Should OS makers, like Microsoft, be legally required to provide 15 years of security updates?
Why only 15?
Campaigners urge EU to mandate 15 years of OS updates
Submitted 6 months ago by SleafordMod@feddit.uk to technology@lemmy.world
https://www.theregister.com/2025/09/16/campaigners_urge_eu_to_mandate
Comments
davidagain@lemmy.world 6 months ago
recked_wralph@lemmy.world 6 months ago
15 years. 15 years. She got one of your kids got you for 15 years
maplebar@lemmy.world 6 months ago
Please mandate open bootloaders on devices, that’s what we truly need.
Zink@programming.dev 6 months ago
This seems backwards. Let’s just assume we’re always going to be willingly beholden to tech giants, and so we’re going to pass a law to make our masters treat us well.
Maybe instead campaign for a law that says all publicly funded computer resources must be reliably usable for 15 years. So you either go FOSS and save money too, or you get guarantees in writing before you hand over your hand over money to the people who won’t even let you see what their code is doing on your hardware.
Ironfist79@lemmy.world 6 months ago
People have had plenty of time to upgrade. 15 years is an incredibly long time to be supporting an OS. Even RHEL doesn’t do that.
ratten@lemmings.world 6 months ago
I have no sympathy for anyone using microsoft products.
They made their bed, now they get to sleep in it.
Squizzy@lemmy.world 6 months ago
I didnt my finance and IT team did.
If you ever want to create a google fan, make them use M365
spicehoarder@lemmy.zip 6 months ago
seems you were already a Google fan, they are a unique breed of horrible.
ieGod@lemmy.zip 6 months ago
This is a prime example of legislators not understanding technology.
merdaverse@lemmy.world 6 months ago
Microsoft’s plan to end Windows 10 support next month — which may make an estimated 400 million PCs obsolete
I don’t get this. Can’t those PCs update to the new version? Yes, I am very aware that win11 is a shit show and win10 was better.
But Ubuntu also has a similar support policy for updates:
Ubuntu LTS versions get five years of updates, while non-LTS only gets nine months.
Would all the Linux versions out there going to be subjected the same 15 years of updates??
hraegsvelmir@ani.social 6 months ago
Would all the Linux versions out there be subjected the same 15 years of updates??
They shouldn’t be, since the model for updates is quite distinct from Windows or iOS in a way that I would argue should effectively meet the requirements anyways. If a distro releases a new version twice a year, outside of enterprise situations where a company is paying for support, there’s nothing to really stop anyone who wants from upgrading. They don’t charge for it, and while new versions might add out-of-the-box support for new hardware, it’s pretty rare for Linux to suddenly change minimum hardware requirements in a way that requires you to buy a whole new machine in order to run the latest release. The only case that immediately comes to mind is that of distros increasingly removing support for i386 machines, but in fairness, Intel discontinued manufacturing of i386 chips 18 years ago.
Of course, this all assumes that the people in charge of making these decisions actually understand the technology in at least a general sense, and it’s not being left up to a bunch of idiots who have refused to keep up with any innovations more recent than the fax machine, so odds are kind of crap.
AstralPath@lemmy.ca 6 months ago
You don’t typically pay to run Linux distros. They’re open-source. I can’t imagine they’d be subject to this.
HubertManne@piefed.social 6 months ago
if anyone pays though they would need to keep a long-long-term-support.
some_kind_of_guy@lemmy.world 6 months ago
Upgrades are more seamless as well, it’s definitely a bit more blurry of a process. Plus Ubuntu releases twice a year, so their versions are more like the equivalent of Microsoft’s service packs (or whatever they call them now) but on a rolling basis.
Verqix@lemmy.world 6 months ago
Correct, the obsolete PCs can’t update to Windows 11. The Windows 11 update forces certain hardware support that a lot of devices don’t have. The security this hardware provides is mainly in someone physically removing data from your PC. As such it’s very business oriented but affects all versions of Windows 11.
barryamelton@lemmy.world 6 months ago
It’s not business oriented, it provides a unique ID attached to the machine.
Next step is to use that unique ID to identify you on the internet and digital life. Ending all privacy.
You think this is far fetched? Kernel-level anti-cheat for games already does this and bans the machine for playing that game ever again.
Hawk@lemmy.dbzer0.com 6 months ago
No, Windows 11 added extra, unneeded hardware requirements.
