[Info-vax] VSI and Process Software announcement
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Sat Sep 24 10:31:23 EDT 2016
On 2016-09-24 09:43:56 +0000, Dirk Munk said:
> Stephen Hoffman wrote:
>>>
>>
>> Looking forward to 2020 and beyond, rather than looking back...
>>
>> Get DHCP working out of the box. OpenVMS boots up, requests a DHCP address,
>
> SLAAC or DHCPv6 is the recommended way to assign an IPv6 address. Now
> of course with IPv6 you can have lots and lots of addresses. Before I
> tamed my Windows PC in assigning IPv6 addresses, opening a new tab in
> Seamonkey caused a new IPv6 address to appear, so within a short while
> I had dozens and dozens of IPv6 addresses.
Not where I'm going with that. As I stated, this to allow full remote
management on first boot, right after installing the bits onto the
disk. This before the installation and configuration script can be
invoked.
>> and allows (only) remote-management connections, and an ssh server.
>> Generate a system password based on the server serial number. That's
>> available on Itanium. Maybe use the MAC address if there's no serial
>> number set or if the x86 box has no serial number, but that ends up
>> being far too obvious. This to allow full remote management on first
>> boot, right after installing the bits.
>
> Why not use a built-in web interface on a chip? That is the default way
> for any modern x86 system.
Not where I'm going with that, either. I was referring to determining
credentials for access control, and preferably something that wasn't
going to be immediately easy to guess. That's a tough problem though,
and even using a hardware serial number isn't great security even for
first-boot.
>> Install Apache as part of the base distro.
>
> Why Apache? Why not WASD? Because "everybody is using Apache"? If VSI
> can use Multinet components, then they can also use WASD. Instead of
> porting every new version of Apache to VMS, they can just add new
> functionality to WASD. After all WASD has a far better performance, and
> is more than properly documented.
Two reasons: Because folks new to the platform aren't going to want to
learn another web server. My longer-term end-user goal is to get out
of managing as much of the web server as I can, too. Other platforms
make that easier, though those use Apache. Secondly, if y'all want
to fund and/or acquihire and/or quite possibly have VSI take over all
future WASD development if (when?) that becomes necessary, or to spend
and start and maintain an nginx port, or whatever else, so be it.
VSI doesn't strike me as a bunch that really wants to take the lead on
updating and maintaining a competitive web server right now.
And if I happened to have acqui-hired the WASD team, I'd probably still
roll out Apache and put the team to work overhauling and updating the
OpenVMS integration with that server, and the rest of the web
integration within the platform, too.
Note: none of this is intended to cast any aspersions toward the
quality or capabilities or skills of the WASD software or team.
>> Install LDAP and particularly LDAP server as part of the base distro.
>
> It seems there is a tendency to go to full blown X.500, instead of the
> smaller LDAP. Hey, we already have that on VMS!!!
Please show me the LDAP server in the base distro, and where it's
automatically installed and available, and show me where LDAP is
integrated into the base environment beyond passwords and account
status.
I've used the existing LDAP client bits and the associated password
authentication, and it's not something I consider easy to configure,
integrate or troubleshoot, either.
>> Get ftp and telnet out of the default configurations and menus, and
>> make folks work to enable those, and any other insecure transports,
>> services or tools.
>
> For some odd reason you don't want to use IPsec so it seems. But if you
> do, and make your IP network secure on the place where it should be
> done (the network stack), then suddenly all those insecure protocols
> become secure. And your IP cluster communication is also secure. That
> would be a really modern approach instead of antiquated protocols like
> SSH, or would you like IP clustering to use SSH???
Not where I'm going with that comment. I'm referring to removing
those from the default configuration menu and related tools. If
somebody wants to use VPN and use telnet, or just use telnet, give'm an
out-of-band path to enable that. Don't make that easy, as telnet and
ftp are insecure and problematic.
>> Disable all network services that are incompatible with DHCP, whenever
>> DHCP is enabled.
>
> Which services do you mean? The list of DHCP options is almost endless.
Not where I'm going with that, either. I'm referring to other network
services that can get tangled up if the host IP address changes.
>> Don't use RMS indexed files for TCP/IP Services configuration data.
>> Use SQLite databases or something that makes particularly rolling
>> upgrades less complex, less constrained, and less hack-ish.
>
> Why not add Rdb again? A long time ago Rdb runtime was added to VMS to
> the dissatisfaction of Oracle. Negotiate with Oracle. Why spend
> precious time in porting SQLite if VSI can make a deal with Oracle to
> add a real VMS database?
Rdb is a nice database. If Oracle wants to give it away to folks, or
if VSI wants to eat the licensing costs, I'm interested.
Or as one wag referred to a particular Rdb-dependent package on the
OpenVMS Freeware, it was the most expensive piece of Freeware on the
whole distro.
Otherwise, Oracle has to compete with the costs of SQLite or other
database alternatives, both to developers and to end-users.
There are more than a few cases where I'd use SQLite in preference to
Rdb, and that's given more than a little experience with managing and
developing and troubleshooting Rdb applications and databases over the
years.
--
Pure Personal Opinion | HoffmanLabs LLC