[Cryptography] GCC bug 30475 (was Re: bounded pointers in C)

Arnold Reinhold agr at me.com
Sun Apr 27 06:55:14 EDT 2014


On Thu, 24 Apr 2014 11:49 Izaac wrote:

> On Sun, Apr 20, 2014 at 04:19:03PM -0400, Arnold Reinhold wrote:
>> In my opinion, the GNU Project and the developers of GCC would be well
>> advised to get legal advice on their responsibilities and liabilities
>> in this matter. 
> 
> Err, no, sadly:
> 
> http://www.openssl.org/source/license.html
> 
>   * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
>   * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
>   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>   * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
>   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>   * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
>   * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
>   * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
>   * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
>   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
>   * OF THE POSSIBILITY OF SUCH DAMAGE.
>
> Leave the lawyering to the wretched slime who passed the bar.
>


In the situation I was positing, someone killed or seriously injured because GCC removed a safety test, it is my understanding that commercial waivers like that are no defense against criminal prosecution. Even in civil litigation, their enforceability is limited and the situation in the U.S. varies by state. Disclaimers are generally enforceable as part of a conscious contract between knowledgeable parties of comparable bargaining power, but most states do not allow a party to limit their liability for gross negligence. Members of the general public, who depend on numerous pieces of software written in C but have never heard of GCC nor seen its disclaimers, may not be bound by them.

Again I am not a lawyer; my only advice is to talk to one before you assume disclaimers like the one you quoted will shield you against any consequences of your software development activities, particularly in the security area.

Arnold Reinhold