by tibbon 1820 days ago
Right - if the hardware is no longer selling (due to missing sales targets) then there's little incentive for the companies to still invest significant resources into maintaining it. Of course one option would be to open source it entirely and turn it over to the community for long term support, but the companies like holding onto whatever little bits of IP they can (even if they are largely just implementing open source software to begin with, and nothing super special).

This is a problem. I don't know the solution, except that companies should really commit to LTS support of things no matter the sales targets.


> This is a problem. I don't know the solution, except that companies should really commit to LTS support of things no matter the sales targets.

The EU and US could mandate that all products sold in the EU/US have their firmware source code, working toolchain as a virtual machine image and all relevant documentation (including SoC docs, BOM and schematics, as well as case and other parts' 3D specs and any digital certificates and private keys) be held in trust at the national public libraries. When the manufacturer ceases to support the device - including not fixing critical security bugs at 90 days post disclosure - the complete archive is released to the public as open source.

Additionally, the US and EU could mandate that any Internet connected device's firmware as well as its development process must pass an audit at certified organizations such as TÜV or UL. We're doing this for electrical and gas appliances already due to the risk these things pose to the general public, it's time to do the same for IT.

Products developed as open source can be exempted from the audit requirement to incentivize open source development.

I've had similar ideas, but with IP/DMCA rights/enforcement being conditional on depositing keys and source code with the Library of Congress, to hold in a sort of public escrow. Maybe even require it for FCC certification, or for courts to recognize/enforce EULAs or other claims.

If you want to enjoy the public protections of IP, the public needs to get a copy of source code and meaningful device access, upon whatever definition of un-patched software or device abandonment.

Obviously there's a lot to work out, but philosophically, I like the idea better than introducing new jurisdictions of regulatory power, especially when the relief sought should already be attainable under the public contract made in seeking government enforced IP protection.

> Obviously there's a lot to work out, but philosophically, I like the idea better than introducing new jurisdictions of regulatory power, especially when the relief sought should already be attainable under the public contract made in seeking government enforced IP protection.

Putting your code into escrow does not imply it's going to get audited or that it was developed under somewhat reasonable conditions (aka with code reviewing and testing).

We have seen way, way too much damage, to the tune of billions of dollars and everybody's personal data ending up in hacks "thanks" to shoddy software now; it's a matter of national security to create and enforce regulations.

Maybe we can create exemptions for small companies and startups, but as soon as you hit 10k users in general population you should have at least basic security processes implemented.