[Info-vax] A new VMS?

David Turner dturner at islandco.com
Mon May 3 10:16:11 EDT 2021


Well, I was talking more about simple support, not patching etc.
There are a lot of customers out there happy and content with their 
current status.
They just need a hand held when something goes wrong.
I would say that goes for the majority of users out there.




On 5/2/2021 11:40 AM, Arne Vajhøj wrote:
> On 5/1/2021 11:46 PM, Simon Clubley wrote:
>> On 2021-05-01, David Turner <dturner at islandco.com> wrote:
>>> Support?
>>>
>>> PARSEC
>>>
>>> BRUDEN
>>>
>>> SECTOR 7
>>
>> I don't see how this is a viable option.
>>
>> The typical timeline for a security issue these days goes something
>> like this, assuming that VSI management were to follow responsible
>> disclosure procedures (yeah, yeah, I know...):
>>
>> Security researcher reports an issue to VSI (probably to one of the VSI
>> people directly as VSI doesn't have a security reporting mechanism)
>> and gives them a maximum of 90 days to fix the issue before revealing
>> the details.
>>
>> VSI investigates, confirms the issue over the next few days and
>> requests a CVE.
>>
>> VSI works on a patch, releases it within the 90 days and provides a
>> public reference for the patch so the CVE can be updated with a
>> summary of the vulnerability and made public. This is the first point
>> at which the above companies will know there is a security issue which
>> needs fixing.
>>
>> Security researcher either then releases the details immediately after
>> the patch is released or they give users a little bit of time (up to
>> a month or so) to install the patch.
>>
>> Question: how can the above support companies possibly develop and
>> release their own patch for the security issue immediately after the
>> VSI patch is released ?
>>
>> They may not have the vulnerability details if the researcher holds
>> off for a while before releasing them and they certainly don't have
>> an up to date buildable copy of the VMS sources which are used to
>> build the VSI releases.
>>
>> In that situation, how could they possibly be an alternative to VSI
>> support ?
>>
>
> For closed source all support vendors are not created equal.
>
> The one with the source has some advantages.
>
>>> Numerous large companies like Park Place, IBM, etc etc etc
>>
>> IBM does VMS support ?
>
> Never heard about it.
>
> But I can not see why the consultant branch of IBM should turn
> down money to do VMS support. Their business is to provide what the
> customers are willing to pay for.
>
> Arne
>
>



