Linux guru argues against security liability

By Tom Espiner, ZDNet UK
19 January 2007 08:16 AM
Tags: linux, open source, kernel, red hat, microsoft, code, security, cox

Alan Cox, one of the leading Linux kernel developers, has told a House of Lords hearing that neither open- nor closed-source developers should be liable for the security of the code they write.

Cox, who is permanently employed at Red Hat, told the Lords Science and Technology Committee inquiry into personal Internet security that both open- and closed-source software developers, including Microsoft, have an ethical duty to make their code as secure as possible.

"Microsoft people have a moral duty in making sure their operating system is fit-for-purpose," Cox said on Wednesday.

He added that it was generally accepted that no-one knows how to build a perfectly secure operating system, but that this was a research problem that someone would solve eventually, and make a lot of money in the process.

Cox said that closed-source companies could not be held liable for their code because of the effect this would have on third-party vendor relationships: "[Code] should not be the [legal] responsibility of software vendors, because this would lead to a combinatorial explosion with third-party vendors. When you add third-party applications, the software interaction becomes complex. Rational behaviour for software vendors would be to forbid the installation of any third-party software." This would not be feasible, as forbidding the installation of third-party software would contravene anti-competition legislation, he noted.

Cox said that it would be difficult to make open-source developers liable for their code because of the nature of open-source software development. As developers share code around the community, responsibility is collective. "Potentially there's no way to enforce liability," he said.

The question of open-source liability becomes more complex because of how the code is used, added Cox. Open-source code is generally given away, but companies use that code to develop their own products. Cox said that there was a question of how liability would move from the initial developers to the companies.

Microsoft's national technology officer, Jerry Fishenden, who spoke at the hearing, said the responsibility for security breaches should rest firmly with those perpetrating the breaches.

"We're making software as secure as we possibly can. People don't look at window-lock makers for the responsibility for burglary; the responsibility tends to rest with perpetrators," said Fishenden.

Adam Laurie, an open-source developer and security researcher, told the Lords that software manufacturers had a duty to the public to make it easy to secure computers, but he added that there is always a trade-off between usability and security. Developers should be liable for code they claim is secure when it has been proven not to be, he said.

Talkback 1 comments

    Fit for purpose Anonymous -- 23/01/07

    Developers should be held legally (and financially) responsible for their software within the context of the use for which it is intended. If you intend to create a hobbyist's platform, and someone tries to use it to support a banking system, then it doesn't seem reasonable to hold the developer to account. On the other hand, if you're hawking your wares as the next answer to enterprise computing (Red Hat?), then you most certainly should be liable for security failures or other untoward events.

    Ethics, from the perspective of making people do what they really should, are meaningless unless there are some penalties attached (that take you out of the business, such as disbarment, loss of certification, etc.). Nothing like this exists for software developers. If someone gets my banking information because a developer screwed up, it doesn't help me too much that they feel bad for 15 minutes.

    If you don't like the rules, don't play in the pool.
