
Alan Cox: Who Is Responsible for Software Code Security?


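  Alan Cox, one of the lead developers of the Linux kernel, is employed by the US company Red Hat Linux. He recently took part in a hearing on whether software authors should be responsible for software security. The hearing was convened by the Science and Technology Committee of the UK House of Lords. At the hearing he pointed out that neither open-source nor closed-source software authors are able to take responsibility for the security of their code.

  Topics discussed at the hearing included personal internet security and the responsibility of open-source and closed-source developers for their code. From an ethical standpoint, the authors of both open-source and closed-source code should be responsible for the security of their code. Companies such as Microsoft were singled out as needing to take responsibility for the security of their code; they have a duty to ensure that everything their operating system does is legitimate. But achieving this is very difficult, whether for open-source software authors or for commercial software companies.

  He also said that although everyone knows a completely secure operating system is unlikely, we can keep improving it to make it more secure, and that a great deal of benefit can come from that process.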

  Alan Cox, one of the leading Linux kernel developers, has told a House of Lords hearing that neither open- nor closed-source developers should be liable for the security of the code they write.

  Cox, who is permanently employed at Red Hat, told the Lords Science and Technology Committee inquiry into personal internet security that both open- and closed-source software developers, including Microsoft, have an ethical duty to make their code as secure as possible. "Microsoft people have a moral duty in making sure their operating system is fit-for-purpose," Cox said on Wednesday.

  He added that it was generally accepted that no-one knows how to build a perfectly secure operating system, but that this was a research problem that someone would solve eventually, and make a lot of money in the process.

  Cox said that closed-source companies could not be held liable for their code because of the effect this would have on third-party vendor relationships: "[Code] should not be the [legal] responsibility of software vendors, because this would lead to a combinatorial explosion with third-party vendors. When you add third-party applications, the software interaction becomes complex. Rational behaviour for software vendors would be to forbid the installation of any third-party software." This would not be feasible, as forbidding the installation of third-party software would contravene anti-competition legislation, he noted.

  Cox said that it would be difficult to make open-source developers liable for their code because of the nature of open-source software development. As developers share code around the community, responsibility is collective. "Potentially there's no way to enforce liability," he said.

  The question of open-source liability becomes more complex because of how the code is used, added Cox. Open-source code is generally given away, but companies use that code to develop their own products. Cox said that there was a question of how liability would move from the initial developers to the companies.

  Microsoft's national technology officer, Jerry Fishenden, who spoke at the hearing, said the responsibility for security breaches should rest firmly with those perpetrating the breaches. "We're making software as secure as we possibly can. People don't look at window-lock makers for the responsibility for burglary — the responsibility tends to rest with perpetrators," said Fishenden.

  Adam Laurie, an open-source developer and security researcher, told the Lords that software manufacturers had a duty to the public to make it easy to secure computers, but he added that there is always a trade-off between usability and security. Developers should be liable for code they claim is secure even when it has been proven that it is not, he said.

  The Lords inquiry will present its findings in the summer.