[Info-vax] New VSI Roadmap (yipee!)

lists at openmailbox.org lists at openmailbox.org
Mon Mar 2 09:06:24 EST 2015


> Let's just focus on the third party applications (PHP, Java, Apache,
> etc) in order to get a like for like comparison.
> 
> Would you agree that any bugs in these applications could very well
> affect VMS as well and that if VMS is kept up to date at the same rate
> as other OS environments, VMS will see the same number of patches for
> these applications as well ?

This is what I have been saying about C and Intel and the general state of
Linux and GNU crapware. If VMS tries to run crapware it will become
crapware. You can't wrestle with pigs and not get dirty.

The only thing you can do is jail/zone apps etc. but that already exists on
other platforms. Where is the added value?

> If so, how would you handle this ? Would you choose not to develop VMS
> applications using these languages/tools or would you do something else ?

I hate to see comments that VMS should run all this stuff. You are never
going to get people to pay hard cash for stuff they can do for nothing. VMS
needs to keep differentiating and not be just another platform to run
bug-ridden, vulnerable *NIX apps. For things that enterprises use, new
software in safe languages should be on the table.

Since somebody mentioned OpenBSD...the guys got sick of the vulnerabilities
in sendmail. So they wrote their own SMTP server. They got sick of the
vulnerabilities and zillions of lines of code in NTP so they wrote their
own NTP server. They got tired of vulnerabilities in Apache and didn't like
nginx after using it in base for a couple of versions so they're writing
their own httpd.

If you want to do better you can. If you don't, you can't.

> If you are referring to a patchset which fixes multiple problems in a
> product (i.e. PHP) at the same time, you are correct, but you still
> only do one set of testing against what is a combined patchset.
> Also, this will be no different on VMS if VMS is updated at the same
> rate as, say, Linux installations are.

Patching is bad. It's a necessary evil but the patches to mainline Linux
applications are coming way too often. Stability requires least possible
changes to production code. And IT consumers (enterprises) need to be
taught the difference between the OS and the third party software they run
on it. This distinction has to be made crystal clear and pounded into them
over and over again. *NIX has so many layers of crapware most people can't
tell the difference between a good OS and a bad one. All they know is
whether their application works or doesn't or is vulnerable or isn't. That
doesn't help you sell a good OS.




