[License-discuss] Coordinated release of security vulnerability information.

Tom Callaway tcallawa at redhat.com
Thu Aug 22 14:57:39 UTC 2019


FWIW, I think this is well structured and would address this concern
adequately.

As always, this is my personal opinion and not that of my employer or
associated communities.

Tom



On Thu, Aug 22, 2019 at 10:46 AM VanL <van.lindberg at gmail.com> wrote:

> Hello all,
>
> The following caught my eye:
>
> On Wed, Aug 21, 2019, 5:09 PM Thorsten Glaser <tg at mirbsd.de> wrote:
>
>>
>> Incidentally works covered by the AGPL are being removed from a
>> lot of institutions now due to the inability to deploy embargoed
>> security fixes. This isn’t just a licence issue, but the ability
>> to operate securely is clearly also relevant. (This was also observed
>> near Debian.)
>>
>
>
> This is a perspective that I had not considered relative to the CAL.
>
> What would everyone here think of the following exception to the CAL's
> requirement to provide source code:
>
> 4.1.3. Coordinated Disclosure of Security Vulnerabilities
>
> You may delay providing the Source Code corresponding to a particular
> modification to the Work for up to ninety (90) days (the “Embargo Period”)
> if: a) the modification is intended to address a newly-identified
> vulnerability or a security flaw in the Work, b) disclosure of the
> vulnerability or security flaw before the end of the Embargo Period would
> put the data, identity, or autonomy of one or more Recipients of the Work
> at significant risk, c) You are participating in a coordinated disclosure
> of the vulnerability or security flaw with one or more additional
> Licensees, and d) the Source Code pertaining to the modification is
> provided to all Recipients at the end of the Embargo Period.
>
>
> Good policy? OSD compliant? I think so, but would like to hear others'
> thoughts.
>
> Thanks,
> Van
>
> _______________________________________________
> License-discuss mailing list
> License-discuss at lists.opensource.org
>
> http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org
>

