Comments
Fail

That's so stupid. They are foolish. EU sucks.

posted by : wtf, 14 May 2009
Finally a beginning to the solution

This move is long overdue. For years now we have had to put up with license agreements that state we do not purchase the binary code, we only pay for the right to use it and the publisher has the right to disable the binary at any time for any reason. That license also states that any error in coding or compiling is entirely the user's problem and the publisher is not responsible for losses due to bugs even if they were aware of the bug and declined to attempt a repair or patch.

I see an endless stream of "Application X can be hacked using a Buffer Overflow bug and here is how..." This hack should have been retired decades ago. The fix is to simply have every function/module/routine that writes data to a buffer either truncate at the end of the buffer or wrap. Do this and you will never have another buffer overflow hack in new code.

Many compilers do NOT generate the code that the programmer wrote. When this happens there is every possibility of a bug in the final binary since the binary is NOT the program that the coder fed into the compiler.

I still remember a bit of code that was a rewrite of a website backend. A jobshop did a "complete rewrite & added browser code". It took them 30 days and if used in any browser except IE5 would dump the database to the client browser. Not a good plan since that included every customer's data... That shop finished the job so quickly because they went through my original code, rewrote 1 routine that referenced a no longer used procedure, commented out the unused procedure with an insult about bad programming and a comment that they had no idea why it was put in. Then they added 5 webpage modules with cut&paste HTML coding & database access routines, checked to see if it ran with the IE browser on their shop PCs and turned it over to the customer as tested and ready to run on the public server.

I use Opera and logged onto the site a few hours after it went live. The response I got from the customer after informing them of the result was that I had no business using Opera to view their website :P

The original code had no known bugs & worked with Opera, Netscape & all versions of IE through IE5. Not because I am a great coder, but because I put several weeks into attempting to crash or hack the final version.

With this move by the EU we may finally see compilers that generate code as written or if "optimized" code that executes according to the program designer's specifications.

As for who is responsible for a bug in an integrated system? That is the person or company responsible for producing the buggy component. Microsoft is responsible for errors in Microsoft code. Companies & individuals providing drivers are responsible for bugs introduced by the driver code. Third party application publishers are responsible for bugs in their code.

Good programmers will have no problems with this law. They test and remove bugs before release and are often able to repair faults found after release. A volunteer effort like Mozilla or Linux will have an easier time than solo programmers since they will simply make QA and bug removal part of their standard programming effort. Of course this will mean that "improvements" will come at a slower pace since they will need to actually work, but is that such a bad thing? :D

posted by : Fritz, 13 May 2009
@Ben

Accountability at what level though? Is Microsoft to be accountable for crashes in Vista because of shoddy nVidia drivers? Even if you know where the bug actually is, what if the bug is in proprietary libraries which the developer does not have access to? Who is responsible then, and how does one actually assign blame?

Then there are standards on the bugs themselves. What kind of priority is to be assigned to certain bugs? What kind of timetable is required to fix those bugs? Is a bug actually a "bug" or a "feature" and who can verify the claim? Should companies fix the most visible bugs or internal ones?

What if the bug is in a linked proprietary library, and is low priority for the library licenser and other licensees, but severe for just one of its users? What obligations are there to have that specific bug given high priority? What if that bug is only present because the library user takes advantage of vital-but-"undocumented" features?

To whom is this law to be extended to? Just big companies with lots of money? The companies people complain most about? Website developers? Whom?

What about the application and enforcement of such patches for the programs? Most programs do not have mechanisms for updating their programs except if the user directly applies a patch. Does it do any good to have fixes for problems, but not the means to enforce their application? For liability, what if you are the victim of a bug, but because the problem exists on other computers (like owned machines)? Are you entitled to compensation because someone else is not diligent in applying patches? What about coverage for people with illegitimate software?

These are just the legal issues.

Then there are issues with the complexity of finding and removing bugs in the first place. Computer programs are non-linear systems in a class of complexity beyond any other system, far beyond toasters, cars, even predicting the weather. Should we just give up on fixing problems in them? No. But to expect we can just enforce arbitrary laws on them presuming that the problem is like a faulty toaster or car is ridiculous.

It's a cute idea the EU has, but unrealizable. Whatever law comes out of this, if any, will be extremely watered down, or have many, many challenges in the courts. Maybe this is just a ploy for the EU to rake in more money as seems to be their prerogative these days with software companies.

A much less complex method for shaping computer programs and their bugs is to simply vote with your feet and wallet. Heaven forbid people think for themselves!

posted by : BB, 12 May 2009
it would be like applying 2nd class road speed limit on superhighway

For the Rich Wargo and similar thinking:

Internet and software found way how to deal with questions if product==software is suitable for you:

1. try it before buying it; some software allows you 15 days, some even 60 days, some (Windows) even 120-180 days.

2. go to forums to check long run reputation

3. set your goals when buying product will be sufficient for you and match with above

Law which is trying to apply any real product rules on software is simply backward thinking (out of new domain), therefore it would be contra-productive. I can imagine expensive software which nobody can afford and all of us will start using free but blacksourced software which will use different-hidden way how to get money from its users (adverts-statistics etc..)

P.S.: I know lot of companies who buy product without trying it.. such companies individuals don't understand what software stands for and they will have to learn their lesson regardless if this law exists i.e. it would not protect them .. others don't need it in first place.

posted by : SpaceQ, 12 May 2009
@Arbitrary standard

It's about honesty. It's about accountability.

It is dishonest to just rant about users operating equipment or software in ways it was obviously not intended to work, and then ignoring the fact that there is obviously a cultural problem in the software business where quality doesn't matter.

The EU have quite rightly identified a real problem. Quite how they tackle it and how effective that is entirely another matter.

The biggest problem will be corrupt multi-national corporations throwing lawyers at the problem instead of just making an effort to improve their business culture.

posted by : Ben, 12 May 2009
Arbitrary standard

Oh right, and what kind of arbitrary standard will the EU apply to such "code quality"? Are toaster makers responsible for people actively trying to jam forks into them? Are car manufacturers to be responsible for all thefts that occur in the car? Is that how it works? Because that's pretty much what goes on with software.

Worse, you know what will happen? Software will simply check what you have and tell you it won't install on your system. "Not running an Intel processor that we did our testing with? Too bad!"

Maybe Microsoft will release Windows F-EU edition, designed only to work on certified Dell F-EU machines. Everything will be completely locked down so you can't go outside your padded cell where they might be responsible that will most likely work, but hasn't been certified yet.

Damn nanny states.

@Sean Baggaley: You are living in an illusionary world my friend, and do not understand the problem at all. SPARK is merely a language tool to *assist* in writing unambiguous and secure code. Bad code can be written in SPARK just as in any other language. No language, machine, or methodology can guarantee correct operation for all code. It is a fundamental limitation of expressive languages.

posted by : BB, 12 May 2009
@Martin

If your code is so marvellous then you have nothing to worry about do you? I'm not claiming that all code out there is rubbish - just an awful lot of it.

'Don't diss <my ' - oh please! Sure, there are some great C coders out there, and maybe you're one of them, but you *know* what I'm talking about. The 'good enough' crowd (and worse). There's loads of them. UNIX was even designed that way.

Shifting the blame to <the is pure bs. This isn't about programming languages, it's about the culture of the industry. EULAs and wilfully taking no responsibility whatsoever. Maybe that's not the case in your corner of the industry, but it's definitely the case for the majority.

So am I to assume by your argument (as your business is obviously so representative of the market at large) that all embedded software is marvellous? Three words: "Mobile Phone Software".

posted by : Ben, 12 May 2009
Really?

given how slap-dash this business really is

Speak for yourself. If you write code for embedded systems then you're already responsible for it working -- you can't just throw up a dialog box and make the problem the user's.

Don't diss 'C' either. It's what used to be called (in the old days) a "systems programming language". It was never designed as a tool for applications development. The real coding nightmare out there is badly written C++ -- there's tons of it, it's basically spaghetti with a gloss of respectability. Nasty stuff, and few of the coders have a clue what it's doing.

posted by : Martin, 12 May 2009
Would be nice, but never gonna happen

One of the projects I've been involved in for 5ish years is a relatively complicated piece of simulation software. Around 70k lines of C++, some of it very complicated low-level stuff. Would you like to know how many bugs and crashes have been reported and/or found in the last 5 years of the production releases? Zero if you exclude UI spelling mistakes. Now, while there aren't millions of people out there using it, it gets a pretty good working over by those who do.

How was this done? From the start, the code was written to precise specifications. Every function had documentation specifying exactly what it did, what it changed, etc etc. Then you build upon this - once you know exactly what the existing functions do, it's possible to be pretty sure that a new function is operating correctly. It was built from the ground up to be reliable and correct. While there are bugs and mistakes made during development (we're human, after all) they get picked up either by tests or by code review of new features prior to release. Interestingly, as a combination of the reliable nature of the code, the stringent testing, and the complexity of some of the code, we've come across dozens of compiler and library bugs. GCC 3.x is so bad that we've simply given up trying to work around all the issues and just tell the users to use some other compiler.

Of course, you can't take an existing piece of software and fix it to get this level of bug-free-ness. So the EU is going to come under extreme pressure from most of the large software developers who can't get the stable foundations without a complete rewrite of their products.

Now I'd love to live in a world where my phone didn't crash every so often, where games were actually playable before the first patch, and where compilers didn't die with "internal compiler error" when you hand them complicated source code. But that world needed to be born 30 years ago. There's just far too many companies with vested interests in existing buggy code for any push for reliable software to succeed.

posted by : Cynic, 12 May 2009
@ Sean Baggaley

I hear ya, and I actually agree with you. But you know that "ideal" situation can only occur at well established companies. That is just not a reality for the fledgling or upstart company.

This is an unattainable goal for 90% of the coding companies out there. Hell Linux can't even do it and their code submission standard is "when you get time." So even in a no pressure environment, bad code still makes it in.

Hell I can't even get Visual Basic to compile something bug free so how we expect humans to do it better is a big quandary for me?

Not trying to be a jerk, really. If someone figures this one out. Please shout to the heavens about it because I'd love to know how it got done?

posted by : Axiomatic, 11 May 2009
About damned time. Pt. II.

"People don't intentionally write bad code, they write bad code because of having short, forced deadlines that management and marketing decide is good enough to ship."

You've just contradicted yourself. By your own admission, people DO intentionally write bad code, precisely BECAUSE of those poor management practices. (Marketing is also under management's control.)

Poor management and poor design are major problems in this industry. Marketing people come up with long bullet-lists of features and developers race to implement them. However, by changing the focus to stability and quality, the EU would rid us of this pointless race. (Seriously, how many more knobs and buttons does a word processor need?)

Gone will be the days of feature creep. Instead, marketing people and managers will focus on UI tweaks, optimisations and stability. (In fairness to Microsoft, they shot themselves in the foot by supporting an open hardware platform, which causes most of their customers' woes. Most Windows crashes are due to third-party drivers and apps, not to Windows itself. Here's a clue to the OSS people: It's open *STANDARDS* which matter. Source code is utterly irrelevant to most users.)

Yes, the EU's demands would mean more closed platforms. So? Who CARES what the labels on the damned chips inside the shiny, shiny case say? Most dedicated gamers buy dedicated, *closed*, games consoles! Do they complain they can't run a PS3 game on their DSi? No!

The PC architecture is an accident. It's the VHS of standards: it succeeded because it was cheap, not because it was any bloody good. The Commodore Amiga was doing thousand-colour, hardware-accelerated graphics on a multitasking GUI before even Windows *3* was born. And for a tiny fraction of the price.

And, for the last bloody time, IT IS POSSIBLE TO WRITE BUG-FREE SOFTWARE. Yes, it costs more. Yes, it's *hard work*. That's because so few people can do it *right* that the tools are still in their infancy. The EU's proposals would *change* that! QA tools will become hot property. Companies will rise to the challenge.

And software will be *better*.

posted by : Sean Baggaley, 11 May 2009
idiots

So now no one can develop a software that can be licensed as "AS-IS"?? Ask those morons to produce an OS which is 100% bug-free. I know what all this will lead to - software developers will stop selling their products in EU altogether. EU has started being too stupid. Charging MS for including IE with their OS? So now you can't even give freebies with your product? What about Apple? Don't they bundle Safari? And what about MS paint and wordpad and calculator and iPhoto and iTunes? And now planning to hold software makers responsible for bugs? They're idiots.

posted by : ssj4Gogeta, 11 May 2009
EU, put your money where your mouth is.

EU needs to put their money where their mouth is.

If the EU can produce themselves a complex software product that is 100% bug free then they can go ahead with this legislature. But until they prove that this can be done they need to shut the fuck up about things they don't understand.

People don't intentionally write bad code, they write bad code because of having short, forced deadlines that management and marketing decide is good enough to ship.

So if anything, management and marketing need to be in jail, not the coder.

Oh and EU, you sound like idiots. Seriously yo?

posted by : Axiomatic, 11 May 2009
the one that proposed that has no clue about software

there is no software on the entire world that has no bugs and is 100% secure, even the software the military and intelligence is using is buggy and unsecure like hell.

the private sector would not be able to afford any kind of software anymore, except for enormously expensive off-the-shelf products(with bugs and being insecure, but they have a very expensive insurance for that), customized software would be a no more in the private sector

posted by : some, 11 May 2009
No innovation, higher cost

I agree with Sheldon, basically.

Consumers don't want to pay for properly engineered software - they want to pay for something that is 'good enough' and minimal cost.

Whilst the software industry does need to grow up, a large amount of blame can be placed at the feet of the market/consumers. Expect innovation to dry up too, as any change will cost significantly more than it already does.

posted by : Peter Kay, 11 May 2009
buggy software

I think if software is buggy the company should fix it by releasing new software/update.

There are a lot of hardware companies releasing drivers that don't work so good and never release updates.

There is a lot of software out there that people buy and has a few bugs and the companies never address them, and instead release a new product that they expect you to pay for.
If that bug affects your productivity in any way, or if that bug stops you from doing your work properly I don't see why it shouldn't be fixed.

But then again what happens if a game maker releases a game with a pixel glitch in the game? Will this law make the gaming company liable for the small visual glitch?

posted by : Sheldon Irving, 11 May 2009
hmmm

I kind of agree with some software makers being responsible for their software, but the problem is when people hack things like Microsoft Windows, their actions of hacking is out of the normal scope of the application.

I don't see how companies can be responsible for people hacking their software.

Now if you buy a security software and it is a joke, that's a different case.

The way I look at it, you are paying $100-$200 for windows in the sh**ty form it is in.

If the software was 100% error/bug proof I am sure that same software would be $300 or more. Mission critical applications/business products are always more money.

Now still this law would be hard, because windows runs on a wide range of hardware. And new hard drive is coming out all the time. I don't know how anyone can guarantee that the software will run 100% when hardware can be buggy, and drivers can be buggy.

I think software manufacturers should be responsible for their software for a certain degree. But in reality software is like a complex equation, there are just too many variables and to predict the total outcome is sometimes impossible.

posted by : Sheldon Irving, 11 May 2009
Yes to the EU !

I like it I like it. But this should only apply to software that cost money. If you have to pay for it you should get what you paid for! This should not apply to freeware or free open OS because nothing paid, is nothing lost and use it at own risk.

I think the EU has a great idea and taking responsibility to help protect the consumers money from shoddy workmanship sounds great to me.

Hopefully this will apply to Hardware vendors that write crappy nonworking drivers like Creative and others.

And motherboard manufacturers that release products with junk Bios with advertised board features that don't even WORK...like talked about and proven here -- http://www.anandtech.com/mb/showdoc.aspx?i=3471

Read the first page from link above sub heading: BIOS Ridiculousness: Everyone Say, "Thank You Gary" ...and then read the next part: Testing Ridiculousness.

This is a great example of how manufacturers now take your money first and worry about problems later. Hmmmm come to think of it...I guess they just copy the Windows Market Strategy.

PLEASE EU make these greedy suckers RESPONSIBLE for once!

posted by : consumers R us, 11 May 2009
Open Source

Banging on about open source is a red herring. Although I write open source code myself, if we want to compare ourselves to standards in other industries (which is what this is really all about), it is irrelevant. After all how many 'open source' cars etc. are on the market?

In a sane world, commercial companies could come to a reasonable arrangement with those providing open source libraries etc. (payment, payment in kind, whatever).

However, the biggest problem will be the dishonesty of software companies. They are so used to selling slip-shod goods and getting away with it, they will try anything to get around any legislation.

And now we are onto a conversation about corrupt multi-national corporations in general, so meh, whatever!

posted by : Ben, 11 May 2009
End of open source?

As a software developer of quality works, I think this is the most asinine law proposed to the software industry.
If this passes, open source will shutter its doors the day this goes into effect. This law will require a not-for-profit industry to guarantee what it cannot, since they would need to pay additional folks to QA their works before it ever reached the end users' hands. You can also watch as all new software stops being released, all innovation is stopped or the perpetual Beta becomes the norm. Don't expect Google to EVER produce any software that comes out of BETA and expect to wait 5-7 years for new releases of Windows. Expect Apple to do quite well, since it has a closed platform already - expect it to become more closed. Also, expect the rise of closed-systems popping up everywhere because it is only in those systems that there will EVER be a guarantee of a set of operations that won't cost 3-5x the current cost of software.

Beware of this, ye regulators - you might just get what you want. When that day comes, demand for my skill will skyrocket and I will make approximately 2-3 times what I do now, because I will be in high demand.

Thanks EU!

posted by : Max Weber, 11 May 2009
completely useless?

Sounds for me like someone tries to square a circle. Already finding out who is responsible if a problem surfaces is a daunting task if you have thousands of programs installed and BEFORE you think about a tampered system...

posted by : abc, 11 May 2009
About damned time.

Software developers clearly aren't capable of putting their own house in order; if anything, the reliability and stability of software has been getting worse, not better.

I spent years as a programmer myself and used to pride myself on the quality of my work. I would stand by it and guarantee it. (I used to write games back in the days of the Spectrum and Commodore Amiga.)

When I realised it was no longer possible to do this -- due to the need to rely on layer upon layer of other people's code (none of whom were willing to guarantee the quality of their work) -- the attraction of programming melted away. I actively *hate* it now. There's really no excuse for such shoddy workmanship and insulting EULAs.

It *is* possible to guarantee code quality and get it right -- the ADA-based "SPARK", for example. However, the continued reliance on dumb, flat text files and other 1960s-era tools are part of the problem. (Any computer scientist who thinks inventing yet another programming language is a 'solution' needs to be taken out and shot.)

Another problem is the rise of the FOSS movement, whereby support is treated not merely as *a* revenue stream, but as the *only* revenue stream. This actively *discourages* design and software quality -- there's no money to be made in FOSS which is beautifully designed, is totally stable, and works entirely as advertised, out of the box.

The EU are doing the right thing. Whether they'll implement it well is another matter -- the EU has compromise designed-in -- but the intent is one I wholeheartedly agree with. It's about damned time the development industry grew the f*ck up.

posted by : Sean Baggaley, 11 May 2009
It is about time....

I've been in the end user support for years and I have been seeing a law like this coming for years.

I have always felt that the software industry has never been accountable for their products.

Don't get me wrong it is impossible to make 100% perfect code but I do see that flaws that have been discovered rated as critical will now be a forceful fix and there should never be critical bugs/flaws that will sit for years and never get patched.

I don't believe that the EU will force perfect code since there are plenty of products in the physical world that aren't perfect. This law will definitely help in getting companies like Microsoft to write new code that is not vulnerable to old hax. Ever wonder why there are flaws that affected Windows 2000 and affect even Windows 7 which is not released, yes the old hax need to be slightly adapted for the new OS but it is using an old flaw which MS brings to every new version of windows released.

Billions are lost every year because of shoddy software and IT practices. Hey this may force IT to actually be accountable now and hiring the fresh out of highschool $8/hrs who can only click next, next, next, finished and think they are techs may no longer happen.

It is inevitable that this would happen it only took a few trillion dollars lost before something like this came to be.

posted by : db, 11 May 2009
About Time

Yes, we're well aware of all the whinging that will result from this proposal from all the C and Perl coders out there!

Maybe if software companies were liable for their products, the industry could finally grow up. Any emphasis on quality can only be a good thing, given how slap-dash this business really is.

posted by : Ben, 11 May 2009
Software Quality Control

I applaud the EU's efforts to force software vendors to address quality issues.

I guess all you lazy code monkeys who don't want to bother with QA because it's just not fun will have to learn how to play in the REAL world. Or should we all just continue to be held sway by your greed-generated opinions?

If you won't stand behind your product, then we as a society have every right to FORCE you to in order to protect OURSELVES. Otherwise, go away and leave us alone.

posted by : Rich Wargo, 11 May 2009
Impossible

No software developer can guarantee 100% security, it's impossible to do, and insane to suggest it.

Politicians, eh?

posted by : Iain, 11 May 2009
@Wandering

They actually do already?... engineers too.

posted by : Joe, 11 May 2009
And next....

Great idea! Now they need to extend it to Doctors and Lawyers and Judges and Teachers and ....

posted by : Wandering, 11 May 2009
Not good

If Microsoft would be responsible for all their bugs, there would be weekly public executions...

posted by : Deimios, 11 May 2009

EU wants software makers responsible for code
