Neil Brown
Safety features for open source projects is an interesting one, and I wish I had a better answer.
Do the lead developers of a project have an obligation - legal? ethical? moral? - to build safety features into their codebase. To bake in "safety by design"?
Even if they don't think that they, personally, need those features - which may be privilege talking, or it may be that their specific use case doesn't demand it, but others use the software differently.
Neil Brown
I've definitely seen an operator-centric analysis a lot and, from an English law point of view, it looks like that's the way a legal obligation might arise.
I'm not sure that it's the only, or even the "right", answer though, perhaps especially when the author promotes uptake of the software for community uses. It feels a bit artificial then.
Chris Shaw
@neil it's the operator of the software who is responsible for safety features, not the author.
If software does not contain the appropriate safety features to operate according to regulations in their marketplace, the operator needs to commission them.
In the case of open source of course, they can either ask the initial author to implement them, or do it themselves.
Chris Shaw
@silverwizard @neil I don't think any FOSS developer would ever claim that their software is fit for any purpose. It's supplied "As is" to whoever wishes to make use of it.
Even in the commercial world, the SLAs have various force majeure and 'get out clauses' to evade responsibility if unexpected things happen during its use.
Aerik
Building on your statement: Isn't that kind of the proposition of open source anyway? That you can look under the hood and *see for yourself* if it is as safe as you need? And *change it yourself*?
Versus commercial software which very obviously has certain legal and ethical obligations.
(I realize commercial software *can* be open source, but delving into those distinctions is not relevant to the point I'm trying to make)
Chris Shaw
@sldrant @silverwizard @neil I think that it's clear that legal obligations lie very much with the operator, not the supplier.
Neil is also coming at the question from other angles like ethical.
Another way of framing that question is "is it unethical to deploy software without safety" and "is it unethical to distribute software without safety".
The answer to the first is almost certainly yes. The answer to the second is less clear cut.
Anton Piatek
@chrisshaw @silverwizard @neil yeah, was going to add that most software agreements, even big corporate ones, limit any liability massively, and any warranty is a paid for discretionary extra. Can't see how safety features would be any different
Chris Shaw
@sldrant @silverwizard @neil I'm sure there are open source components used in planes and medical devices. But they are regulated, so no-one can use them until compliance is demonstrated to the relevant authority.
Having just read Neil's blog on this subject, one critical question is whether putting something on GitHub constitutes offering a service.
I don't think it should, any more than a research paper on arvix should be considered one.
Source code is knowledge. Binaries are applications.
Anton Piatek
@silverwizard @neil @chrisshaw I've never worked on life crtitcal software, but planes and medical devices do have these guarantees. None are open source though. Perhaps you get what you pay for?
Chris Shaw
@silverwizard @neil @sldrant but I'm guessing you didn't hold the original authors of the open source to account?
Neil Brown
I am very wary of suggesting that additional burdens should be placed on people who write software for fun, and release it under FOSS licences: that, to me, already feels like a significant public good.
But I've also heard arguments that made me think, that releasing insecure but readily deployable software is worse than releasing no software.
Neil Brown
@silverwizard @sldrant @chrisshaw
This is fascinating and, to my mind, a separate issue. The original post was not about defects in the code or infringement issues (the typical "no warranty" scenarios), but about whether developers of platforms designed for user interaction (for example) should build in user safety features up front.
Definitely some overlaps, but I'm certainly not suggesting "developers of FOSS should be liable for bugs", or anything like that.
Neil Brown
@silverwizard @sldrant @chrisshaw
I spend much of my time in the world of FOSS, and the tech of my business is built on FOSS, so that would be madness :)
Neil Brown
@silverwizard @sldrant @chrisshaw In some cases - eg core utilities - yes, sure.
In the context of a platform intended to be used for public multiparty video conferencing, with a reference implementation exposed to the Internet with encouragement for people to use it for "actual" video events, perhaps less grey?
Neil Brown
@silverwizard @sldrant @chrisshaw
Hmm... I'm still reasonably clear in my own mind about the distinction between inherent risks in a choice of language, or the risk of bugs, and the design decisions around what a project should consider up front.
I'm certainly not of a mind to push more on people who are already doing amazing things by making their code so readily available, but I am trying not to conflate what I perceive as to separate issues.
翠星石
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.