Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: What could have been done differently?

  • From: Leo Bicknell
  • Date: Tue Jan 28 11:27:38 2003

In a message written on Tue, Jan 28, 2003 at 10:23:09AM -0500, Eric Germann wrote:
> Not to sound to pro-MS, but if they are going to sue, they should be able to
> sue ALL software makers.  And what does that do to open source?  Apache,
> MySQL, OpenSSH, etc have all had their problems.  Should we sue the nail gun

IANAL, but I think this is all fairly well worked out, from a legal
sense.  Big companies are held to a higher standard.  Sadly it's
often because lawyers pursue the dollars, but it's also because
they have the resources to test, and they have a larger public
responsibility to do that work.

That is, I think there is a big difference between a company the
size of Microsoft saying "we've known about this problem for 6
months but didn't consider it serious so we didn't do anything
about it", and an open source developer saying "I've known about
it for 6 months, but it's a hard problem to solve, I work on this
in my spare time, and my users know that."

Just like I expect a Ford to pass federal government safety tests,
to have been put through a battery of product tests by ford, etc
and be generally reliable and safe; but when I go to my local custom
shop and have them build me a low volume or one off street rod, or
chopper I cannot reasonably expect the same.

The responsibility is the sum total of the number of product units
out in the market, the risk to the end consumer, the companies
ability to foresee the risk, and the steps the company was able to
reasonably take to mitigate the risk.

So, if someone can make a class action lawsuit against OpenSSH, go
right ahead.  In all likelyhood though there isn't enough money in
it to get the lawyers interested, and even if there was it would
be hard to prove that "a couple of guys" should have exhaustively
tested the product like a big company should have done.

It was once said, "there is risk in hiring someone to do risk analysis."

> use for anything other than nailing stuff together.  Likewise, MS told
> people six months ago to fix the hole.  "Lack of planning on your part does

It is for this very reason I suspect no one could collect on this
specific problem.  Microsoft, from all I can tell, acted responsibly
in this case.  Sean asked for general ways to solve this type of
problem.  I gave what I thought was the best solution in general.
It doesn't apply very directly to the specific events of the last
few days.

       Leo Bicknell - - CCIE 3440
        PGP keys at
Read TMBG List -,

Attachment: pgp00022.pgp
Description: PGP signature

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.