Obsolete in this case actually means obsolete. Windows 11 literally blocks the update because you do not meet requirements, such as not having a TPM.
Technically, there are ways to bypass this, but not for a casual user (and it probably breaks some ToS)
Smith6612@lemmy.world 6 months ago
Yep, exactly this. You can bypass the TPM and Processor requirements, but at some point it will come back to bite someone in the butt.
Microsoft with the 24H2 update broke Windows 11 for older systems (like Core2Duo, which are already ancient) due to a lack of required processor instructions. I’ve seen systems running under QEMU, and also on newer systems like the AMD Ryzen Zen1 platform experience “Unsupported Processor” BSODs preventing the system from booting.
Even outside of that, Microsoft doesn’t deploy the yearly feature roll-ups to systems with unsupported hardware, even if Windows 11 is already installed. I’ve seen many unsupported systems end up stuck 1-2 builds behind, and they never see the update. They have to be manually updated using the same mechanisms that got Windows 11 installed in the first place.
Microsoft I believe, expects Windows 11 to be running on a minimum set of hardware, and that’s all they are qualifying it for. So older systems are going to eat it at some point if they are used in production.
The TPM checks are for security but, certainly not required if someone is willing to drop system security for some reason.
AstralPath@lemmy.ca 6 months ago
Apparently there’s a way to install Win11 and bypass all these requirements.
tomshardware.com/…/bypass-windows-11-tpm-requirem… youtu.be/tx5TaozMXMQ
ZILtoid1991@lemmy.world 6 months ago
I think Microsoft should be punished with forcing to release the Windows kernel source code.
ZiemekZ@lemmy.world 6 months ago
Please no, just imagine the influx of 0-days
some_kind_of_guy@lemmy.world 6 months ago
I’ll bring the popcorn
boonhet@sopuli.xyz 6 months ago
This comes after e-waste watchers revealed that 75 million iPhones could be rendered obsolete – tipping the scales at around 1.2 million kilograms of e-waste – following the release of iOS 26.
Not strictly true because the phones they counted here will still get security updates for 2-3 years AFAIK. 7 year old phones, mind you. But yeah, no more feature updates. Which are so meaningless these days anyway.
kayazere@feddit.nl 6 months ago
The security updates for old iOS versions are a sleight of hand. Most companies only support the three latest versions of iOS, so soon that will be iOS 17 as the minimum. I had a device stuck on iOS 15, which was released in 2016, and banks and other major apps dropped support. So while the phone did get security updates, it can’t run the apps I needed.
boonhet@sopuli.xyz 6 months ago
That’s the app devs being idiots.
My two local banks that I use support 15.1 and 16. My two globally useful neobanks support 13 and 16. None of them have any features that the one on 13 doesn’t have (in fact, that gets the most updates and has the most features of them all)
Matriks404@lemmy.world 6 months ago
No, OS makers should just not make their OS bloated with useless shit, stealing your data and have arbitrary system requirements. I think 15 years of OS updates is excessive unless we’re talking about servers or very specific workflows. IMO 5-10 years is enough.
Holytimes@sh.itjust.works 6 months ago
5 years for basic and 10 for lts seems fine. 10 years is a fucking long ass time.
some_kind_of_guy@lemmy.world 6 months ago
I agree with most of that, but there are loads of embedded systems still running the equivalent of Windows XP and they’re chugging along just fine. That OS still receives updates and ending that would break a lot of backend stuff. Mostly banking.
Boeing just started making planes which don’t rely on floppy disks for updates. That will continue on the older part of the fleet until it’s no longer feasible to procure the disks or the planes are no longer airworthy. I mean, why not? If you only need to store a few mbs for something critical, it’s not a bad choice of medium.
If a system is reliable and works for decades without complaint, there’s no need to fix that.
Brkdncr@lemmy.world 6 months ago
No. Maintain your own OS. Any country or group of countries should be doing so.
kadotux@sopuli.xyz 6 months ago
Yes exactly :D en.m.wikipedia.org/wiki/Red_Star_OS
nucleative@lemmy.world 6 months ago
15 years is too long, it doesn’t match the state of the industry or technological progress.
If anything this slows down innovation which leads me to suspect the 15 year idea was though of by someone who dislikes any technical changes.
Holytimes@sh.itjust.works 6 months ago
Outside of aero and financial where it’s not uncommon for this to use 20+ year old tech.
