[Info-vax] New VSI Roadmap (yipee!)
William Pechter
pechter at S20.pechter.dyndns.org
Thu Mar 5 15:51:41 EST 2015
In article <mcv3j3$8vs$1 at dont-email.me>,
Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
>On 2015-02-28, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>> On 2015-02-28 15:57:39 +0000, Kerry Main said:
>>
>>> Now, if there had not been such a significant increase in the OS
>>> instances, the monthly security patches might have been more
>>> manageable, but the culture of 1 or 2 bus apps per OS instance that
>>> was established in the distributed days of commodity OS's (and
>>> significantly boosted by the likes of VMware) has resulted in the
>>> OPS groups throwing up their hands and have adopted
>>> patch-n-pray.
>>
>> Not having patches and not having updates concerns me as much -- if not
>> more -- than having patches to apply. VMS just is not that secure.
>
>Congratulations Hoff, you got it in one.
>
>About a year or two ago when Kerry was in full flow about his 10-40
>patches a month, I did an analysis of the RHEL patches for a month
>(and posted the results to comp.os.vms).
>
>What I found was that for many of the patches, they either covered
>application level software issues which should have been investigated
>for VMS as well (PHP, Java, etc) or involved functionality which
>simply doesn't exist on VMS.
>
>For that month's worth of data, the number of core Linux issues with
>comparable VMS core functionality were _way_ under that 10-40 patches
>per month number Kerry likes to use.
>
>Simon.
>
>--
>Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
>Microsoft: Bringing you 1980s technology to a 21st century world
The problem is if there's a security problem with sendmail (an MTA) or
mutt (a mail reader) or with GCC's linker temp files or a problem with
a video driver for X11 they all get posted by RedHat.
Sendmail should not be running on an internet e-commerce or web server.
Mutt is only an issue if you're running it on that box and it will not
open any sockets without the user invoking it. So it shouldn't be
installed on the box. GCC shouldn't be on any internet or web server --
it is there for development. X11 shouldn't be running on the server unless
the sysadmin is using it for a specific function.
Yup... I sometimes ran it with Wireshark instead of tcpdump because it was
easier.
None of these are real operating system security holes that can be remotely
exploited if these boxes were configured and admin'd correctly.
The fact that internet lists of bugs show 100 security holes on an OS doesn't
do much for me if none of them are loaded on my box and none are remotely
exploitable.
Many things in standard RedHat and CentOS or Ubuntu are things that should
be removed in commercial production use before the box contacts an external
or internal user (except for IT staff).
Bill
--
Digital had it then. Don't you wish you could buy it now!
pechter-at-gmail.com http://xkcd.com/705/
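As an added example (not code from Bill's post or from the list), here is the triage Bill describes done as a small POSIX shell script: an advisory feed is counted against the packages actually installed on the box, and a denylist flags packages that should not be on a production server at all. The advisory feed, advisory ids, package inventory and denylist are all constructed sample data.

```shell
#!/bin/sh
# Added example: count only the advisories that apply to packages present on
# this host, and flag installed packages that a production server should not
# carry. Every value below is constructed sample data, not a real feed.

# Constructed advisory feed, one per line: "package advisory-id summary"
ADVISORIES='sendmail EXAMPLE-0001 remote header parsing flaw
mutt EXAMPLE-0002 crash on malformed mailbox
gcc EXAMPLE-0003 insecure temporary file in linker
xorg-x11-server-Xorg EXAMPLE-0004 privilege escalation in video driver
openssl EXAMPLE-0005 remote memory disclosure
kernel EXAMPLE-0006 local privilege escalation'

# Constructed package inventory of a stripped-down web server (what
# "rpm -qa --qf '%{NAME}\n'" would list on a real box).
INSTALLED='kernel
openssl
httpd
bash'

# Packages the post argues have no place on an internet-facing server.
DENYLIST='sendmail mutt gcc xorg-x11-server-Xorg'

# installed: succeed if the named package is in the inventory.
installed() {
    printf '%s\n' "$INSTALLED" | grep -qx "$1"
}

# applicable_advisories: print only advisories whose package is installed.
applicable_advisories() {
    printf '%s\n' "$ADVISORIES" | while read -r pkg id summary; do
        installed "$pkg" && printf '%s %s %s\n' "$pkg" "$id" "$summary"
    done
    return 0
}

# applicable_count: the number that actually matters for this host.
applicable_count() {
    applicable_advisories | wc -l | tr -d ' '
}

# unneeded_installed: installed packages that are on the denylist.
unneeded_installed() {
    for pkg in $DENYLIST; do
        installed "$pkg" && printf '%s\n' "$pkg"
    done
    return 0
}
```

Running it against the sample inventory reports 2 applicable advisories (kernel and openssl) out of 6 and no denylisted packages; swap in a real `rpm -qa` listing for INSTALLED to triage a real feed.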