And to answer your question more directly, the flour itself causes the damage. The vulnerability is only damaging if a malicious actor takes advantage of it.
Food safety practices only became standardized after regulation was enacted.
> pre-approved and comparatively trivial recipes
That sounds like most software development.
I think you are unwittingly making the case that software development is a lot like food production. Software development is only beginning to get regulated because it is only now reaching the level where it is hazardous to public safety, unlike food production which reached that a long time ago.
Because you actually can standardize them. Software isn't so simple.
"> pre-approved and comparatively trivial recipes
That sounds like most software development."
Lol no that does not. Why wouldn't high school graduates or drop outs work in software instead of at fast food? The number of languages, frameworks, patterns, etc are much more complex than basic sanitation and time/temp/acidity.
It isn't simple due to choice, not due to the nature of software. Software is relatively simple compared to other meat-space engineering disciplines. Software engineering is an relatively immature engineering discipline, but it is implicated in enough safety critical systems these days that it is about time to start maturing.
It will be painful but I welcome more software regulatory standards, because it is necessary for our trade to mature.
For example, one might require some software to undergo various degrees of planning, testing, analysis, support, documentation, etc.
Right now, the amount of planning, testing, analysis, support, and documentation required by law is generally zero. This might be fine for someone's hobby project, but it is not okay for software that human lives depend on.
I personally think that any criteria that SQLite and Curl can't pass is too strict.
On what basis do you make this claim? If you do the same degree of optimization in software that is routinely applied in physical engineering disciplines that have some of most complex system dynamics problems, such as chemical engineering, the dynamics of software systems are qualitatively much more complex. We expect chemical engineering to design systems that asymptotically approach theoretically optimal efficiency along multiple dimensions. In software we rarely see anything approaching similar optimality except for small and exquisitely engineered components that are beyond the ken of most software engineers. In large software systems, the design problem is so complex that computational optimization to the degree we see in physical engineering is completely intractable, so similar approaches do not apply.
In chemical engineering, the measure of system complexity is roughly the size of the system of differential equations the govern the total dynamics of the system. Computers then solve for the system, which can be computationally intensive. We do this routinely, with some caveats. An optimal design is not computable but we can get asymptotically close via approximation.
In software engineering, the equivalent would be formal optimization and verification of the entire program. The complexity of doing this for non-trivial software is completely intractable. Software has so many degrees of freedom compared to physical systems that they aren’t even the same class of problem. It is arguable if it is even possible in theory to achieve similar degrees of design robustness and efficiency that we see in physical engineering systems.
Unlike physical engineering, where a computer takes a set of equations and constraints, crunches numbers, and produces an approximately optimal design, no such thing is possible in software.
A regulator doesn't really care about the internal complexities of an LLM and whether or not that is more difficult than cracking petroleum. They care more about how those things interact with the rest of the world. Software is pretty limited in how it interacts with the rest of the world.
How does someone know that a particular application is something lives depend on? Either your lawyer, insurance company, or regulator explicitly tells you.
Why? I don't know. Is the medical world just messed up? Or is there something wrong with licensure?
Seems like you are over simplifying the process and goals of those creating new regulations and law makers often have to care about the internal complexities because they care about the consequences new regulations will have.
When a law maker is making regulations for an industry they should care about the internal complexities since that determines the long term effects of the regulation. Law makes should care if new regulations kill small businesses or, in an extreme case that is not happening with the CRA, kills of an industry, since that effects the economy of the the country they are law makers for in addition to directly impact people represented by those law makers.
To make an analogy to the physical world. We have a company, B, that makes bolts, they publishes the characteristics of that bolt but do not certify it for any particular use.
Company C makes cars and decides to use bolts form company B. It turns out that is not a good choice since company B bolts do not have the characteristics that are need to use in a car.
The CRA from the a simple reading used in the discussions here[1], holds company B responsible for company C using the bolts in a way where peoples lives depend on it.
This sort of reuse can be much more common in software than it is bolts for example and just like company B did not control how company C used their product after buying it open source developers do not control how others use there software but CRA might make them liable for it.
This does not make sense to me, company C should be liable for their choice of bolt, company B should be liable for any false or incorrect claims for the characteristics of their bolt. Company B should not be held liable for the misuse of their bolt by company C which is what the CRA seems to do.
[1] >>38788919
Our profession is still in a very early stage, sort of like the era of barbers performing surgery.
They will seek feedback from industry experts to determine if their rules should be refined, which is what is happening. The details of any internal complexity of an industry is entirely delegated.
I agree with what you're saying. I don't have enough of knowledge of EU law or the full text of the CRA to make a judgement about it specifically. I was just sharing my point of view on software regulation generally.
> Company B should not be held liable for the misuse of their bolt by company C
Putting aside this specific analogy, but on this topic: I do generally think that implied warranties are a good thing, and I don't think it should be legal to disclaim them in all scenarios. Most other professionals are held to professional liability standards, and it is expected that they follow certain basic standards when they practice.
Consider basic best practices, like testing and documentation. It probably is fine if a hobby video game developer doesn't do these things, but if you are putting out software that claims to be intended for "enterprise" or "commercial" use, it is certainly reasonable for others to expect that this software is "fit for this particular purpose", and was built with good software engineering methodology.
I do think it shouldn't be permissible to hide behind a shrink-wrap liability disclaimer when publishing software claimed to be of "commercial" or "enterprise" quality that doesn't even meet basic standard of rigor.
What software really needs right now is a standardized way to measure development quality, and some legal guardrails around standards for dependency management.
We may be working with different definitions here. If they did not care they would not delegate away the details of the internal complexity.
I am not sure that "commercial" or "enterprise" implies anything in terms of quality or should. "enterprise" for example is defined as "Enterprise software, or enterprise application software, is computer software used by organizations rather than individual users." by the following aws page[1].
Aerospace software already has to follow aerospace regulations, medical software already has to meet medical regulations.
Holding a company responsible for selling software with implicit claims but a liability disclaimer makes sense to me. Clarity in contracts, advertisements, terms of service, and similar makes sense. The CRA currently seem to to hold non commercial entities or individuals who are not making claims and explicitly going out of their way to disclaim liability responsible. That does not make sense to me and seems counter productive to the goal of safe software as well as a productive economy.