On Fri, 25 Sep 2015 22:40:02 +0100, Dave Taht said:

Sorry for late reply...

> 2) Mandate that: the vendor supply a continuous update stream, one
> that must respond to regulatory transgressions and CVEs within 45 days
> of disclosure, for the warranted lifetime of the product + 5 years
> after last customer ship.

This needs to address vendors going out of business, and also corporate
acquisitions.

Bonus points for explaining how to deal with a CVE against hardware that's
7 years and 10 months out of production (3 years warranty + 5) - that requires
a hardware engineering change to properly close.

(I once got my chops busted by somebody from the GNU project over clause 3B
of the GPLV2:

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

Apparently, they were of the opinion that the mere fact that I might die
of a heart attack a year after distributing something doesn't excuse me
from complying.)