On 2013-02-19 13:25, Sašo Kiselkov wrote:
> It might seem like a fine idea for a business, but for me this is a deal breaker. I have lots of OI systems, some for personal use, some for business use, and all of them need security fixes. I don't want to have to pay for support on machines which generate zero revenue.

Makes sense.

> Also, how do you enforce this? Will you make access to security repositories subscriber-only? And how will you manage subscriptions? How will you manage machine IDs? This necessarily forces you to close off portions of OI code, which is a dangerous path to take.

I believe RedHat and its spin-offs (Fedora as a bleeding edge experiment, and CentOS as a rebadged clone) have set a nice example here, especially the latter. All the source is open as GPL requires, and AFAIK CentOS is a rebuild of the same code in the same conditions as the main RHEL distro. The only difference is the right (license) to use RedHat's IP in the form of name and logo, which is granted only to its official paid-for distro. Also, the paid-for distro users have someone to complain to in case of bugs/RFEs, and the community (including free spinoff users) have the results for free, but later (after testing, rebuilds, etc.). Qualified users are free to pull the source code updates and constantly rebuild their free OSes if they like, but the general populace would likely wait for new RPM revisions to appear and become automatically downloaded and applied to their installation.

As for user identification, Oracle MOS has an example with individual user certificates issued for support contract holders, to access IPS repos over HTTPS. On one hand, these certificates automatically have an expiration date which forces one to continue buying support and automates the non-provision of commercial updates to unpaid users. On the other hand, this allows tracking the usage - i.e. how many IP addresses downloaded a patch with a certain user certificate, or even how many times it has been used for the same patch in a short timeframe (though... then what about updates of many local zones...)?

If you want to go Nazi about forcing people to buy support for each machine - there are simple ways to do it. They might be circumvented (i.e. use the user-cert on some LAN replicator of IPS packages), but this might not be worth it especially if support is kept relatively cheap and the users follow an honor system to have this OS alive at all. The individual users might get the same patches via source (illumos-gate, etc. - subject to their ability to build this and receive the same resulting binaries which work like the QA'd releases) and/or by quarterly community releases, etc.

This way, the code need not be closed, and there is an ability to fund the project (both branches) as well as gain free users and more common awareness. And compliance-bound users have someone to blame for security breaches ;)

Though, possibly, this is what undermined Sun - OpenSolaris SXCE which was way more functional than Solaris 10 and free to use at that ;)

//Jim