TIHOR@NYU-ACF1.ARPA.UUCP (06/11/87)
There is a clear need for a simple mechanism for DEC to distribute security patches to VMS customers in a timely and comprehensive manner. There are also competing interests with any mechanism for distributing bug fixes: (1) get each patch out as fast as possible; (2) system software environments are complex and all patches must be tested for unforeseen interactions with other software and upgrades; (3) handling user problem reports is much easier if the user's environment can be summarized as VMS version X.Y and layered product version A.B than if a list of patches applied must be presented; further, it is much more likely that the problem environment will be correctly reported if it is encoded in a few small integers, the fewer the better; (4) do not publicize the nature of security patches any more than is absolutely necessary, since this increases vulnerability of systems which have not applied the patch.

VMS development has done a good job of developing Security Patches in a hurry when they become aware of a problem. Distributing these patches is less clear. Any method I have heard proposed creates a problem with one or another of these interests, and many fail to reach people who have bought VMS but do not keep up to revision. Few address people who are out of warranty and not even self-maintenance.

The Security Working Group of DECUS's VAX Special Interest Group is trying to address these issues and present DEC with some options they haven't thought of (unlikely) and some idea of what we will trade off. Hopefully a consensus will emerge. (Having watched the "publish and damn those who don't update" versus "tell no one so that I will have time to apply the fix when it arrives" flames break out several times in the past, I doubt we can reach enough of a consensus to get DEC to do anything but what their lawyers tell them is the safest thing to do.)
--
Stephen Tihor
Vice Chair, Security Working Group
VAX Special Interest Group
Digital Equipment Computer Users Society