[SystemSafety] OpenSSL Bug

Steve Tockey Steve.Tockey at construx.com
Mon Apr 14 01:54:08 CEST 2014


I certainly can't speak for other countries, and I'm not a lawyer so I
can't speak for the US either. But from what I've heard, Cem Kaner (author
of a couple of good books on software testing) is a lawyer. He's
apparently on record as saying that in the US, the typical software
license agreement is unenforceable. There's a US Federal statue called the
"Uniform Commercial Code" (UCC) that establishes certain requirements on
any product or service offered for sale. The UCC takes legal precedent
over any other agreement between buyer and seller. The "implied
merchantability" doctrine in UCC essentially says that if the seller is
going to sell it then they take on a certain amount of liability that what
they sold will actually work. And if it doesn't work, then the buyer has
legal recourse--regardless of what any license agreement may or may not
state.

A software seller using open source software as a basis for their own
products can't just pass off responsibility to the OSS provider. The OSS
provider didn't ask for money, so UCC and implied merchantability don't
apply. But the software seller is asking for money, so regardless of where
the lines of code came from, the software seller is implying a warranty on
those lines of code.

Cem Kaner's point is that most people are scared by the software license
agreement, but despite what it says (at least in the US) the buyer has a
non-trivial amount of legal power over the seller. Once software buyers
learn about this, then expect the legal system to be used to force
providers of crappy software to either clean up their act or get forced
out of business.


-- steve




-----Original Message-----
From: Jan Sanders <jsanders at techfak.uni-bielefeld.de>
Date: Friday, April 11, 2014 8:10 AM
To: "systemsafety at lists.techfak.uni-bielefeld.de"
<systemsafety at lists.techfak.uni-bielefeld.de>
Subject: Re: [SystemSafety] OpenSSL Bug


On Friday, 11 April 2014 16:38 CEST, Mike Rothon
<mike.rothon at certisa.com> wrote:

> Since news of heartbleed came to light a couple of questions have been
> going through my mind:
> 
> 1) How did we arrive at a situation where a large proportion of
> seemingly mission / financially critical infrastructure relies on
> software whose licence clearly states " This software is provided by the
> openSSL project ``as is`` and any expressed or implied warranties,
> including, but not limited to, the implied warranties of merchantability
> and fitness for a particular purpose are disclaimed."?
I am not aware of licence agreements which do not contain this or similar
disclaimers. I am grateful for pointers to TLS implementations which come
without warranty disclaimers.


Jan Sanders
_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE