Who knew about the virus/Culpability

Jonathan S. Shapiro shap at polya.Stanford.EDU
Tue Nov 15 04:27:15 AEST 1988


Both Berkeley and Sun have now impugned my credibility, which I am
sorry to say I do not find remarkable under the circumstances.  Bill
Nowicki of Sun went so far as to demand an apology:

Bill wrote:
>You made a very serious public charge when you claimed that Sun knew
>about the bug but deliberately refused to fix it.   Please post an
>apology stating that Sun never received your bug report, or else be
>prepared to have evidence to back up your claim.

First, I would like to point out that I made no statement about
whether Sun *deliberately* failed to fix the bug or not.  I merely
observed that the bug was *reported*.  I can think of several ways in
which it might come to happen, with the best of intentions, that a
reported bug of this nature failed to get fixed.  These require no
assumption of malevolence on the part of Sun.  Indeed, I think on the
whole that Sun is pretty good about this sort of thing, Mr. Nowicki's
current lack of calm notwithstanding.

As I explained to Bill, I am no longer with the organization that
reported the bug, and do not have access to the paperwork to
demonstrate that they were submitted, nor can I be sure [it has been
four years, and it wasn't very important in 1984] that the bug reports
were not made verbally.  I am nonetheless certain that a
representative of Sun *did* receive my bug report.

What is important, and evidently needs to be clarified out of my
original message, is that I do not believe that any failure to fix the
bug was intentional on the part of Sun or Berkeley.  If I gave that
impression, then I certainly do owe an apology.

Independent of who is to blame in this case, I do believe that we may
wish to consider legislation that will make companies legally
responsible for failing (willfully or otherwise) to repair such bugs
in a "reasonable" amount of time.  At the present time the customer
has very little legal support, and the bug repair process can result
in serious bugs not being fixed.  The vendors have a right to do
triage based on what they are *able* to accomplish.  There are only so
many staff hours between releases.  The question is, when the triage
call turns out to be a miscall, should the customers have legal
recourse?

I would not see this as an issue were it not for the fact that when a
*customer* installs such a fix on their own system, the vendor company
invariably refuses to support the altered software.  There are good
reasons for this, but it puts the customer in a damned if you do and
damned if you don't situation.

I know Sun and Berkeley don't like this idea.  I am quite certain that
it needs a better formulation.  I would be interested in hearing the
opinions of the *customers*.


Jon



More information about the Comp.unix.wizards mailing list