If something isn’t hyper critical 15 is way too long
stuner@lemmy.world 6 months ago
15 years is too long, it doesn’t match the state of the industry or technological progress.
How is this too long? I would consider it a reasonable amount of time to receive security updates on a computer.
I have a notebook that I bought in 2012. It can run Ubuntu LTS 24.04, which is supported until 2034, without issue. There is no indication that the next release will stop supporting this hardware. I don’t see why Microsoft couldn’t provide this.
ratten@lemmings.world 6 months ago
Pretty sure Rocky Linux provides updates for 10 years.
It’s not asking too much for multi-billion dollar corporations to provide 15 years of updates.
They have more than enough resources.
Matthew@midwest.social 6 months ago
IBM providing 10 years for RHEL is doing most of the heavy lifting in the case of rocky linux
bestboyfriendintheworld@sh.itjust.works 6 months ago
15 years is actually reasonable.
I have a ten year old laptop with an i7 processor, 16 GB RAM, and 1 TB SSD. It still does most things, I bought it for initially just fine. Granted this was one of the best laptops you could buy at the time.
Apple stopped supporting it with a current version of macOS a couple of years ago sadly. It’s still possible to patch newer versions to install and run on the old machine, but it’s a bit of a hassle.
pirat@lemmy.world 6 months ago
Are we talking OpenCore Patcher? I was actually planning on trying that for my Early 2013 MBP, but I’m leaning more towards some Linux distro now, for the longevity of it, though I haven’t yet figured out which distro supports my MBP the best. Got any recommendations to share on some of this?
phillipp@discuss.tchncs.de 6 months ago
But unlike server aided services an OS still keeps working. You can use that PC for 10 more years, if you like.
I think there’s a discrepancy in the understanding of ‘support’ and what it entails in different technology fields. Demanding to receive NEW features for decades is not feasible in the current economic environment.
golli@sopuli.xyz 6 months ago
Or an established player in the market that wants to keep competitors out (but I guess in a way that is someone who dislikes change). While legislation like this can sometimes be great (e.g. the recent changes forcing longer support for mobile phones) there comes a point where it cuts the other way and it becomes an entry barrier.
Imo the better solution would be to legislate what happens after support ends. Like forcing the disclosure of at least some documentation that allows others to continue servicing the product or at least transfer out data and install other software on the device.
Highlandcow@feddit.uk 6 months ago
Fair like imagine if Microsoft was forced to support windows 8 for 15 years, a operating system people barely use, also some OSs arnt ran by huge companys
Rednax@lemmy.world 6 months ago
Before Microsoft demanded TPM 2.0, you could install the latest version of Windows on extremely old hardware. Easily reaching that 15 years. We had this already. And Windows 11 can easily run without TPM 2.0. Microsoft just has business reasons to demand it. So I don’t see how innovation is slowed down by this.
Korhaka@sopuli.xyz 6 months ago
That sounds like an insane duration, even LTS distros are not usually anything like 15 years
ILikeBoobies@lemmy.ca 6 months ago
There are companies still running XP.
ratten@lemmings.world 6 months ago
These multi-billion dollar corporations have more than enough resources to provide updates for 15 years.
There’s nothing insane about it, unless you’ve been conditioned to live vicariously through business owners.
Korhaka@sopuli.xyz 6 months ago
Pretty sure postmarketOS isn’t made by a multi-billion dollar corporation. Such a requirement would mean ONLY multi-billion dollar corporations can release an operating system. You do not want to give them that power.
pastermil@sh.itjust.works 6 months ago
They didn’t say you could do version upgrade…
iesha_256@lemmy.ml 6 months ago
this isn’t about the age of the OS, it’s the age of the device. I can install linux on a device from 20 years ago if not more.
Korhaka@sopuli.xyz 6 months ago
Ahh, so the win11 arbitrary hardware requirements bullshit
NauticalNoodle@lemmy.ml 6 months ago
I don’t know. just the other day somebody on lemmy was asking about installing a 32bit distro on an old netbook and the majority of comments were discussing whether there was any practical reason for distros to continue 32-bit support.
whyNotSquirrel@sh.itjust.works 6 months ago
yeah but you don’t pay 150euros for it + all the ads and stuffs
but yeah, I don’t see the point of this, it’s clearly aimed at Microsoft, and at this point alternative solutions exist
danhab99@programming.dev 6 months ago
I almost feel like the compromise we will eventually land on is that if an OS maker like Microsoft wants to continue advertising on your OS they have to take some liability for its security.
tekato@lemmy.world 6 months ago
If the EU is going to pay for the developers, sure. I’d even go higher and say make it 50 years. Otherwise make your own OS or use Linux.
