From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <Valdis.Kletnieks@vt.edu>
Received: from omr1.cc.vt.edu (omr1.cc.ipv6.vt.edu
	[IPv6:2607:b400:92:8300:0:c6:2117:b0e])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by huchra.bufferbloat.net (Postfix) with ESMTPS id 9AAE921F2D8;
	Wed, 30 Sep 2015 12:57:09 -0700 (PDT)
Received: from mr3.cc.vt.edu (mr3.cc.ipv6.vt.edu
	[IPv6:2001:468:c80:2105:0:2b9:e1ff:8be3])
	by omr1.cc.vt.edu (8.14.4/8.14.4) with ESMTP id t8UJv5g9026818;
	Wed, 30 Sep 2015 15:57:05 -0400
Received: from auth1.smtp.vt.edu (auth1.smtp.vt.edu [198.82.161.152] (may be
	forged))
	by mr3.cc.vt.edu (8.14.4/8.14.4) with ESMTP id t8UJuxcI017119;
	Wed, 30 Sep 2015 15:57:04 -0400
Received: from turing-police.cc.vt.edu
	([IPv6:2001:468:c80:2103:c013:a846:19ac:7baa]) (authenticated bits=0)
	by auth1.smtp.vt.edu (8.14.4/8.14.4) with ESMTP id t8UJuxVF015274
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO);
	Wed, 30 Sep 2015 15:56:59 -0400
X-Mailer: exmh version 2.8.0 04/21/2012 with nmh-1.6+dev
To: Dave Taht <dave.taht@gmail.com>
From: Valdis.Kletnieks@vt.edu
In-Reply-To: <CAA93jw7FrGr+GCuNnOh6ugGrA_81KN07+s6zTenuMX56pG_vzg@mail.gmail.com>
References: <CAA93jw7BwXeHhftQy9CGWxVB5Mwxs5MLQjDXz2tHPVsL4Db+hQ@mail.gmail.com>
	<49d53a3e-b7a0-4069-a87b-d9778bb8a229@reed.com>
	<CAA93jw7FrGr+GCuNnOh6ugGrA_81KN07+s6zTenuMX56pG_vzg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1443643019_2322P";
	micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Wed, 30 Sep 2015 15:56:59 -0400
Message-ID: <16684.1443643019@turing-police.cc.vt.edu>
X-Spam-Status: No, score=-0.0 required=5.0 tests=T_RP_MATCHES_RCVD
	autolearn=disabled version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mr3.cc.vt.edu
Cc: make-wifi-fast@lists.bufferbloat.net, fcc@lists.prplfoundation.org,
	"cerowrt-devel@lists.bufferbloat.net" <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] some comments from elsewhere on the lockdown
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 19:57:32 -0000

--==_Exmh_1443643019_2322P
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

On Fri, 25 Sep 2015 22:40:02 +0100, Dave Taht said:

Sorry for late reply...


> 2) Mandate that: the vendor supply a continuous update stream, one
> that must respond to regulatory transgressions and CVEs within 45 days
> of disclosure, for the warranted lifetime of the product + 5 years
> after last customer ship.

This needs to address vendors going out of business, and also corporate
acquisitions.

Bonus points for explaining how to deal with a CVE against hardware that'=
s 7
years and 10 months out of production (3 years warranty + 5) - that requi=
res a
hardware engineering change to properly close.

(I once got my chops busted by somebody from the GNU project over clause
3B of the GPLV2:

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

Apparently, they were of the opinion that the mere fact that I might
die of a heart attack a year after distributing something doesn't
excuse me from complying.)


--==_Exmh_1443643019_2322P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Exmh version 2.5 07/13/2001

iQIVAwUBVgw+iwdmEQWDXROgAQLLBg/8DRZoGTbTK7r4dwM+qOea/UDvown9r17R
UpnXIH6VU+mCvbRhcrViGbeSI7W5p48IxDXEy+kmFE5FgaKIaAh6Cnzlefe4w3ky
YSe7NZNkXM7dMIIc+MEHpjiqqyAH4LFp+pKC3jd35HAx52gLiJ/ETPHvsS3Z4cU9
5aBlI2fwoSgvpbrJ/41dE1Wa49WJDDn/GQ57y9rm0poocMenv0gAsEoUY2UTqsel
1qhh+i3r3yzLuBKGiNoRjOokb8eOJgP7PSxvhS7CkvL7Cp0VbbHOlry5ifdAhAGC
bVP95yG3IGMwRav2tk/4K9fnVgnBKZAIwBQElenkIc7km+Qd6FwMNxBBiTt/3nVx
05z/W1Kx+Q4rINhAMnPSSpKQxJIA6FtbqDLv5oTL5lBDoNS+qY1LIu3EfhMWvPyF
NQvEhmTqSG75gRaSnhiLf/IQyPGQJ5f9eIWSWUMAgN96drIugqRJVHFnRGVvRc9H
CEm05nDO3wtP7nDuNcrJ6E9JrwhDbpTGKWaTX1Qbv43nfBLoi86b1oylY59yAbSN
8G/xqs/Ouq0pAYxC/4Ao0RoK4xmrcK5Kv6oNJSOTEBAARL69XI/P+JUAnIh4jV8T
tghNJRyo8vWyL0t5oBd/bn9VelxJkFt0PDq7kh4vOci8B0d7olraGx62X085ubkB
1JyJYECdnhk=
=GqkW
-----END PGP SIGNATURE-----

--==_Exmh_1443643019_2322P--