by wiremine 1020 days ago
> either they must provide full (FLOSS) source code and documentation

I like the spirit of this, but one problem with this is that the software stack is likely not FLOSS, and the manufacturers don't own all the software.

A second problem is that a lot of the software for production IoT devices doesn't live in the device.

Third, there are safety concerns with a lot of devices that you'd need legal protections for.

Finally, the best IoT devices use a zero-trust architecture. You'd need to support a variation of this pattern to allow users to modify the devices.

2 comments

If parts of the supply chain aren't FLOSS, then manufacturers would have to lean on those suppliers to change their licensing or find different suppliers. Same with other regulations around things like lead in consumer products. Anyone wanting to be part of consumer product software supply chains would have to start offering it as FLOSS if they want any customers, so the supply chain would adjust to the new reality.

We do need to establish common sense liability if it's not already there. If you modify your circular saw to remove the guard and injure yourself, that's your fault. If you modify some software to run outside of safe design parameters and it malfunctions/injures you, that's your fault.

I don't see why zero-trust is incompatible with user-modified devices. In fact it's in line with the spirit of zero-trust: don't assume just because something is able to talk to one of your servers (e.g. because it's on your VPN/LAN) that it's friendly. People should already always be assuming customer-owned hardware will potentially be completely controlled by a malicious actor and acting accordingly.

I'm working on an IoT device for industrial use, and we're wrestling with this very problem.

The answer we're probably going to go with is that the device is 'leased' to the customer. It's part of their subscription.

This solves a ton of problems about FLOSS and support of the same. It's now a closed device, and you have no rights to the code inside. If we go out of business, you have a brick that you don't have to pay for anymore.

I think it's always better for the customer to have access to the code inside. I'll actively recommend FLOSS solutions to customers even if they're not quite as good as the competition on paper right away. Simply because a large part of the cost of industrial hardware is actually supporting it for a long time. And support is SO MUCH EASIER if you have all the source code and schematics. Of course big customers get to demand this kind of arrangement (FLOSS, escrow, or even just "give us all the paper") while small industrial operations end up paying a premium for inferior service.

> The answer we're probably going to go with is that the device is 'leased' to the customer. It's part of their subscription.

1000% wrong answer, unless you straight up front sell a service with an installer making a site visit to deploy chattels of service.

Such as satellite television or DSL internet.

When you swap handfuls over the counter before any contractual agreements, i.e. clickthrough TOS, you are selling hardware; that means user ownership.

No, we're straight up selling with a dealer/installer in the pipeline. We're not that stupid to try and sell direct to the customer these days.

I find that revealing; it seems direct end-user engagement has really stung you. Is there something other than people being people, or are there onerous requirements that are not worth it?