[Cerowrt-devel] some comments from elsewhere on the lockdown

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Sep 30 15:56:59 EDT 2015


On Fri, 25 Sep 2015 22:40:02 +0100, Dave Taht said:

Sorry for the late reply...


> 2) Mandate that: the vendor supply a continuous update stream, one
> that must respond to regulatory transgressions and CVEs within 45 days
> of disclosure, for the warranted lifetime of the product + 5 years
> after last customer ship.

This needs to address vendors going out of business, and also corporate
acquisitions.

Bonus points for explaining how to deal with a CVE against hardware that's 7
years and 10 months out of production (3 years warranty + 5) - that requires a
hardware engineering change to properly close.

(I once got my chops busted by somebody from the GNU project over clause
3b of the GPLv2:

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

Apparently, they were of the opinion that the mere fact that I might
die of a heart attack a year after distributing something doesn't
excuse me from complying.)


