[Info-vax] Should VSI create a security bug bounty program for VMS ?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Sep 1 11:16:23 EDT 2016
On 2016-09-01 13:22:49 +0000, Simon Clubley said:
> On 2016-08-30, Kerry Main <kemain.nospam at gmail.com> wrote:
>
>> Commodity OS's have 20+ security patches released each and EVERY month.
>> Security patches - not normal bug patches. Yes, not all apply to all OS
>> versions. Not all apply to the Products or services these OPS group
>> actually use.
>
> And VMS would be seeing a lot more patches if its internet-related
> components were updated at the rate they should be.
Ayup.
Do I like patches that often? No. But I like patches and critical
updates that are months or years late even less. That delay just
leaves everybody open for shenanigans, from whatever activity or
exploit or disclosure triggered the original development of the patch,
or from anybody that can read the CVEs and the exploits and do a little
digging.
In areas where the sources are common — various of the web-facing
components and some security components — OpenVMS is missing a whole
lot of those patches and updates. The DNS server version on OpenVMS
— not exactly an inconsequential component of network security — is
long deprecated, for instance. It's a good bet that some of the
patches related to the DNS server also apply to OpenVMS, too.
Even what are considered high-priority security patches usually arrive
a month later on OpenVMS. On other platforms, those patches are
either immediately available, or arrive within a day or two.
Then there's how much I despise having to periodically and manually log
into a patch portal and check for new patches and download the patches
and unpack the patches and read the patch installation notes and then
copy the patches to the target servers and issue the manual patch
commands and run the rolling reboots or whatever other updates are
required. This whole patch process is patently absurd.
Pointing at dozens of patches for the other platforms might make for
some decent vendor marketing, certainly. Pointing at a long-deprecated
DNS server version and at OpenSSL patches that are usually a month late
and that are probably then not very widely or quickly installed, or
that OpenVMS might not see some applicable fixes and patches for years
— which is what end-users such as Stark and other OpenVMS customers
encounter — not so much.
Then there's that — (should? when? if?) OpenVMS becomes more
successful, and as OpenVMS inherently increases in scope and scale, and
as OpenVMS incorporates more open source — the most probable patch
trend will be an increasing number of patches and/or the need to
install at least certain patches or updates much more quickly, and
quite probably both.
--
Pure Personal Opinion | HoffmanLabs LLC