[comp.os.vms] VMS Security Patches

TIHOR@NYU-ACF1.ARPA.UUCP (06/11/87)

There is a clear need for a simple mechanism for DEC to distribute security
patches to VMS customers in a timely and comprehensive manner.

There are also competing interests with any mechanism for distributing bug
fixes.  (1) Get each patch out as fast as possible; (2) system software
environments are complex and all patches must be tested for unforeseen
interactions with other software and upgrades; (3) handling user problem
reports is much easier if the user's environment can be summarized as VMS
version X.Y and layered product version A.B than if a list of patches applied
must be presented; further, it is much more likely that the problem environment
will be correctly reported if it is encoded in a few small integers, the fewer
the better; (4) do not publicize the nature of security patches any more than
is absolutely necessary since this increases vulnerability of systems which
have not applied the patch.

VMS development has done a good job of developing Security Patches in a hurry
when they become aware of a problem.   Distributing these patches is less
clear.   Any method I have heard proposed creates a problem with one or
another of these interests and many fail to reach people who have bought VMS
but do not keep up to revision; few address people who are out of warranty and
not even self-maintenance.

The Security Working Group of DECUS's VAX Special Interest Group is trying to
address these issues and present DEC with some options they haven't thought of
(unlikely) and some idea of what we will trade off.  Hopefully a consensus
will emerge.

(Having watched the "publish and damn those who don't update" versus "tell no
one so that I will have time to apply the fix when it arrives" flames break
out several times in the past I doubt we can reach enough of a consensus to
get DEC to do anything but what their lawyers tell them is the safest thing to
do.)

-- Stephen Tihor
   Vice Chair
   Security Working Group
   VAX Special Interest Group
   Digital Equipment Computer Users Society