Runaway@lemmy.zip 6 months ago
15 is an arbitrarily long time. I think forcing it to be open sourced upon the companies end of life is the better option
ronigami@lemmy.world 6 months ago
Then you can have a company that acquires the original failed company and provides “support” in the form of one bugfix per year.
All of these solutions are gamable except for requiring that the solution be open source from the get-go.
Horsey@lemmy.world 6 months ago
Dude, I’m so ready. Linux supports processors that old, by enthusiasts for free.
ronigami@lemmy.world 6 months ago
This would almost certainly rule out Linux as an option. What Linux vendor feels comfortable committing to something for 10 years?
ratten@lemmings.world 6 months ago
Because Linux is free software, we can implement the fixes ourselves.
Doing so with Windows or Crapple would literally be illegal.
cmnybo@discuss.tchncs.de 6 months ago
Just require any new operating systems to support 15 year old hardware. We should require manufacturers to provide 15 years of UEFI and firmware updates too.
Matriks404@lemmy.world 6 months ago
That is way more sensible, than the other way around.
minorkeys@lemmy.world 6 months ago
Or legislate that unsupported software becomes public domain or is open for development and the public can try and make the updates themselves.
Forcing people to upgrade entirely depends on the nature of the upgrades and the motive of the company. What we need is competition so there are alternatives for people to use if they don’t want to upgrade. But somehow Microsoft is not considered the monopoly of the PC OS market, despite being a monopoly, and uses that position to force changes nobody wants but them, like turning window into an AI data farming scheme that violates user privacy.
thethunderwolf@lemmy.dbzer0.com 6 months ago
Mandatory open source public domain release at EOS.
At Win10 EOS, people would make Windows distros, and ReactOS would no longer have to be a clean room implementation.
Also this would be a success for Stop Killing Games.
ILikeBoobies@lemmy.ca 6 months ago
Or legislate that unsupported software becomes public domain
Solves a lot of issues.
TankovayaDiviziya@lemmy.world 6 months ago
Nothing says ‘circular economy’ like Microsoft stranding 400 million PCs
This might be a silly question but would this not be a good idea for a start up company that recycle computer parts?
Cricket@lemmy.zip 6 months ago
would this not be a good idea for a start up company that recycle computer parts?
I really don’t think so. Computer recycling already seems to be a low profit business, as evidenced by there not being any large companies that do it (that I’m aware of). This number of computers flooding the market would probably make it even less profitable. Sure, it may be profitable for some small businesses, but nothing on the scale required to address the problem.
Jankatarch@lemmy.world 6 months ago
Don’t manufacturers purposefuly destroy the computers and such just to ensure that doesn’t happen?
miked@piefed.social 6 months ago
No. Manufacturers have no say in what happens to computer hardware after is sold.
Some companies may destroy the hard drives to make sure no data gets out. Some companies will remove the memory as well.
DJDarren@sopuli.xyz 6 months ago
There are dozens of us out here patiently awaiting a bunch of reasonably powerful new Linux machines.
vacuumflower@lemmy.sdf.org 6 months ago
Of course. Make another regulation only big corps can follow. To punish them, of course. This is punishment.
IHeartBadCode@fedia.io 6 months ago
European e-waste campaigners are calling on EU leadership to force tech vendors to provide 15 years of software updates, using Microsoft's plan to end Windows 10 support next month — which may make an estimated 400 million PCs obsolete — as a textbook case of avoidable e-waste.
Windows 10 has already had 10 years of support. ESU extends this one extra year. If you have hardware that cannot meet Windows 11's requirements, there are other OSes available that will happily run on that hardware. Which is what brings us to the real issue.
Microsoft's near monopoly on consumer grade PCs and Apple's vendor lock in. This is the core issue.
