Point 1: "Who pays for fixes?"

The reason that most of the fixes come from the big companies is simple: The big companies (Red Hat, Suse, etc.) have *hired* the people that wrote the code in the first place.

It's silly to conclude that "there would be no fixes without the big companies." The code existed before the big companies, and will continue to exist (and be fixed) long after the big companies dry up and blow away.

You might try to say "these hackers/projects fixing stuff for free are leaching off the big companies", but it would be far more accurate to say "the big companies are leeching off of these hackers/projects." Big companies giving away security fixes for free is just a little payback for building their entire business model on code they don't own and didn't write. If they don't think it's fair, then they are free to write their own OS from scratch. (Good Luck!)

The producers had to fix their bugs anway, so their costs are fixed. Freeloaders getting fixes for free don't increase the costs of fixing bugs for the producers. Therefore, it's not a 'problem'.

Point 2: "Is paying for updates a good thing?"

No. Paying for updates is bad for consumers. Tying bug fixes to costly 'upgrades' is bad for consumers. Apple charging for fixes is BAD FOR CONSUMERS. Period.

If you are a vendor, it may be tempting to charge for fixes. But the industry is moving in the other direction. Consumers are realizing what a perverse incentive it is to tie 'fixes' to costly 'updates'. Your competitors are realizing that it costs ZERO to distribute fixes for free.

[As a footnote, I will mention that the GPL requires producers to distribute the patch to their customers. Since the producers cannot limit further distribution, the producers usually just skip the middleman and give the patch out to everyone. That's the GPL protecting consumers. Go GPL! ]


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/200/23898#23898