[Info-vax] DCL vulnerability write up on The Register

[Bill Gunshannon]

On 02/09/2018 10:31 PM, Kerry Main wrote:
>> -----Original Message-----
>> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf Of
>> DaveFroble via Info-vax
>> Sent: February 9, 2018 1:50 AM
>> To: info-vax at rbnsn.com
>> Cc: DaveFroble <davef at tsoft-inc.com>
>> Subject: Re: [Info-vax] DCL vulnerability write up on The Register
>>
>> terry-groups at glaver.org wrote:
>>> On Thursday, February 8, 2018 at 12:29:52 PM UTC-5, Stephen Hoffman
>> wrote:
>>>> HPE transitioned OpenVMS Alpha into mature support — that's HPE-
>> speak
>>>> for "no patches" — over a year ago.
>>>
>>> If I were paying HPE for support, I'd really have to question what type
>> of "support" they were providing if they declined to produce a patch for
>> a known CVE, particularly when they seem to know what the fix entails.
>> Perhaps HPE "support" just means access to the library of out-of-date,
>> no-longer updated patches, plus occasional "reading service" to tell the
>> user that something is in the manual? Perhaps they should reduce their
>> support pricing to reflect the reality of the "support" they are providing...
>>
>> If you were paying HPE for VMS support on Alpha, you'd be an idiot, or
>> worse.  I
>> certainly hope nobody fits into this catagory.
>>
> 
> Lets not forget that some larger companies have policies that state ALL servers (esp. prod) MUST have support contracts in place. It is a risk mitigation strategy i.e. a single throat to choke.
> 
> In the big scheme of Operations support contracts, I highly doubt that even over priced Alpha support contracts is barely even a rounding error compared to what most companies pay annually in support contracts to Red Hat, Microsoft and/or Oracle.
> 

Yes, but they actually get something for their money from them.
Any CIO who pays for support for a system the vendor says they will
not support should be fired for incompetence.

bill