[Info-vax] A new VMS?
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Sat May 1 23:46:28 EDT 2021
On 2021-05-01, David Turner <dturner at islandco.com> wrote:
>
> Support?
>
> PARSEC
>
> BRUDEN
>
> SECTOR 7
>
I don't see how this is a viable option.

The typical timeline for a security issue these days goes something
like this, assuming that VSI management were to follow responsible
disclosure procedures (yeah, yeah, I know...):

Security researcher reports an issue to VSI (probably to one of the VSI
people directly as VSI doesn't have a security reporting mechanism)
and gives them a maximum of 90 days to fix the issue before revealing
the details.

VSI investigates, confirms the issue over the next few days and
requests a CVE.

VSI works on a patch, releases it within the 90 days and provides a
public reference for the patch so the CVE can be updated with a
summary of the vulnerability and made public. This is the first point
at which the above companies will know there is a security issue which
needs fixing.

Security researcher either then releases the details immediately after
the patch is released or they give users a little bit of time (up to
a month or so) to install the patch.

Question: how can the above support companies possibly develop and
release their own patch for the security issue immediately after the
VSI patch is released?

They may not have the vulnerability details if the researcher holds
off for a while before releasing them and they certainly don't have
an up to date buildable copy of the VMS sources which are used to
build the VSI releases.

In that situation, how could they possibly be an alternative to VSI
support?

> Numerous large companies like Park Place, IBM, etc etc etc
>

IBM does VMS support?

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.