Software patching must work like car safety recalls, says US cyber boss Software made unsafe by dependencies should be fixed without users needing to interact with the source of the problem, according to US National Cyber Director Chris Inglis, who serves in the Executive Office of the President. Speaking to The Register at the Black Hat Asia conference in Singapore on Friday, Inglis said that …
Interesting, only because he seems not to understand the existence of Open Source and its implications.
In particular, as we've seen recently, there seems to be significant amounts of abandonware in popular shareware repositories and, worse, it is linked in as required component(s) of packages supported by other, unrelated, developers. It would be nice to know if Mr Inglis even knows that this sort of linkage exists and just who, if anybody, does he think should bear the legal responsibility for fixing buggy abandonware in such a calling sequence.
Seems to me there are four main questions that need answers:
1) what responsibility should the shareware repository owner have for providing tools that allow an author to determine who wrote shareware that his code depends on?
2) Should they refuse to accept code that's not fully documented and accompanied by a properly maintained set of unit tests with enough coverage to fully validate the shareware's operation with valid, invalid and out-of-range inputs?
3) should the abandonware author be legally responsible for removing code that they've decided not to support any longer? Who inherits this responsibility if the author dies?
4) What liability should fall on a shareware author whose product depends on buggy code written by a 3rd party and that may or may not be maintained?
This post has been deleted by its author
1, It's a rat's nest. Logically it is the authors responsibility to know what they are using in their project, but if a dependency depends on something they depends on something... It's a mess. Plus it is also a moving target, an update might completely change how something works under the hood, and it won't be noticed as long as it works the same way.
Personally, I think a coder ought to damn well know what their code is actually doing and using before inflicting it upon the world, but I don't envy them sorting out that mess. But see point 4.
2, If the repository wants to kill itself stone dead, sure. But do note the number of buffer overruns and parse failures and such in commercial closed source software. Let's see the unit test results for those, eh?
3, Absolutely not. Just because an author has given up on maintaining something does not automatically mean it is broken or has no value or purpose. To require people to remove unsupported stuff risks slaughtering a good point about open source (that being that the source is available should you want to tinker).
It also risks important consequences if an author decides to cease supporting something and removes it, immediately buggering up everything that depended upon it.
4, Ideally, responsibility should fall on the author to be aware of what his code is using. However, if one wishes to have programmers be held to the same standards and liabilities as car manufacturers, then I'm quite certain that one will be happy to pay programmers the same as people who design cars, and also perfectly willing to pay the same price for new software as for a new car. And no free updates, you have to buy each new version.
Because all that testing and design and crash test dummies? That's expense after expense. Not even remotely in the same category as this one guy in Montana that maintains something important in his spare time, for free.
Of course, all those whingers are fully able to obtain the source and contribute. Might be more useful than dreaming up ridiculous laws, but then, doing so requires mental acuity and competence. Proposing crap laws is something that any idiot could scribble on a napkin while on an expensive taxpayer funded working lunch.
Open Source doesn't have much of a defined process to address this and it needs one.
However, I think that some of your questions are questionable at this time.
I would suggest a more gradual approach. For example, create a repository of abadonware, starting with authors who can no longer be reached via their contact information or who, once reached, state that they've abandoned the project. Then ask the community whether anyone is willing to take responsibility for them.
At least then you have a baseline to start with.
I'm not sure if I've misread the article or your reply, but to me the article is saying this is about making the vendor take responsibility of the open source they use in their products, not the devs of the open source. My take is that the vendor would have two choices: work with the original author to get a vulnerability fixed or fork it and fix it themselves.
To me, this would seem a win for the original devs, as it actually gives incentive for vendors to support and fund devs of the open source software they use, rather than grab it and run.
"My take is that the vendor would have two choices: work with the original author to get a vulnerability fixed or fork it and fix it themselves."
Both of those require them to spend money, what they were trying to avoid by using open source.
It's also a case of, someone else will fix it.
"Interesting, only because he seems not to understand the existence of Open Source and its implications."
No, it seeks to enforce that they obey the terms of the licence (eg apache licence clause 7 final sentence that says :"You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.")
I have a recall on my car.
I have a notice listing all the dealers, the closest is over 2 hours drive away.
The recall? The manual lists the setting for the rear door child locks incorrectly, the on and off settings are reversed. The markings are correct on the door.
