On Fri, 25 Sep 2015 22:40:02 +0100, Dave Taht said:

Sorry for the late reply...


> 2) Mandate that: the vendor supply a continuous update stream, one
> that must respond to regulatory transgressions and CVEs within 45 days
> of disclosure, for the warranted lifetime of the product + 5 years
> after last customer ship.

This needs to address vendors going out of business, and also corporate
acquisitions.

Bonus points for explaining how to deal with a CVE against hardware that's 7
years and 10 months out of production (3 years warranty + 5) - that requires a
hardware engineering change to properly close.

(I once got my chops busted by somebody from the GNU project over clause
3B of the GPLv2:

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

Apparently, they were of the opinion that the mere fact that I might
die of a heart attack a year after distributing something doesn't
excuse me from complying.)

_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel