by shitloadofbooks 3321 days ago
And who do we fine for all the bugs in Open Source software then. The most serious vulnerabilities of late have all been in Open Source packages:

- ShellShock
- Heartbleed
- etc

Do we fine the person who committed the faulty logic, the reviewers, the entire community who "peer reviewed" it?

4 comments

>ShellShock - Heartbleed - etc

How many systems were actually compromised in an unrecoverable manner costing thousands or millions, maybe even billions of damage due to any of those vulnerabilities?

All of them combined do not even come close to the damage that occurred over the weekend.

Shellshock and Heartbleed were an inconvenience for some sysadmins and click bait for the tech press.

Heartbleed and ShellShock were serious but nowhere near the seriousness of WannaCrypt. Don't let the top headlines of HN and a fancy logo be how you rate vulnerabilities.
Thanks for the transparency of open source you have learnt those buzzwords. Wish you the best of luck with your black boxes.
I'd be happy enough to go with "you fine whoever wrote the invoice or cashed the cheque". You wanna sell it? Take responsibility for it. You scratch your own itch and give it away for free? Good on you.
It doesn't quite work like that.

If I give away "free lemonade", but people get sick because I've made it in dirty conditions, I will not get away just because it's free.

Maybe...

What's your alternative? Are you suggesting we _do_ fine all the OpenSSL contributors? Or that we do not hold anyone except end users responsible for software/hardware security?

I'm not sure metaphors or comparisons between software and lemonade are entirely helpful - although they do push the discussion along, which is at least interesting... (So if I didn't _make_ the lemonade, but published my "4 lemons pulped, 1/2 a cup of sugar, and 2 teaspoons of rat poison" lemonade recipe on github - then you made it and got sick... Who's in the firing line then? What if the README says "this recipe is satire"?)

Redhat and Canonical will be in a world of hurt.