[Info-vax] DCL vulnerability write up on The Register

Sat Feb 10 08:25:18 EST 2018

> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf Of Bill
> Gunshannon via Info-vax
> Sent: February 10, 2018 7:31 AM
> To: info-vax at rbnsn.com
> Cc: Bill Gunshannon <bill.gunshannon at gmail.com>
> Subject: Re: [Info-vax] DCL vulnerability write up on The Register
> 
> On 02/09/2018 10:31 PM, Kerry Main wrote:
> >> -----Original Message-----
> >> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf Of
> >> DaveFroble via Info-vax
> >> Sent: February 9, 2018 1:50 AM
> >> To: info-vax at rbnsn.com
> >> Cc: DaveFroble <davef at tsoft-inc.com>
> >> Subject: Re: [Info-vax] DCL vulnerability write up on The Register
> >>
> >> terry-groups at glaver.org wrote:
> >>> On Thursday, February 8, 2018 at 12:29:52 PM UTC-5, Stephen
> Hoffman
> >> wrote:
> >>>> HPE transitioned OpenVMS Alpha into mature support — that's
> HPE-
> >> speak
> >>>> for "no patches" — over a year ago.
> >>>
> >>> If I were paying HPE for support, I'd really have to question what
> type
> >> of "support" they were providing if they declined to produce a patch
> for
> >> a known CVE, particularly when they seem to know what the fix
> entails.
> >> Perhaps HPE "support" just means access to the library of out-of-
> date,
> >> no-longer updated patches, plus occasional "reading service" to tell
> the
> >> user that something is in the manual? Perhaps they should reduce
> their
> >> support pricing to reflect the reality of the "support" they are
> providing...
> >>
> >> If you were paying HPE for VMS support on Alpha, you'd be an idiot,
> or
> >> worse.  I
> >> certainly hope nobody fits into this catagory.
> >>
> >
> > Lets not forget that some larger companies have policies that state ALL
> servers (esp. prod) MUST have support contracts in place. It is a risk
> mitigation strategy i.e. a single throat to choke.
> >
> > In the big scheme of Operations support contracts, I highly doubt that
> even over priced Alpha support contracts is barely even a rounding error
> compared to what most companies pay annually in support contracts to
> Red Hat, Microsoft and/or Oracle.
> >
> 
> Yes, but they actually get something for their money from them.
> Any CIO who pays for support for a system the vendor says they will
> not support should be fired for incompetence.
> 
> bill

You obviously have much higher view of support from companies like Oracle than I do.

At a prior site I was at, the DBA's logging a call with Oracle was a last resort to get a log number and keep their senior mgrs. off their back. However, the local DBA's rarely received what they were looking for.

I am sure the same could be stated for many Customers view of MS support. Have not really dealt with RH, so cant say about them.

Certainly not trying to defend HPE's patch policies, but the hidden nugget is that if HPE patches get further and further behind, it will be more incentive for those Customers to jump to VSI.

Regards,

Kerry Main
Kerry dot main at starkgaming dot com