Yes. That all sounds reasonable. 

We DO timely releases to all (and we pre-announce so people know they’re 
coming). 

It’s just this extra category of people who get the patch separately, early. 
There’s extra overhead in that. And it removes one motivation to update. 

I’m kind of inclined to advocate the RoR approach or no pre-notification, but I 
accept the argument that in big enterprises it’s just not realistic to require 
people to keep up to date. It just feels like $$$ outsourcing work they should 
be doing without actually covering the cost of that. 

I don’t see it as pay-for-access: beyond getting pre-notification you get no 
privileges. More it’s due-diligence. Using end-of-life software is arguably 
negligent. Companies doing it just need to take on the extra costs. 

However… those are just thoughts… the wind goes the other way. No problem! 

Thanks both. 

> On 3 Oct 2018, at 11:17, Markus Holtermann <i...@markusholtermann.eu> wrote:
> 
> Can: yes. Should: no.
> 
> I would be really saddened to see companies being able to buy security by 
> throwing money at us. That makes us look like we can be bought. And that 
> sends the wrong signal, from my perspective. Timely security updates should 
> be available to everyone. 
> 
> Should enterprises sponsor the DSF, open source projects, or the open source 
> community in general: yes, absolutely.
> 
> What we could think about is something where companies above a yearly revenue 
> of US$ x need to sponsor in order to be on a pre-notification list. But the 
> moment we do that we put people's data at risk. A company that doesn't want 
> to pay for that sponsorship and thus won't get pre-notifications may remain 
> on an insecure version longer than they should or would if they had received 
> a pre-notification. And that's terrible as well.
> 
> My 2¢
> 
> Markus
> 
> On Wed, Oct 3, 2018, at 9:14 AM, Carlton Gibson wrote:
>> 
>> On Sunday, 30 September 2018 06:51:41 UTC+2, James Bennett wrote:
>>> 
>>> Does anyone else have feedback on this? I'd like to push it forward.
>>> 
>> 
>> I don't know if this would fly but, given that pre-notification is mainly 
>> thought of for large-scale ("enterprise"?) deployments that can't 
>> realistically "Just Update!", 
>> could we make Corporate Sponsorship of the DSF a requirement for 
>> pre-notification? (These are big companies, with payroll. A sponsorship is 
>> loose change in this context, and may at least encourage trying to 
>> update...) 
>> 
>> (Just a thought.) 
>> 
>> C.
>> 

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/AAC3433C-65FF-41AD-AB40-C53EF7A6FB02%40gmail.com.
For more options, visit https://groups.google.com/d/optout.