
Alan Cox: Who is responsible for the security of software code?

Date: 2017/2/27 11:07:06   Editor: Linux Industry

Alan Cox, one of the lead developers of the Linux kernel and an employee of Red Hat, recently took part in a hearing on whether software authors should be liable for the security of their software. The hearing was convened by the UK House of Lords Science and Technology Committee. At the hearing, he argued that neither open-source nor closed-source authors can be held liable for the security of their code.

The topics discussed at the hearing included personal internet security and the question of how accountable open-source and closed-source developers are for their code. From an ethical standpoint, the authors of both open-source and closed-source code should take responsibility for the security of their code. Companies such as Microsoft were singled out as having a responsibility for the security of their code, and a duty to ensure that everything their operating systems do is legitimate. Yet achieving this is difficult, for open-source authors and commercial software companies alike.

He also said that, although it is widely accepted that a completely secure operating system is unlikely, we can keep improving systems to make them more secure, and that doing so can bring considerable rewards along the way.

  Alan Cox, one of the leading Linux kernel developers, has told a House of Lords hearing that neither open- nor closed-source developers should be liable for the security of the code they write.

  Cox, who is permanently employed at Red Hat, told the Lords Science and Technology Committee inquiry into personal internet security that both open- and closed-source software developers, including Microsoft, have an ethical duty to make their code as secure as possible. "Microsoft people have a moral duty in making sure their operating system is fit-for-purpose," Cox said on Wednesday.

  He added that it was generally accepted that no-one knows how to build a perfectly secure operating system, but that this was a research problem that someone would solve eventually, and make a lot of money in the process.

  Cox said that closed-source companies could not be held liable for their code because of the effect this would have on third-party vendor relationships: "[Code] should not be the [legal] responsibility of software vendors, because this would lead to a combinatorial explosion with third-party vendors. When you add third-party applications, the software interaction becomes complex. Rational behaviour for software vendors would be to forbid the installation of any third-party software." This would not be feasible, as forbidding the installation of third-party software would contravene anti-competition legislation, he noted.

  Cox said that it would be difficult to make open-source developers liable for their code because of the nature of open-source software development. As developers share code around the community, responsibility is collective. "Potentially there's no way to enforce liability," he said.

  The question of open-source liability becomes more complex because of how the code is used, added Cox. Open-source code is generally given away, but companies use that code to develop their own products. Cox said that there was a question of how liability would move from the initial developers to the companies.

  Microsoft's national technology officer, Jerry Fishenden, who spoke at the hearing, said the responsibility for security breaches should rest firmly with those perpetrating the breaches. "We're making software as secure as we possibly can. People don't look at window-lock makers for the responsibility for burglary — the responsibility tends to rest with perpetrators," said Fishenden.

  Adam Laurie, an open-source developer and security researcher, told the Lords that software manufacturers had a duty to the public to make it easy to secure computers, but he added that there is always a trade-off between usability and security. Developers should be liable for code they claim is secure even when it has been proven that it is not, he said.

  The Lords inquiry will present its findings in the summer.

Source: linux.chinaunix.net