On Thu, Aug 22, 2019 at 11:35 AM Thorsten Glaser <[email protected]> wrote:
> > It might address the topic, but I have a really hard time wrapping
> > my head around all the restrictions and terms used.
>
> You mention that it must be necessary for people to get the patch.

That is this part:

> You may delay providing the Source Code corresponding to a particular
> modification to the Work for up to ninety (90) days (the “Embargo
> Period”) if...

This is permissive. It does not *prevent* people from sharing the patch, it
just adjusts the timing. So there would be no problem with providing the
patch to a user, nor that user putting the patch into production during the
embargo period.

Now, most of the language is about avoiding gaming of the provision:

> a) the modification is intended to address a newly-identified
> vulnerability or a security flaw in the Work,

This must be a *new* security issue. You can't withhold non-sensitive
patches, and you can't withhold patches for old issues.

> b) disclosure of the vulnerability or security flaw before the end of the
> Embargo Period would put the data, identity, or autonomy of one or more
> Recipients of the Work at significant risk,

The security issue must be significant enough to put people at risk. Not
every patch, nor even every vulnerability, would suffice.

> c) You are participating in a coordinated disclosure of the vulnerability
> or security flaw with one or more additional Licensees, and

The focus of this is allowing coordination of operator-users. It doesn't
allow unilateral withholding of the source by a single operator-user. If
there is only one operator-user, they can just roll out the fix! No need to
coordinate.

> d) the Source Code pertaining to the modification is provided to all
> Recipients at the end of the Embargo Period.

This doesn't change the requirement to provide source code, it just
temporarily modifies the timing.

Thanks,
Van
_______________________________________________
License-discuss mailing list
[email protected]
http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org
