[Info-vax] New VSI Roadmap (yipee!)
Scott Dorsey
kludge at panix.com
Sun Mar 1 08:54:57 EST 2015
Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
>On 2015-02-28, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>> On 2015-02-28 15:57:39 +0000, Kerry Main said:
>>
>>> Now, if there had not been such a significant increase in the OS
>>> instances, the monthly security patches might have been more
>>> manageable, but the culture of 1 or 2 bus apps per OS instance that
>>> was established in the distributed days of commodity OS's (and
>>> significantly boosted by the likes of VMware) has resulted in the
>>> OPS groups throwing up their hands and adopting
>>> patch-n-pray.
>>
>> Not having patches and not having updates concerns me as much - if not
>> more - than having patches to apply. VMS just is not that secure.
>
>Congratulations Hoff, you got it in one.
>
>About a year or two ago when Kerry was in full flow about his 10-40
>patches a month, I did an analysis of the RHEL patches for a month
>(and posted the results to comp.os.vms).
>
>What I found was that for many of the patches, they either covered
>application level software issues which should have been investigated
>for VMS as well (PHP, Java, etc) or involved functionality which
>simply doesn't exist on VMS.
>
>For that month's worth of data, the number of core Linux issues with
>comparable VMS core functionality were _way_ under that 10-40 patches
>per month number Kerry likes to use.

Right. The problem is that we have organizations that are required to
install all patches. They may not have Apache installed, but by God
there's an Apache patch for Red Hat and update has to be run today or
heads will roll.

This is a side-effect of managers coming from the Windows world where
everything is one monolithic block, but sadly this is the case in a
large number of organizations and it's something we all have to deal with.

--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."