up in a hurry. Free software developers do not have the resources for fanatical quality control procedures or to buy insurance against liability suits. The free software development process depends heavily on users to help find problems.

Distributors of free software also have much to fear from exposure to product liability suits. Some Linux distributors are more careful than others, but they all package up vast amounts of software that they did not write, and for which they are in no position to write guarantees.

The software business as a whole, perhaps, is not yet in a position to assume liability for its products. The state of the art in software development remains primitive. Yet it would be a good thing to encourage software producers to focus more on the reliability and security of their offerings. But any such change must be done in a way that does not destroy the free software ecology.

One possible position to take could be that closed-source software, being a proprietary black box, should come with warranties and liability coverage. By making its source available (not necessarily with a free license) a company could enable others to audit its software, and, in the act, transfer liability to the users of that software. All free software would, thus, retain its current "no warranty" status. Don't expect proprietary software companies - and the congressmen they buy - to be pleased with that idea, however.

2600 case appeal denied. A U.S. Federal Appeals Court declined to review the 2600 DVD case, leaving the lower court ruling unchanged. Thus, it is still illegal to post the DeCSS code, or even a link to it. The one remaining option at this point is to appeal to the Supreme Court; no decision, yet, has been announced as to whether that course will be followed or not.

The LWN.net Weekly Edition will not be published next week so that the LWN staff can enjoy the Memorial Day holiday, and so we can finish up a surprise that we hope to make available soon. The daily updates page will be maintained as usual, and the Weekly Edition will return on June 6.

Inside this LWN.net weekly edition:

  • Security: Goodbye rlogind; fingerprint scanners; OpenSSH and Mailman releases
  • Kernel: New quota code; the end of /dev/port; misusing copy_*_user.
  • Distributions: Clustering and the Linux distribution; ClosedBSD.
  • Development: GCC 3.1, MnoGoSearch 3.2.4, Analog 5.23, Guikachu 1.2.0, OpenSSH 3.2.2, AlsaPlayer 0.99.70, WaveSurfer 1.4, Netscape 7.0 Preview Release 1.
  • Commerce: FSF Files Brief Amicus Curiae in Eldred v. Ashcroft Supreme Court Case; Ericsson Joins Open Source Development Lab.
  • Letters: Outlawing markers; RMS and GNU/Linux.
...plus the usual array of reports, updates, and announcements.

May 23, 2002

Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds