I'll describe the problem by quoting Bruce Schneier in CRYPTO-GRAM,
October 15, 2000:
[In commercial software ...] "The market rewards better
capabilities, new features, and faster performance. The market does
not reward reliability, bug fixes, or regression testing. The market
has its attention firmly fixed on the next big idea, not on making the
last big idea more reliable."
Why it's an institutional problem: Economy of scale, aka the watering
hole effect. If 95% of the market is too near-sighted to see
their own need for reliability and security until it bites them, what
is the other 5% to do? Buy all custom-made software? That's
prohibitively expensive and doesn't even solve the problem; niche
stuff tends to be buggier, all else being equal. Test it all
themselves? No-one could test more than a tiny fraction of their
software themselves, and a group that seriously tried to do so would
not be a customer, they would themselves be a developer.
Why don't developers change the situation? Well, suppose they were to
release a test suite with their product. Then they'd have to really
find and fix all the bugs. That's exactly what we said doesn't pay.
And because few customers base their decisions on examining and
running a test suite, the persuasive force vs their competitors'
products is very tiny.
ISTM the essence of the problem is that these aspects of commercial
software are not transparent to most customers. Because of the mass
of myopic customers, the market provides the wrong incentives for
developers.
How could alternate institutions approach the problem?
Of course, when we're talking about managing risks whose details can't
be predicted, the first idea is always insurance.
So suppose the smart 5% customers buy some sort of software insurance.
Well, it helps them spread their risk, but it doesn't change their
basic situation. The developers' incentives are still wrong.
What if software insurance was mandatory? That'd move reliability
problems directly into the price, making them transparent (as long as
the insurer can see them, but that's their job). It would therefore
create proper incentives for developers. But that seems far more
dictatorial and maternalistic than necessary. There'd be a lot of
situations, perhaps even the majority, where it'd be more a nuisance
than a help.
So the riddle is, how can insurance not be mandatory, but still inform
the market?
One answer is to make it mandatory to announce the cost of
full-coverage insurance along with the price, even in the sense of
announcing infinite price (no-one offers insurance on it). The
customer could choose to insure it on the spot or not. Free software
could easily announce itself to be uninsured (it is anyways), and
possibly there'd be an industry of insuring free software.
In closing, this idea seems to have broader applications, but I've
focussed only on the problem Bruce Schneier described, to keep my
discussion manageable.
And I'm sidestepping any issue of free software.
-- Tom Breton, http://world.std.com/~tob
Not using "gh" 1997-2000. http://world.std.com/~tob/ugh-free.html
[To drop AltInst, tell: majordomo@cco.caltech.edu to: unsubscribe altinst]
Received on Sat Oct 21 00:34:40 2000
This archive was generated by hypermail 2.1.8 : Tue Mar 07 2006 - 14:49:12 PST