The outcome of the recall: I get a notice to drive 4 hours to a dealer and back to _replace a page in the manual_.
When cars are routinely available for FREE, we can start to talk about some semblance of comparability between the markets.
Guess what: if someone gives you something for FREE, expect that they will be FREE of any liability. EVERY SINGLE FOSS license has such a clause. (The "Beer License" does not appear to meet the requirements to be a license in the legal sense.)
So, either this guy is a massive idiot (as are those who take him seriously), or he's talking exclusively about the commercial market. Let's assume he's talking about the commercial market. Okay, now there is some possibility that he's not..wait. He's talking about log4j. FOSS.
Some village has had its average IQ bumped. Send this one back.
This post has been deleted by its author
First they bailed out the big banks for their fuck ups. Too big to fail. So when some for profit company uses the software of someone that does this for a hobby, are they honestly expecting someone to give up their livelihood to support the for profit company?
Do these people really have any idea? Imagine, lets say that someone open sourced the design for a device that generated a huge amount of gas the at could have been used for inflating an airbag. Sure there was a design flaw that she was not aware or, one that would fire metal shrapnel with suck force that it could penetrate the skull of the driver. Is the designer to blame?
That's the good reason.
Then there's the real reason.
The ultimate aim of software corporation lobbyists is to abolish FOSS competition. Making it illegal if unpatched is a simple solution.
It's all about profit.
There's one critical point that Mr Inglis has missed. Cars and software are very different things. If he'd narrowed it down like "Software to manage critical safety functions of cars" should work like car safety recalls, or "Software to manage medical devices", or "Software to manage financial data where the financial exposure exceeds $100,000 per month", he might have had a point.
Tarring avionics software with the same brush as a suduku app on my phone with the same brush is a disservice to the industry, the economy, and to the information age.
A US national cyber director should be familiar with the concept of risk; the product of the impact, and probability of an issue in software, and issues with my suduku game should be treated the same way as car safety recalls.
Now in fairness, this isn't a US specific problem; we have this problem in the EU as well with the likes of the cookie law; laws written by politicians and lawyers, without the insight of engineers and subject matter experts who better understand the problem that needs to be solved.
If you sell a product (or a licence to it) then you're the vendor. If if you give it away and also offer a support contract, guess what, you're also the vendor (for all of the people/companies who buy the support contract.
Basically if you create a product and then take money for it then you're a vendor
Sorry I wasn't obvious enough with the "If you take money for it you're a vendor". I didn't think I needed to add "If you have not taken money for it then you're not a vendor".
For the avoidance of any doubt. If you were employed to write code, IF you retain ownership you're the vendor. If you do not retain ownership or similar rights then you're also not a vendor. Most employment contracts I've seen have clauses along the lines of "Anything you create while employed are the property of the employer"
It is always darkly humorous when fools proclaim "The world should work the way I think it should"!
It is less funny of course when said fool has real power to do real harm in society. Still as idiots with an opinion go I suppose this one is less dangerous than most. And he did stop short of putting the NHTSA in charge of developing regulations for software distribution. So that is something.
I believe the best response is to tell him because the price of diesel fuel is currently so high it is impractical to implement recalls at this time. Maybe when gas gets under $0.99 / gallon we can develop a regimen to distribute software fixes by truck.
1) Customer(s) complain/die/are injured.
2) Authorities investigate and find fault.
3) Volkswagen[1]The manufacturer swears blind that the fault isn't safety critical in itself.
4) Authorities decide not to issue a recall.
Is that the process we want?
[1] Sorry, easy mistake to make. Apparently, if your car is apt to suddenly stop for no reason in the midst of high speed traffic or have much of its brake system cease working, it's not a recall issue if it's a VW. For some reason[2] VW are also the tightest bunch on the planet for getting a spot of goodwill out of toward fixing common faults in their cheapshit componentry.
[2] Directors' bonuses are way more important than customers has to be favourite. See also: Dieselgate.
It is happening - cars are becoming as unmaintainable as phones as the amount of electronics and Google or Apple junk software increases - Just look at all the serious bugs in Teslas that are unfixable - not to mention the age old universal problems of car electronic locking and security systems that no-one bothers to recall and fix - just like insecure passwords.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
