Comment by Rygian
In my fictional country, in order to release a software product to the market, or a hardware appliance that runs software, the vendor must:
- Subscribe to an end-of-life insurance package for security software patches. Vendor must contribute periodically. The amount contributed is proportional to the number of appliances sold, with a multiplication factor to account for how hard it is to upgrade the software. Vendor is still legally bound, by SLA, to release software patches and provide an upgrade path to customers for as long as devices remain operational (i.e. no fixed EOL). The insurance is only there in case vendor goes bankrupt.
- Or else release the software under an FSF-approved free software license, including all the needed toolchain to deploy software fixes on an appliance. Any third party is then legally empowered to provide patching services (caveat: the third party must agree to same SLA as vendor in point above).
- Or else vendor must put in place a guaranteed-buyback scheme whereby consumers can get at least 75% of the ongoing retail price (or last known retail price) by bringing back a device. The funds must be put in escrow, to protect users if vendor goes bankrupt.
Musing...
All these things might need some flavor of escrow-with-indie-verification. For example, does the published source actually compile to what's on the device? And some flavors of escrow (like your #3) need a bankroll or some sort of insurance.
And anyways, given the inevitable enshittification of all the things, including "assurance", how is a grand scheme for preventing willful software obsolescence enforceable by anything less imposing than the gummint?