[Info-vax] New VSI Roadmap (yipee!)

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Mar 2 08:41:52 EST 2015


On 2015-03-01, Kerry Main <kerry.main at backtothefutureit.com> wrote:
>
> Simon - not sure if you work in a med-large Operations shop, but when 
> you have hundreds+ of OS instances to harden, someone has to review 
> this large number of security patches every month and match them
> against those hundreds of OS instances. Not just the kernel patches,
> but also to all those Apps running in those hundreds of OS instances.
> And of course, no one has a really std environment, so you get multiple
> versions of Apps, Java, PHP levels etc.
>

No Kerry, I work in a smaller (by VMS standards) setup. (Well, at least
for the next couple of weeks. :-) After that, I suspect my next job,
whatever it turns out to be, will not be VMS related.)

Let's just focus on the third party applications (PHP, Java, Apache,
etc) in order to get a like for like comparison.

Would you agree that any bugs in these applications could very well
affect VMS as well and that if VMS is kept up to date at the same rate
as other OS environments, VMS will see the same number of patches for
these applications as well?

If so, how would you handle this? Would you choose not to develop VMS
applications using these languages/tools or would you do something else?

>
> And just to correct your point, many of the single line references on 
> the Red Hat security web site are actually "bundles" of patches, so
> the number is likely much higher.
>

If you are referring to a patchset which fixes multiple problems in a
product (i.e. PHP) at the same time, you are correct, but you still
only do one set of testing against what is a combined patchset.
Also, this will be no different on VMS if VMS is updated at the same
rate as, say, Linux installations are.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world


