On Thu, Aug 22, 2019 at 11:40 PM Lukas Atkinson <[email protected]> wrote:
> In the context of a source distribution requirement, a full 90 day embargo
> is unnecessarily long. At that point where a fix is first deployed by an
> operator, the issue has already been fixed and only distribution of patches
> to all operators remains to be done. It is in the interest of all users
> that this happens as expediently as possible. The only advantage that a
> long source embargo period would have is that an insider operator could
> deploy mitigations before a proper patch is available, but this still
> leaves the wider community vulnerable.

Note that the time window must consider more than a single vendor. Assume (very hypothetically) that some TCP/IP flaw is found that affects many operating systems. Linux vendors have their game together, and release fixes within a week. But Microsoft and Apple need more time. The window in CAL needs to be long enough so that the Linux vendors don't need to publish source code before Microsoft and Apple released their fixes.

In general I'd say a longer window is better here. Most will want to publish their source as soon as they are allowed anyway.

henrik
