by eropple 2453 days ago
> the only other real possibility is to legislate that such updates be made available for N years as part of the purchase conditions

I am unclear why this is not the preferential solution here. "Don't sell lemons" is a societal good.


Laws requiring that consumer electronics not be effectively disposable are also a net good for the environment as well. I'd like my router to have active cooling (so it doesn't self destruct from heat) and run an open source firmware that will survive longer than a single manufacturer may be willing to maintain it. (They all can jointly contribute.)

Phones should have some level of modularity and repairability, so they can last a multiple of their present service life. (Think smaller scale standards like in desktop PCs.)

We would need stronger consumer protection laws and regulations around defective products. My car’s manufacturer just fixed my 10 year old airbag for free, presumably not out of the goodness of their hearts but because they are required to.

They're not necessarily lemons at the time of sale though. In general, we don't legislate that products need to be upgraded and maintained after they're sold. (Yes, there are lemon laws and warranty requirements for defects--which are at least related.)

However, how would you feel about legislation that required five years of dealer service to be included with every automobile sale? Or other products in a similar vein?

There is an idea of harm to the ecosystem/society with unpatched IoT and other network devices though. So perhaps a heavy-handed approach is justifiable.

They were lemons at time of sale, though, we just didn't know it yet. Between that and the ecosystem/society argument, I think it's a no-brainer.

> However, how would you feel about legislation that required five years of dealer service to be included with every automobile sale? Or other products in a similar vein?

This analogy doesn't work for me; software bugs are defects, they aren't something getting old and falling apart. I think that a defect in an automobile should be repaired at manufacturer expense whether it's a year old or twenty.

The operative difference is that intelligent adversaries are not coming up with new and better methods of making your bumper fall off.

The economics of providing 5 years of defensive patching on a $100 device simply does not work.

Maybe they need to stop shipping a dozen different $100 models with wildly different specifications and come up with a common platform to reduce support costs, like most other industries.

Support costs increase as fragmentation does; if things were sold at a reasonable price and without dozens of variations it would be more feasible to maintain longer supported life cycles - but these companies have no incentive to think beyond the next quarter’s earnings call.

> The operative difference is that intelligent adversaries are not coming up with new and better methods of making your bumper fall off.

Not yet.

Then maybe they shouldn't be able to make a profit on doing society wrong in the medium or long term.

It drives prices up in equivalence with subscription pricing over the typical lifespan.

(i.e. not obviously better or worse)

Subscriptions are ongoing cash-flow. There's no reward to doing a good job, and there's only a perverse reward to not doing a good job--it keeps people subscribed.

Frankly I think the better option might actually be the reverse: a mandatory payout to every customer for every nontrivial security defect. Not sure how you'd adjudicate it, so it's pie-in-the-sky, but take it out of the realm of the class-action lawsuit and see how serious these manufacturers become about correctness.

Businesses fear only the big stick; it should be swung on the consumer's behalf.

Right. There are differences in incentives and how easy it is to make receiving updates mandatory or the default. But it's reasonable to assume that, however implemented and legislated, everyone ends up--from a financial perspective--having to pay for an ongoing support subscription.

Can you explain to me how a subscription, for which only subscribers get fixes, is not a perverse incentive to ship broken software?

Normal software has an argument towards subscriptions if it's adding features. But routers shouldn't be adding features. Routers should be fixing bugs.

Companies seem to be doing a pretty good job of shipping broken software today without the perverse incentive of a subscription.

Companies do buy subscriptions for older software even though they may only be getting security fixes at this point.

That said, I do think bundling longer-term updates into the cost is better insofar as it means buyers don't get a choice to just use the unpatched software. But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

> But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

Sure. Hence the use of a very big stick.

The lack of restraint on bad actors is a societal problem, not an economic one.

Of course, it's a big stick for both vendors and users. Vendors need to patch the software for N years (or whatever) and, given a competitive market, users have to pay for it.

Maybe the manufacturers would figure out more efficient solutions given incentives that encouraged them to do so. For example, they might decide it’d be more efficient to use OpenWrt than to do separate security maintenance for N incompatible closed platforms.