[Info-vax] How do I make zip, unzip etc. available to all users?
RobertsonEricW
robertsonericw at netzero.net
Mon Jan 11 13:56:47 EST 2016
On Monday, January 11, 2016 at 11:40:17 AM UTC-5, Stephen Hoffman wrote:
> On 2016-01-11 16:02:52 +0000, RobertsonEricW said:
>
> > Unfortunately, the current state of OpenVMS limits Secure Software
> > Delivery to software produced exclusively by either HPE or VSI (via the
> > newer HPE-specific signing routines). The situation with respect to
> > Secure delivery using CDSA signed packages is virtually the same with
> > respect to third party software producers. The only third party
> > software producers outside of HPE and VSI that are capable of getting
> > Secure Delivery using (now deprecated) CDSA signed installation kits
> > are those producers who got their certificates signed by the OpenVMS
> > CDSA Integrity Root Certificate before HPE suspended that process for
> > third party software producers. Since VSI has not reinstituted that
> > process, the situation remains unchanged; aspiring third party software
> > producers (that did not previously produce CDSA-signed software kits
> > for OpenVMS) cannot securely deliver software to the OpenVMS platforms.
>
> If you're willing to trust a third-party to sign the kits (and install
> an enablement kit), this can be dealt with.
>
> Irrespective of the signing authority, running test installs doesn't
> tell you if there's a vulnerability or a backdoor somewhere in the
> package, though.
Nope. But that was never the responsibility of Secure Delivery. Secure delivery promises only identification of the producer and fidelity of transmission from the producer's point of origination to point of consumption. The current state of computing relies on software and network scanners which look for known patterns of code and/or code execution and network communication patterns to alert to the possibility of vulnerabilities and penetration therefrom (not that such reactionary results are particularly comforting from a security perspective; but that is a whole other discussion).
>
> Nor if there's a malevolent in whatever "OpenVMS" DVD distribution kit
> you've actually installed, for that matter.
>
> > Since Secure delivery is one of a few foundational capabilities needed
> > to enable automation of secure delivery and installation of third
> > party software installation kits, I am hoping that VSI targets the
> > certificate management capabilities of OpenVMS as one of the first
> > items to get attention once resources start freeing up from the
> > development of OpenVMS x86-64. After all, in this day and age, what
> > aspiring third party software developer is going to think very long
> > about developing software for OpenVMS when they cannot make certain
> > that the software they might contemplate producing will be securely
> > transmittable and installable "over the wire" onto the very platform
> > which they contemplate producing software for? Yes, certificate
> > management and secured product installation are important ingredients
> > needed for future growth of both the OpenVMS user and software
> > marketplaces. Without it, the long (and possibly even medium) term
> > future of OpenVMS will be grim indeed.
>
> Solving that third-party distribution problem is feasible now. Well,
> feasible outside of cases where you're the target of a
> nation-state-level adversary, that is.
Well, from a purely technical perspective this has been technically feasible for at least a decade-and-a-half. But until recently, OpenVMS has been in a virtual state of suspended animation and so we must indulge our fraying patience for a while longer before this becomes available as part of the out-of-the-box, OpenVMS computing DNA.
>
>
>
> --
> Pure Personal Opinion | HoffmanLabs LLC