Companies can do this because there are no regulations to stop them. We call on European Commissioner Jessika Roswall to introduce EU Ecodesign requirements for laptops, guaranteeing at least 15 years of software updates. No more devices designed to break or become obsolete before their time
Ten years is a very long time for support. If you need support past that length, you need a different OS. Apple does good to keep Macs made in the last five to seven years still able to run their newest OS. They are some of the worse offenders on this. But even with a different OS, there's still a limit to how far you can take hardware. You could put the best optimized software on really old hardware and that won't change that the underlying CPU is old.
The older hardware gets the harder it is to keep supporting it. Case in point, there reason you can't get TLS 1.2 that pretty much every site now requires onto Windows 95 era machine is the underlying hardware cannot keep up with the required computational needs to support that encryption. And if you happened to install Windows 95 onto modern hardware, the number of changes to the OS to get access to the underlying hardware is pretty much an upgrade to Windows 7.
Ten year old machines are doing alright for the time being, but we have to move on. TLS 1.3 is here, has been here since 2018. The stricter requirements for security, require more advanced hardware.
And I just mention TLS as a single example of what we're talking about here. Modern hardware advances and attackers and users get those at the same time. While software security schemes do ensure security long after the hardware has become dated, there's a point where it won't matter anymore what software you toss onto the machine. It's just so out dated it doesn't matter, no software is securing it. Now that's usually a lot longer than ten years, but it's not much longer.
You can take a very lightweight Linux distro and pop it onto a Pentium 3 machine. It will technically run. But you are lacking SSE2 and even if you recompiled to remove SSE2 optimizations and strictly held to 586 ISA, you're not going to enjoy the performance on the machine. For even the most simple tasks like unpacking a 7-zip. You will fare very unwell to some attacker who has a modern Threadripper machine.
I love old machines but the rest of the world is moving forward. Yes, software could technically cover for more than ten years, but not much more. But it's silly to think that a Athlon 64 (2003), the oldest CPU you can technically get working on Windows 10 because of the NX bit requirement, would be able to keep pace on today's multi megabyte sized website. Hell even the X2 models that were the first to be "dual core" would have issues with how modern web browsers handle things because Athlon 64 X2's model for multiple processors is vastly different than how modern CPUs do it. It wouldn't take anything for someone to feed it a website that would bring the system to it's knees.
The thing is 15 years a very long time in the world of technology that's ever evolving. Software can only go so far. 15 years is absolutely you need a different OS if that's your requirement territory. But when you start hitting 20 years, your going to see breakage no matter what software you throw at it. It might be very slight at the 20 year mark. but each year after that it's going to become more pronounced.
bluGill@fedia.io 6 months ago
Lifetime for security. Other features (new drivers...) you can pay for, but security is lifetime. You need to escrow enough money to provide this service or prove that nobody is using the OS.
All services required for use of the device are also lifetime - though they may charge a subscription price so long as that price is clear to the customer before the first sale and prices go up by inflation only. After 15 years they can drop the service if it is easy for a "normal user" to switch to a different subscription provider; and all source code required for someone "skilled in the art" to create and maintain their own service provider is publicly released under terms that allow modification and redistribution was released at least 5 years before killing their own service.
You are allowed to drop support for any protocol that is not latest recommended state of the art so long as you maintain what was recommended at time of release. If a newer protocol comes out you need not support it. (Which is to say you can be IPv6 only today, and if the internet switches to IPv12 in the future you don't have to support that)
The above applies to anything network connected. OS, web browser, Security camera, thermostat....
Petter1@discuss.tchncs.de 6 months ago
I would prefer if they force the companies to unlock root and boot-loader, when they not ship new OS anymore for a device.
panda_abyss@lemmy.ca 6 months ago
This is stupid.
15 years is a massive time to just update your OS.
15 years ago instagram didn’t exist, the iPad was new, and people were just updating from Vista to Windows 7. I think Hadoop was just created then.
That is a massive amount of time to support software that would have almost no architectural protection against things like heartbleed.
krebssteven@lemmy.world 6 months ago
What we REALLY need is to curb microsoft’s market dominance. If more alternatives for OS and usable replacements for MS office em would exist, this would not be a problem and would not need to hamper innovation for the sake of back porting (the main counter-argument as a dev).
freeman@feddit.org 6 months ago
What would that mean for Linux distros? It seems like it could be a law that cuts off the competition. Like amazon who is very selectively for better working conditions when the know that no competitior can fulfull them.
phutatorius@lemmy.zip 6 months ago
This will kill small firms developing new OSes.