[Info-vax] OpenVMS in the future, Open sourced or Closed? Intent is to keep it...

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Wed May 6 11:09:12 EDT 2015 

On 2015-05-06 12:24:02 +0000, Bill Gunshannon said:

> In article <059ca1d8-ade0-4428-b003-9c912a872a8b at googlegroups.com>,
> 	seasoned_geek <roland at logikalsolutions.com> writes:
>> On Tuesday, May 5, 2015 at 11:01:34 PM UTC-5, David Froble wrote:
>>> seasoned_geek wrote:
>>>> 
>>>> This fantasy you believe in only works if a single individual can and 
>>>> does posses _ALL_ of the hardware and environment to build from source 
>>>> _AND_ deploy raw to target. This is why wanna-be dutifully disrespected 
>>>> platforms "thrive" as OpenSource and no serious platform does.
>>>> 
>>>> As was pointed out by Hoff. Building VMS from source requires 
>>>> phenomenal setup and significant resources.

Could you point out where I wrote that?  While I did indicate that the 
build — back when I was familiar with it — was complex and it was very 
much tailored to the then-current clusters, but nothing precludes 
simplifying and productizing the build.  Productizing the build would 
be a moderate-sized project, and the complexity here comes largely from 
the scale.   The build is a collection of specific tools and data 
files, and a whole lot of DCL.

There are no specialized hardware requirements, beyond the entirely 
unsurprising "more is faster".

Even for VSI, it'd be handy to have the build overhauled, and features 
such as Xcode and the Xcode bots available.

In short, there are no insurmountable (technical) problems here.  Just 
a whole lot of code-slogging.

Running a full regression test would require the necessary hardware in 
order to test all hardware, but that's entirely separate from the build.

>>> But once all the requirements are set up and available, many would be  
>>> capable of doing the build.  Not that I'm advocating such.  As I've  
>>> written more than once, the reason I wanted to see VMS open sourced was 
>>>  to insure someone at HP could not decide to just delete everything.
>>> 
>> Well, I trust Hoff when it comes to this and if he says few, if any, 
>> are capable of setting up such an environment, I believe him.

As presently implemented.

The folks at VSI would really like to have something like Xcode IDE and 
the build bots for themselves, too.  Whether they get time to work on 
their tooling?

>> We aren't talking about a hokey wanna-be OS like Linux, Windows, BSD, etc.

Those operating systems work quite well, and solve the problems that 
many folks have.  Some of these sites are former OpenVMS sites, too.

>> There is also the issue of all the conditional compilation in the 
>> source code which exists for military and/or very high security 
>> clearance eyes only.

That's a new one.  Never heard of that version of OpenVMS before.

I've never heard of a military or high-security or variant version of 
OpenVMS, beyond Security-Enhanced OpenVMS; SEVMS.  The SEVMS package 
was separate, and hasn't been offered or AFAIK even built in many 
years.    IIRC, the last evaluated versions of SEVMS were back in the 
V6 era, and the product was discontinued a long time ago.

The SEVMS layered product used some add-on tools and add-on utilities 
and features latent in OpenVMS — see the UPGRADE and DOWNGRADE 
privileges, for instance — to implement mandatory access control 
security.

AFAIK, SEVMS was a price book layered product purchase, too.  Most 
anybody could order a copy, and install it.   Not that most sane folks 
really want to manage and utilize a mandatory access control system 
configuration.

The vast majority of OpenVMS source code has been openly published for 
decades via the fiche, and more recently via the source listings kits.  
 The SEVMS hooks are included in the source listings. The hooks are 
present and will AFAIK still function in every shipped copy of OpenVMS 
if you enable the SEVMS system parameters, too.  Not that anybody has 
tried that in some years, AFAIK.

I don't think SEVMS source listings were ever published, but that is 
the case with most (all?) of the layered products.

In years past, you could purchase an OpenVMS source license, too.  It 
wasn't cheap, either.   You can still purchase source listings.  
Hopefully, VSI continues to offer that.  Those have the vast

I am very familiar with the source pool, and familiar with the build 
environment, with the source listings, and with SEVMS.  So I call BS.  
SEVMS is not relevant to building OpenVMS, nor is the complexity of the 
current build relevant to whether the build and the test environment 
could be productized.  A subset of the regression tests that tests core 
functions and (just) the available hardware options is also not an 
insurmountable problem.

The problem here — as with many problems — is not a technical limit.  
It's the copyrights and related agreements, and it's that a whole lot 
of folks just aren't interested in learning and building OpenVMS from 
source code, there are the sorts of non-trivial details that I listed 
in my previous comment, including bug tracking and distributed version 
control and legal releases and the rest, and that it'd take a 
reasonable investment to productize the build and core tests and the 
source control — source control is not going to be a small issue here, 
at the scale of OpenVMS, see the VDE package on the OpenVMS Freeware 
for related details — and the bug tracking.  VSI is likely going to 
invest that time and those people elsewhere here, and at least for the 
foreseeable future, too.   But a secret military version of OpenVMS?  
No.  A publicly-documented and difficult to use and long-retired and 
here-irrelevant version?  Yes.  But SEVMS is AFAICT not even remotely 
relevant here.   Productizing and coordinating and deploying the 
infrastructure for distributed development is all entirely technically 
possible, too.   Just a whole lot of work.

Fear that open source is less secure?  Doubtful.  Ignoring the source 
listings that are available for the vast majority of OpenVMS, source 
code obscurity doesn't mean more security, either.   The 
reverse-engineering tools available now are much better than the ones I 
was using to reverse-engineer and to extend VMS executables, and that 
wasn't particularly difficult.   Now having an engineering team that 
has the testing tools and the fuzzers and the deprecated-feature and 
verification tools and the time and the experience to run those tools — 
whether on open- or closed-source code — and a team has the ability and 
the mandate to retire the old and insecure code — matters far more.


-- 
Pure Personal Opinion | HoffmanLabs LLC

More information about the Info-vax mailing list