[Info-vax] DECnet Phase IV and VMS code comments

[Kerry Main]

> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf
> Of Simon Clubley via Info-vax
> Sent: 27-Nov-16 10:31 PM
> To: info-vax at rbnsn.com
> Cc: Simon Clubley <clubley at remove_me.eisner.decus.org-
> Earth.UFP>
> Subject: Re: [Info-vax] DECnet Phase IV and VMS code comments
> 
> On 2016-11-26, Kerry Main <kemain.nospam at gmail.com> wrote:
> >
> > [snip..]
> >
> > Regardless of the company logo, my experience (including
> often working
> > closely with CSSE - WW interface for DEC Field Services to
> > Engineering) with the culture in OpenVMS engineering was/is
> that
> > security was always a top priority. If the issue was OpenVMS
> related,
> > I highly doubt the statement "the security issue is their
> problem"
> > ever came up.
> >
> 
> The problem Kerry is that VSI still seem to be stuck in the old
> mindset of how things were done in the old days of the
> 1980s/1990s and don't seem to have adapted to how security
> issues are handled in today's environment.
> 
> A really simple example: VSI _still_ didn't have a secure
security
> vulnerability reporting mechanism established the last time I
> checked their website; they seem to be completely dismissing
> the possibility that security issues may be reported by
unrelated
> third parties who may expect things to be done in a certain
> industry established way.
> 
> Another example; Do VSI have any plans in place to do
> coordinated releases of patches with HP if a security
vulnerability
> is found which requires a patch to be created and released ?
This
> coordination is absolutely standard these days, but I've yet to
> hear VSI say anything about this.
> 

Given VSI is already coordinating regular and ongoing patches
with HPE, why would coordinating security patches be any
different?

I can logon to the HPE patch system or VSI and get the same
patches.

> > Re: DECnet Phase IV - Hindsight is always 20-20.
> >
> > However, it's fair to say that those who developed a new
> networking
> > architecture 35+ years ago (when the design started - not
when
> it was
> > released) had no idea of the chaotic world networks would
> evolve into
> > today.
> >
> 
> It's not really to do with hindsight - IP and friends have also
had to
> adapt to the changing security world as well, both in terms of
> protocol changes and in terms of changes to the various code
> bases.
> 
> The question you should be asking is: is there anything in
DECnet
> Phase IV (or the other DEC network protocols) which require
> similar changes and have those changes been implemented over
> the years or not ?
> 
> Simon.
> 

Asking that question about DECnet Ph IV is like asking Microsoft
to keep NetBEUI current with today's TCPIP standards.

Imho, much as it has a place in some current environments, DECnet
is no longer a strategic technology. That does not mean it will
not receive any basic maint to keep up with OS changes, but do
not expect any new wiz bang enhancements without some Customer
stepping up to pay for them.

In a decade or two, perhaps this will change, but as we all know,
TCPIP is the way forward for now, so that is what VSI is doing
with the new standards based TCPIP stack.

If a security issue came up that was specific to DECnet, then
based on past experiences, VSI would address it.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com