[Info-vax] (Hypothetical only) Major new security issue for VAX/Alpha. What do you do ?

Kerry Main kemain.nospam at gmail.com
Sat Sep 24 17:16:03 EDT 2016 

> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf
> Of Simon Clubley via Info-vax
> Sent: 24-Sep-16 4:38 PM
> To: info-vax at rbnsn.com
> Cc: Simon Clubley <clubley at remove_me.eisner.decus.org-
> Earth.UFP>
> Subject: Re: [Info-vax] (Hypothetical only) Major new security
> issue for VAX/Alpha. What do you do ?
> 
> On 2016-09-24, Kerry Main <kemain.nospam at gmail.com> wrote:
> >> -----Original Message-----
> >> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On
> Behalf Of Simon
> >> Clubley via Info-vax
> >> Sent: 24-Sep-16 2:45 PM
> >> To: info-vax at rbnsn.com
> >> Cc: Simon Clubley <clubley at remove_me.eisner.decus.org-
> >> Earth.UFP>
> >> Subject: [Info-vax] (Hypothetical only) Major new security
> > issue
> >> for VAX/Alpha. What do you do ?
> >>
> >> Questions:
> >>
> >> What would you do to tackle the problem that your old
> system, which
> >> is long off software support, now has a major new potential
> security
> >> hole in it ?
> >>
> >> HP can't give you a patch for VAX and as I understand it,
they
> won't
> >> be able to give you one for Alpha from the end of this
> > year.
> >> [*]
> >>
> >
> > [snip..]
> >
> > Never say never .. there is a difference between "won't" and
> "can't".
> > The EOL dates are arbitrary to force Cust's to plan to move
to a
> > supported version by a designated date. It does not mean
> source code
> > could not be pulled out of HPE backups if it was required.
> >
> 
> Next questions:
> 
> Do HP currently evaluate IA64 and Alpha VMS security issues to
> see if they apply to VAX/VMS as well ?
> 
> After the end of this year, will IA64 issues be evaluated to
see if
> they also apply to Alpha as well ?
> 
> At the moment, if a security researcher tells HP that a VMS
issue
> also applies to VAX/VMS, is the security researcher simply told
> that VAX/VMS is no longer supported (in regards to new patches
> being generated), or would the issue be evaluated to see what
> impact it has on VAX systems ?
> 

My personal thoughts - I have no idea of what the current
situation is in HPE or VSI. 

Having stated this - like all OS platforms, I imagine each
security scenario would be looked at in terms of severity, risk,
amount of work required to fix, versions impacted (supported/not
supported) and criticality.

Hence, given the hypothetical nature of the question(s), the most
likely answer anyone at HPE/VSI would offer is that they will
cross that bridge when/if it comes up.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com

More information about the Info-vax mailing list