[License-discuss] Coordinated release of security vulnerability information.

VanL van.lindberg at gmail.com
Sat Aug 24 01:07:10 UTC 2019


Hi John,

Thanks for your input.


> I'd be a little worried about what people might define as a "fix". Is
> there any opportunity there to shoehorn other things into that category
> / what's the check on that? Since many companies have over the years
> called things security fixes or bundled things with security fixes that
> are either clearly not or that very much depend on who is defining both
> "security" and "fix".


I am very worried about that too. That is why most of the clause is
limitations designed to prevent gaming of the provision:

- It has to be new
- It can't apply to all modifications, only to a "particular" modification
addressing a security vulnerability
- It has to significantly affect a user
- It has to be part of a coordinated release with others (so it isn't just
one licensee's idea of a "fix")
- And it doesn't prevent sources from being released, it just delays them
by a set amount of time

But I would be open to any other anti-gaming provisions as well.

Thanks,
Van