Hi Lukas,

Thanks for your reply. Based on your response, as well as the other responses here, it seems like the structure of this clause is non-problematic.
However:

On Thu, Aug 22, 2019 at 3:14 PM Lukas Atkinson <opensou...@lukasatkinson.de> wrote:

> However, that 90 day window is awfully long... In the context of a source
> distribution requirement, a full 90 day embargo is unnecessarily long. At
> that point where a fix is first deployed by an operator, the issue has
> already been fixed and only distribution of patches to all operators
> remains to be done. It is in the interest of all users that this happens as
> expediently as possible. The only advantage that a long source embargo
> period would have is that an insider operator could deploy mitigations
> before a proper patch is available, but this still leaves the wider
> community vulnerable.
>

I see this point. Having been inside a SaaS vendor, though, I am sometimes astounded that anything gets done at all. My thinking is that conforming with "standard" timeframes is most likely to encourage proper behavior by vendor/operators, even if it would not be ideal in isolation - thus increasing welfare on average.

We could also do something like 60 days, which is shortened, but still long enough to allow for slow corporate processes.

Thoughts on this response? Also, any thoughts from others?

Thanks,
Van
_______________________________________________
License-discuss mailing list
License-discuss@lists.opensource.org
http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org