Subject: Re: EROS and liability
From: Ian Lance Taylor <ian@airs.com>
Date: 30 Jun 1999 11:34:51 -0400

   From: shapj@us.ibm.com
   Date: Wed, 30 Jun 1999 11:13:59 -0400

   The empirical evidence is that a judge/jury *will* accept what Ian says under
   two conditions:

   1. There was the clearly stated contract.  I.e. I sold a contract that said "you
   modify it and you take all the burden"

   2. I can prove that you modified it.

   The sad reality is the burden of proof in this situation will fall on the
   defendant, thus my question about methods for determining if modification
   occurred in the face of configurable binaries.

I still don't see why it matters that you are using free software,
as opposed to other software distributed in source code form.  Did
Stephen describe your concerns in this regard correctly?


I can't imagine any process that would start from a random binary and
convincingly determine whether it was compiled from sources which were
only modified in certain ways.


I can imagine a procedure like this: modify your Makefiles so that
every time you compile a file, you add a .note section to the .o file
holding an MD5 digest of the source code you just compiled (cc -E |
md5sum).  Let the final link accumulate all those notes in some
way--ideally, keep them separate, but that might take up too much
space, so you might have to combine them.

If the notes aren't in the final binary, you know that the customer
modified the Makefiles.  If the notes are there but the values are
wrong, you know that the customer changed the sources in some
unapproved way.  In the context of a court case you can get the exact
sources the customer used, and you can verify using the MD5 digest
that you did get the exact sources.  You can then determine just what
sorts of changes the customer made, and determine whether they are
approved.

This is vulnerable to intelligent and unethical cheating.  I'm
assuming that you don't find it necessary to block that.  Is that
true?

Does anybody see any other holes?


Of course, there might still be a compiler bug.  But at least you'll
be able to blame the compiler rather than your sources.


Unfortunately, as I expect we all know, if IBM tries this technical
defense in front of a jury deciding a case where somebody died because
of a pacemaker software failure, IBM will lose.

Ian
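Ian's note-digest procedure, as an added example that is not part of the original thread. The constructed source texts stand in for the `cc -E` output the Makefile would hash, `build_notes` is what each `.note` section would record, `verify` applies the three cases Ian lists (no notes, wrong values, match), and `combine_notes` shows the space-saving variant he mentions and what it gives up.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the preprocessor output of each translation
# unit. In a real build the digest is taken over "cc -E" output; here the
# text itself plays that role.
VENDOR_SOURCES = {
    "pacer.c": "int rate(void) { return 60; }\n",
    "alarm.c": "int alarm_on(int r) { return r < 40; }\n",
}

def source_digest(preprocessed: str) -> str:
    """MD5 of one preprocessed unit, as 'cc -E | md5sum' would produce."""
    return hashlib.md5(preprocessed.encode()).hexdigest()

def build_notes(sources: Dict[str, str]) -> Dict[str, str]:
    """Per-file notes the Makefile would attach to each .o as a .note section."""
    return {name: source_digest(text) for name, text in sources.items()}

def combine_notes(notes: Dict[str, str]) -> str:
    """Space-saving variant: a single digest over all per-file digests."""
    joined = "".join(f"{n}:{d}\n" for n, d in sorted(notes.items()))
    return hashlib.md5(joined.encode()).hexdigest()

def verify(notes_in_binary: Optional[Dict[str, str]],
           customer_sources: Dict[str, str]) -> Tuple[str, List[str]]:
    """Notes absent: Makefiles were changed. Values wrong: sources were
    changed (and we learn which files). All match: sources verified."""
    if not notes_in_binary:
        return ("makefiles-modified", [])
    actual = build_notes(customer_sources)
    changed = sorted(n for n, d in notes_in_binary.items() if actual.get(n) != d)
    if changed:
        return ("sources-modified", changed)
    return ("verified", [])

def verify_combined(combined_in_binary: str,
                    customer_sources: Dict[str, str]) -> bool:
    """With combined notes you only learn that something changed, not what."""
    return combine_notes(build_notes(customer_sources)) == combined_in_binary
```

The per-file form pinpoints the altered translation unit; the combined form still detects a change but leaves you to diff every file the customer hands over.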