[ghaff]

Right. There are differences in incentives and how easy it is to make receiving updates mandatory or the default. But it's reasonable to assume that, however implemented and legislated, everyone ends up--from a financial perspective--having to pay for an ongoing support subscription.

[eropple]

Can you explain to me how a subscription, for which only subscribers get fixes, is not a perverse incentive to ship broken software?

Normal software has an argument towards subscriptions if it's adding features. But routers shouldn't be adding features. Routers should be fixing bugs.

[ghaff]

Companies seem to be doing a pretty good job of shipping broken software today without the perverse incentive of a subscription.

Companies do buy subscriptions for older software even though they may only be getting security fixes at this point.

That said, I do think bundling longer-term updates into the cost is better insofar as it means buyers don't get a choice to just use the unpatched software. But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

[eropple]

> But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

Sure. Hence the use of a very big stick.

The lack of restraint on bad actors is a societal problem, not an economic one.

[ghaff]

Of course, it's a big stick for both vendors and users. Vendors need to patch the software for N years (or whatever) and, given a competitive market, users have to pay for it.