Re: [SystemSafety] OpenSSL Bug

From: Steve Tockey < >
Date: Sun, 13 Apr 2014 23:54:08 +0000

I certainly can't speak for other countries, and I'm not a lawyer so I can't speak for the US either. But from what I've heard, Cem Kaner (author of a couple of good books on software testing) is a lawyer. He's apparently on record as saying that in the US, the typical software license agreement is unenforceable. There's a US Federal statute called the "Uniform Commercial Code" (UCC) that establishes certain requirements on any product or service offered for sale. The UCC takes legal precedence over any other agreement between buyer and seller. The "implied merchantability" doctrine in UCC essentially says that if the seller is going to sell it then they take on a certain amount of liability that what they sold will actually work. And if it doesn't work, then the buyer has legal recourse--regardless of what any license agreement may or may not state.

A software seller using open source software as a basis for their own products can't just pass off responsibility to the OSS provider. The OSS provider didn't ask for money, so UCC and implied merchantability don't apply. But the software seller is asking for money, so regardless of where the lines of code came from, the software seller is implying a warranty of those lines of code.

Cem Kaner's point is that most people are scared by the software license agreement, but despite what it says (at least in the US) the buyer has a non-trivial amount of legal power over the seller. Once software buyers learn about this, then expect the legal system to be used to force providers of crappy software to either clean up their act or get forced out of business.

-----Original Message-----
From: Jan Sanders <jsanders_at_xxxxxx
Date: Friday, April 11, 2014 8:10 AM
To: "systemsafety_at_xxxxxx <systemsafety_at_xxxxxx
Subject: Re: [SystemSafety] OpenSSL Bug

On Friday, 11 April 2014 16:38 CEST, Mike Rothon <mike.rothon_at_xxxxxx

> Since news of heartbleed came to light a couple of questions have been
> going through my mind:
> 1) How did we arrive at a situation where a large proportion of
> seemingly mission / financially critical infrastructure relies on
> software whose licence clearly states "This software is provided by the
> OpenSSL project ``as is`` and any expressed or implied warranties,
> including, but not limited to, the implied warranties of merchantability
> and fitness for a particular purpose are disclaimed."?
I am not aware of licence agreements which do not contain this or similar disclaimers. I am grateful for pointers to TLS implementations which come without warranty disclaimers.

Jan Sanders

The System Safety Mailing List

systemsafety_at_xxxxxx
Received on Mon Apr 14 2014 - 01:54:19 CEST
