Such a clause is a good idea for copyleft licenses. Yay for license innovation! I don't think it interacts a lot with the OSD or a concept of software freedom, since it at most *delays* compliance with certain license provisions under a limited set of circumstances.
However, that 90 day window is awfully long. While this is the typical embargo period, it intends to give the vendor enough time to verify, investigate, and fix the vulnerability, and to prepare the distribution of patches. This tries to balance the vendor's ability to fix the issue with the end users' interest in being quickly informed about open vulnerabilities in the software. (My use of “vendor” rather than “community” here is deliberate: such an embargo mostly makes sense in the context of closed or at least cathedral-style development.)

In the context of a source distribution requirement, a full 90 day embargo is unnecessarily long. At the point where a fix is first deployed by an operator, the issue has already been fixed and only distribution of patches to all operators remains to be done. It is in the interest of all users that this happens as expediently as possible. The only advantage that a long source embargo period would have is that an insider operator could deploy mitigations before a proper patch is available, but this still leaves the wider community vulnerable. There's also a user autonomy angle to this: with such an embargo, end users are more secure if they don't decide to operate their own software.

I therefore think shortening that window to 30 or 14 days would be more appropriate.

On Thu, 22 Aug 2019 at 17:33, VanL <van.lindb...@gmail.com> wrote:

> 4.1.3. Coordinated Disclosure of Security Vulnerabilities
>
> You may delay providing the Source Code corresponding to a particular modification to the Work for up to ninety (90) days (the “Embargo Period”) if: a) the modification is intended to address a newly-identified vulnerability or a security flaw in the Work, b) disclosure of the vulnerability or security flaw before the end of the Embargo Period would put the data, identity, or autonomy of one or more Recipients of the Work at significant risk, c) You are participating in a coordinated disclosure of the vulnerability or security flaw with one or more additional Licensees, and d) the Source Code pertaining to the modification is provided to all Recipients at the end of the Embargo Period.
_______________________________________________
License-discuss mailing list
License-discuss@lists.opensource.org
http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org