Software Realm: Recall of Defective Components

\begin{PPASTA}

It is impossible to have a defect-free world. Defects are a normal part of life: they keep appearing and then going away. Defective products are usually the result of bugs, negligence, or unwanted features, and they stop being defective when new releases or patches are delivered.

Products have become complex enough that none of them consists of a single component anymore. In practice, therefore, a defect is introduced by one or more of the components used in the product.

The question, then, is about the defective components themselves: how should the recall of a defective component work outside the boundary of the products that embed it? In the case of tangible goods (for example, car parts), are retailers required to take the defective parts off their shelves? Should the same obligation apply to software retailers and repositories (for example, public Maven repositories), requiring them to remove every artifact of a defective component (say, versions 2.14.1 and below) from their shelves, that is, from download? What should the criteria be for initiating such a recall (something like a CVSS score of 10)? And would there be any liability if the retailer fails to do so?
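The recall rule sketched above (pull every published version of a component at or below some cut-off once an advisory crosses a score threshold) is mechanical enough to show in code. The Python below is an added example written for this page; it is not the author's code and not any repository's real policy engine. The component coordinates, versions, advisories and CVSS values are constructed, and the Maven-style range parsing and version ordering are simplified assumptions (Maven's real ComparableVersion rules are richer than this).

```python
"""Repository-side recall filter (illustrative, hypothetical).

Given an inventory of published artifacts and a list of advisories, each with a
CVSS score and an affected-version range, decide which artifacts a repository
would pull from download under a policy such as "recall when CVSS >= 10".
The coordinates, versions and advisories are constructed; the version ordering
is a simplified assumption, not Maven's full ComparableVersion algorithm.
"""
import re
from dataclasses import dataclass

# Dotted numeric part, optionally followed by a qualifier such as -rc1 or .Final.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([0-9A-Za-z.]+))?$")
# Maven-style range: "(,2.14.1]", "[2.0,2.15)". Square bracket = inclusive bound.
_RANGE_RE = re.compile(r"^([\[(])([^,]*),([^\])]*)([\])])$")


def parse_version(v: str):
    """Split '2.14.1-rc1' into ((2, 14, 1), 'rc1'); the qualifier is None for a release."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Missing trailing components count as zero (2.14 == 2.14.0)
    and a bare release outranks any qualifier on the same numbers (2.14.1-rc1 < 2.14.1).
    Simplified assumption: qualifiers are otherwise compared as plain strings."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    ka = (1, "") if qa is None else (0, qa)
    kb = (1, "") if qb is None else (0, qb)
    return (ka > kb) - (ka < kb)


def in_range(version: str, rng: str) -> bool:
    """Membership test for a Maven-style range; an empty bound means unbounded."""
    m = _RANGE_RE.match(rng.strip())
    if not m:
        raise ValueError(f"unsupported range: {rng!r}")
    lo_br, lo, hi, hi_br = m.groups()
    lo, hi = lo.strip(), hi.strip()
    if lo:
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and lo_br == "("):
            return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and hi_br == ")"):
            return False
    return True


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    cvss: float
    affected: str  # Maven-style version range


def recall_candidates(inventory, advisories, threshold: float = 10.0):
    """Return the set of (group, artifact, version) the repository would pull:
    every published version of a component inside the affected range of an
    advisory whose CVSS score meets the recall threshold."""
    pulled = set()
    for adv in advisories:
        if adv.cvss < threshold:
            continue  # below the recall criterion: stays on the shelf
        for group, artifact, version in inventory:
            if (group, artifact) == (adv.group, adv.artifact) and in_range(version, adv.affected):
                pulled.add((group, artifact, version))
    return pulled


# Constructed sample data (not a real component or advisory).
INVENTORY = [
    ("org.example", "widget-core", "2.13.0"),
    ("org.example", "widget-core", "2.14.0"),
    ("org.example", "widget-core", "2.14.1-rc1"),
    ("org.example", "widget-core", "2.14.1"),
    ("org.example", "widget-core", "2.15.0"),
    ("org.example", "widget-core", "2.16.0"),
    ("org.example", "widget-extras", "2.14.0"),
]
ADVISORIES = [
    Advisory("org.example", "widget-core", 10.0, "(,2.14.1]"),         # meets a 10.0 threshold
    Advisory("org.example", "widget-extras", 7.5, "[2.14.0,2.14.0]"),  # below a 10.0 threshold
]

if __name__ == "__main__":
    for entry in sorted(recall_candidates(INVENTORY, ADVISORIES)):
        print("pull from download:", ":".join(entry))
```

Two details matter more than the threshold itself: a pre-release such as 2.14.1-rc1 has to count as "below 2.14.1" or it stays on the shelf, and whether the cut-off bound is inclusive or exclusive decides the fate of the exact version named in the advisory. Lowering the threshold to 7.0 pulls the second artifact too, which is the policy question the paragraph leaves open.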

Someone might argue that a component is always used within a product, so defective components are already covered by the cycle that addresses defective products. However, we should not forget the many products out there that are not really "products": they have no owner, and their pipelines were set up once and are no longer looked after. The problem is that some customers are forced to use these shady products because they are the only option (for example, to access a city's service). Although a retailer or repository might have no direct obligation regarding those products, it should feel obliged to protect the customers who have no other choice.

Just a thought.

\end{PPASTA}

More articles by Reza F.