* Scott Kitterman:

> Sorry, I can't quite let this pass. I just went and looked at the
> AGPL v3 again and one implication of the license is that you can't
> locally fix a security issue without immediate disclosure. This
> doesn't fit my personal ethics at all and at least IMO makes it
> pretty unsuitable as a license for any network facing service.
But who can do that anyway? By definition, most people administrating machines do not have access to embargoed security information. Most organizations with teams who have access to such information cannot roll out patches because that would give hundreds, if not thousands, of people access to the availability and nature of the fix. This conflicts with the need-to-know principle that governs all handling of embargoed security information.

In addition, commercial software companies are usually in the services business as well (because they have cloud offerings), and thus compete to some extent with their user base. Traditionally, there is a Chinese Wall between hosted services (including its infrastructure security part) and product security, and hosted services are treated as just another customer, without privileged access, because of concerns that sharing security information internally could be seen as unfair competition (at least by the customers who pay for security support).

On the other hand, if the AGPL prevents organizations from sitting on security fixes for code they depend on because they cannot be bothered to get the disclosure process going (which can admittedly be quite time-consuming), that seems a good thing to me.

Archive: http://lists.debian.org/87fvvh48eu....@mid.deneb.enyo.de