[Info-vax] How do I make zip, unzip etc. available to all users?

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Mon Jan 11 11:40:14 EST 2016


On 2016-01-11 16:02:52 +0000, RobertsonEricW said:

> Unfortunately, the current state of OpenVMS limits Secure Software 
> Delivery to software produced exclusively by either HPE or VSI (via the 
> newer HPE-specific signing routines). The situation with respect to 
> Secure delivery using CDSA signed packages is virtually the same with 
> respect to third party software producers. The only third party 
> software producers outside of HPE and VSI that are capable of getting 
> Secure Delivery using (now deprecated) CDSA signed installation kits 
> are those producers who got their certificates signed by the OpenVMS 
> CDSA Integrity Root Certificate before HPE suspended that process for 
> third party software producers. Since VSI has not reinstituted that 
> process, the situation remains unchanged; aspiring third party software 
> producers (that did not previously produce CDSA-signed software kits 
> for OpenVMS) cannot securely deliver software to the OpenVMS platforms.

If you're willing to trust a third party to sign the kits (and install 
an enablement kit), this can be dealt with.

Irrespective of the signing authority, running test installs doesn't 
tell you if there's a vulnerability or a backdoor somewhere in the 
package, though.

Nor if there's a malevolent in whatever "OpenVMS" DVD distribution kit 
you've actually installed, for that matter.

> Since Secure delivery is one of a few foundational capabilities needed 
> to enable automation of secure delivery and installation of third 
> party software installation kits, I am hoping that VSI targets the 
> certificate management capabilities of OpenVMS as one of the first 
> items to get attention once resources start freeing up from the 
> development of OpenVMS x86-64. After all, in this day and age, what 
> aspiring third party software developer is going to think very long 
> about developing software for OpenVMS when they cannot make certain 
> that the software they might contemplate producing will be securely 
> transmittable and installable "over the wire" onto the very platform 
> which they contemplate producing software for? Yes, certificate 
> management and secured product installation are important ingredients 
> needed for future growth of both the OpenVMS user and software 
> marketplaces. Without it, the long (and possibly even medium) term 
> future of OpenVMS will be grim indeed.

Solving that third-party distribution problem is feasible now. Well, 
feasible outside of cases where you're the target of a 
nation-state-level adversary, that is.



-- 
Pure Personal Opinion | HoffmanLabs LLC
