[Info-vax] A few tools for improving software security

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Mon Jan 22 14:04:13 EST 2024


On 2024-01-22 13:25:22 +0000, Simon Clubley said:

> On 2024-01-21, Lawrence D'Oliveiro <ldo at nz.invalid> wrote:
>> On Sun, 21 Jan 2024 10:10 +0000 (GMT Standard Time), John Dallman wrote:
>> 
>>> That's two quite hard things, and starting on them now makes less sense 
>>> than carrying on with the current strategy, for good or ill.
>> 
>> I think that's called the "sunk-cost fallacy".
> 
> So VSI's choices are to either continue selling x86-64 systems to 
> customers and complete the missing bits, or they stop selling systems 
> for 3 years while they write a migration tool from the ground up for 
> something that will never be as close in operation as the first option 
> above.

Three years' effort is barely a start on the API coverage needed for a 
non-trivial app; for a porting library akin to Sector 7.

I'd expect the "kernel transplant" approach to take most of a decade. 
If it is even achievable without causing existing customers to migrate 
their own apps else-platform; either to Sector 7, or an incremental app 
port, or a wholesale port as has happened elsewhere.

Running on multiple platforms (past x86-64 and AArch64) isn't a big 
selling point for commercial installations either, and that support 
adds vendor testing and qualification and customer support costs for 
each of the platforms. And adds costs for ISVs.

And all for no obvious benefit. Yeah, a kernel transplant would 
probably make another port (AArch64 or maybe RISC-V) in a decade or two 
slightly easier. But that at the cost of a lack of focus; of customers 
getting fewer enhancements for another decade, and at the cost of 
customers simply waiting for the next port, and with all the usual 
disruptions and delays of a port for those that do migrate.

Not gonna happen. Not until well after VSI is a whole lot bigger and a 
whole lot better funded, and is encountering some hard limits in their 
chosen hardware platform and tooling.

And I still haven't heard a sales pitch for which kernel to pick, as 
Linux is but one of many fine choices. And GPL'd Linux quite possibly 
not the best choice for grafting a closed-source commercial platform.

> Hmmm, I wonder which option they will choose ? :-)

This whole scheme reminds me of a sales deal from some years ago, where 
a vendor migrated a customer off the vendor's own proprietary platform, 
and onto a commodity platform.

The customer was quite happy with their purchase.  The vendor did get 
that last server hardware sale, but at no small migration cost, and 
with ~no long-term future with that customer.


TL;DR: epic troll, or epic dumb.


-- 
Pure Personal Opinion | HoffmanLabs LLC 



