Shostack + Friends Blog Archive


Patches & EULAs

Security patches should not come with licenses. There is no fair renegotiation under threat. If I bought your software and am using it, and you then find a bug in it, you should not be allowed to attach new terms to the fix I need in order to keep using the software safely.

Imagine a hotel that lost a master key to a known criminal, and then sent the manager door to door asking guests for extra money before they could get a new lock.

I can’t imagine that such contract terms are legal, so why do vendors bother with them?

At least Microsoft, after marketing to you about the security bugs it fixes, is listing the files that a patch changes.

2 comments on "Patches & EULAs"

  • NudeCybot says:

    I see your excellent point, and will raise you the following:
    The EULA and the software business model in general are not sustainable in their current form. EULAs typically contain sections that revoke some basic end-user rights to copyrighted work, and grant seemingly inconceivable rights to the software owner. Remember Microsoft’s Hailstorm, whereby the EULA included revoking all IP rights to information transmitted through their network. All your rights belong to us.
    I love the Wired article “You Need a RoboLawyer”. … It is especially true given the current state of the software industry.

  • Pacanukeha says:

    Well, EULAs are a harbinger of the approach of software-as-a-service. When network costs are low enough, there is no incentive for producers to sell shrink-wrapped boxes. Services are always governed by an agreement of some sort. So we’ll see two worlds: F/LOSS, where you run things yourself (because you have the manpower and you want/need the control), and proprietary, where you log in to a server. The server may be a local mirror on your network, but it is still a black box.
