Re: The Register: OpenVMS among most-secure of operating systems

From: Bob Koehler (koehler_at_eisner.nospam.encompasserve.org)
Date: 01/20/04


Date: 20 Jan 2004 12:11:16 -0600

In article <bujp02$e7a$1@new-usenet.uk.sun.com>, Andrew Harrison SUNUK Consultancy <Andrew_No.Harrison_No@nospamn.sun.com> writes:
>
> 1. Vendors evaluate the bugs in the OpenSource component
> on a per OS basis and you may have noted that the
> same release of the component gets different CERT
> advisories on different OSes (sometimes like
> HP from the same vendor). They generally only release
> patches if the bug causes a problem on their OS.
>
> This is true of HP's implementation of BIND on
> OpenVMS, there have been many more BIND advisories
> and patches to the generic BIND code than there
> have been patches released by HP. This point
> alone refutes your argument.

   Those two paragraphs disagree with each other. HP would not release
   a patch if its BIND didn't have a problem on OpenVMS, which is
   what the last sentence of your first paragraph says, but the second
   paragraph implies that this means HP is hiding something by not
   releasing patches just because lots of other systems were affected.

> 2. When HP, Process etc have evaluated the CERT advisories
> diligently and have found a vulnerability they have admitted
> that there is an OpenVMS hole and provided a specific patch
> or a recommended upgrade to a newer version

   They are not limited to doing so only when there is in fact a hole.
   The ACCVIO/restart behaviour is not a security hole, yet Process
   has released patches for it because it indicates a coding bug. Not
   all code bugs are security holes, and in this case they are not even
   harmful in a non-security related way, but they do reflect on the
   quality reputation of the vendor.