[Info-vax] Security, support and VMS, was: Re: A new VMS?
abrsvc
dansabrservices at yahoo.com
Mon May 3 14:18:42 EDT 2021
On Monday, 3 May 2021 at 12:28:34 UTC-4, Simon Clubley wrote:
> On 2021-05-03, David Turner <dtu... at islandco.com> wrote:
> > Well I was talking more about simple support. Not patching etc
> > There are a lot of customers out there happy and content with their
> > current status.
> > They just need a hand held when something goes wrong
> > I would say that goes for the majority of users out there.
> >
>
> Huh ??? The majority of VMS users don't care about keeping their
> systems up to date and fully patched ???
>
> I am having a hard time believing that...
>
> This isn't 20 years ago and anyone who acts like it is will find
> this out sooner or later.
>
> The thing about security is that you simply don't know if the
> next security issue that will affect you is just around the corner.
>
> Please tell me David is very wrong about this and that most VMS sites
> do consider themselves to be just as vulnerable as everyone else
> and take all the usual precautions as a result.
>
> If he is right about this, just think about what will happen when
> one of the security researchers decides to probe x86-64 VMS. Much of
> what they find, and they _will_ find vulnerabilities, will apply to
> earlier architectures as well.
>
> Simon.
>
> --
> Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
> Walking destinations on a map are further away than they appear.
If you take what you say to its full extent, then you would never see VAX/VMS V5.5 systems running today, nor Alpha V7.3-2 systems running today. I currently support both for more than 1 client each.
Yes, many OpenVMS systems remain at "known" levels for extended periods of time. This is one of the reasons for uptimes measured in years.
I would posit that until OpenVMS runs native on the hardware, the majority if not all of the holes will be with the OS under which VMS is running.
To take a pre-emptive strike... Yes, I know that you found a vulnerability in DCL that was there for a long time (and it was fixed), but that required you to be already connected. Do you have examples of overtaking the system WITHOUT access? While I won't claim that VMS is the best, you have to admit that a properly managed system is more secure than your standard Windows box. You don't read about VMS having problems with virus attacks or programs that run because you opened up an Email. These don't exist on VMS systems, they work differently. That is not to say there aren't any potential issues at all, but in the grand scheme of things, there are far fewer on VMS systems than on others.