[Info-vax] New VSI Roadmap (yipee!)
David Froble
davef at tsoft-inc.com
Mon Mar 2 12:42:03 EST 2015
Simon Clubley wrote:
> On 2015-03-01, Kerry Main <kerry.main at backtothefutureit.com> wrote:
>> Simon - not sure if you work in a med-large Operations shop, but when
>> you have hundreds+ of OS instances to harden, someone has to review
>> this large number of security patches every month and match them
>> against those hundreds of OS instances. Not just the kernel patches,
>> but also to all those Apps running in those hundreds of OS instances.
>> And of course, no one has a really std environment, so you get multiple
>> versions of Apps, Java, PHP levels etc.
>>
>
> No Kerry, I work in a smaller (by VMS standards) setup. (Well, at least
> for the next couple of weeks. :-) After that, I suspect my next job,
> whatever it turns out to be, will not be VMS related.)
>
> Let's just focus on the third party applications (PHP, Java, Apache,
> etc) in order to get a like for like comparison.
>
> Would you agree that any bugs in these applications could very well
> affect VMS as well and that if VMS is kept up to date at the same rate
> as other OS environments, VMS will see the same number of patches for
> these applications as well?

A problem is a problem, regardless of the environment. So, yes.

> If so, how would you handle this ? Would you choose not to develop VMS
> applications using these languages/tools or would you do something else?

Now we get to the core of the problem.

If some automaker has problems in their products, would that not affect
your buying decisions?

If that automaker didn't address such issues, and continued to have the
same problems, would you want to drive, or ride in, their cars?

I've heard the statement "everybody else does it" to explain unsafe
security practices. What a useless attitude.

Maybe the problem is in the specific product, and maybe we should
boycott insecure products and choose those with a better security record.