JMS@ARIZMIS.BITNET.UUCP (06/08/87)
AWALKER asks "why not post the patch?"

The reason is that software maintenance is something you pay for. There are lots of folks out there that don't pay for software maintenance, and thus are not "entitled" to any patch by Digital. The patch is copyright Digital Equipment Corporation, and anyone that distributes it is (a) violating copyright laws and more likely (b) putting their own software maintenance contract at risk. If Digital catches you putting something like that out, they have a variety of recourses available to them, starting with sending nasty letters to your local rep, through revoking your software licenses (you didn't realize that they can do that if you violate the Terms/Conditions you implicitly signed when you bought the license? Read the fine print again...), and up to the lawsuit level.

I think that Digital has started to send out the patch to maintenance customers anyway (i.e., you don't have to call to get it). If you don't get the patch in the next week, remember that your local Digital office is empowered to authorize you to get it from some other customer. I believe that the local office also has enough latitude to give you such a patch even if you're not on maintenance (although this may be a local *informal* decision).

We have two VMS maintenance contracts and got the patch (unsolicited) for one of them last week.

+-------------------------------+
| Joel M Snyder                 | BITNET: jms@arizmis.BITNET
| Univ of Arizona Dep't of MIS  | Internet: (temp. out of order)
| Tucson, Arizona 85721         | Pseudo-PhoneNET: (602) 621-2748
+-------------------------------+ ICBM: 32 13 N / 110 58 W
(I have gotten into trouble too many times to put any faith in disclaimers)
"There's nothing here that an overdose of Seconal won't cure."

mlinar@poisson.usc.edu.UUCP (06/08/87)
In article <8706080744.AA11345@ucbvax.Berkeley.EDU> JMS@ARIZMIS.BITNET writes:
>AWALKER asks "why not post the patch?"
>
>The reason is that software maintenance is something you pay
>for. There are lots of folks out there that don't pay for
>software maintenance, and thus are not "entitled" to
>any patch by Digital. The patch is copyright Digital Equipment
>Corporation, and anyone that distributes it is (a) violating
>copyright laws and more likely (b) putting their own software
>maintenance contract at risk. If Digital catches you putting
> .....
>to get it from some other customer. I believe that the local
>office also has enough latitude to give you such a patch
>even if you're not on maintenance (although this may be a
>local *informal* decision).
>

So what you are saying in effect is that if you did not buy a maintenance agreement for your car and the manufacturer discovered that every key works in every car, they will not tell you how to fix it? Maybe this is a poor analogy, but *bug* fixes are one thing and SECURITY problems are another. In particular, if you bought the product to have a secure o.s. and it is NOT, the manufacturer made a false claim and IS liable.

Before this drops to namecalling, it seems that DEC is very sensitive about this bug/patch and, as far as I can tell, is providing the information regardless of maintenance agreement - it is just more difficult if you do not have one. Unlike other bugs, this one has some legal footing for non-maintenance agreement customers, so this is a wise move.

-Mitch

tihor@acf4.UUCP (06/15/87)
Actually, Mitch, the problem is that if you do not have a software service contract (at least at self-maintenance level) it's hard for DEC to find out who you are. With this problem, as with a few mandatory hardware FCOs in the past, DEC is trying to reach all customers regardless of maintenance contract status for precisely these reasons. I would not be surprised if the publicity surrounding the patch was part of the reason for its wide distribution.

A car manufacturer with the lock problem you mentioned, even on 1% of its cars, could reach everyone by telling the media, but would probably go bankrupt from people suing them because their cars were stolen after the announcement.

Also, if a DEC Salesman told you VMS 4.4 or 4.5 was "Secure" in the C2-rating style they were wrong and you should tell their boss and have them fired, or at least reassigned. They might have made a reasonable presumption but they failed.