Operating System - OpenVMS
1748224 Members
4515 Online
108759 Solutions
New Discussion юеВ

Re: Change to Patch services effective September 18, 2010

 
labadie_1
Honored Contributor

Re: Change to Patch services effective September 18, 2010

Steven said

>>>If it stays unresolved, then I expect to
begin migrating my primary computing
environment away from VMS fairly soon.

If the bright idea was to kill VMS, I think this will be a complete success.




Roger_Fraser
Occasional Advisor

Re: Change to Patch services effective September 18, 2010

"It seems to me if there is a defect (bug) in an operating system they sold, any patches to that o/s should be free. The LMF is there to make sure the o/s is "legal" right?"

Well said!

Also not being able to download from the FTP site will slow things down considerably.
Brian Reiter
Valued Contributor

Re: Change to Patch services effective September 18, 2010

At the moment, a support contract (if we had one) would be the first thing to go in terms of trying to save costs etc. (something our customers are very keen on).

It'll be interesting to see what would happen if some kind of horrendous failure could be pinned on the lack of upto date patches. The clash between a government and HP could be interesting (as long as you're not in the middle).

Given the we've already stumped up quite a lot of cash for the software and license, why shouldn't we qualify for patch support? After all microsoft do it without any kind of yearly fee.
Robert Atkinson
Respected Contributor

Re: Change to Patch services effective September 18, 2010

Steve Reece_3
Trusted Contributor

Re: Change to Patch services effective September 18, 2010

To find the patches, there's already the Point Secure Patch Analyzer. That doesn't help to download them though.

Patch Analyzer is free too...
Ian Miller.
Honored Contributor

Re: Change to Patch services effective September 18, 2010

how does Patch Analyzer discover what patches are available and will it work after this change?

Do contact your HP account manager or other suitable person about this change.
Note this change affects all HP OS, not just OpenVMS.
____________________
Purely Personal Opinion
Doug Phillips
Trusted Contributor

Re: Change to Patch services effective September 18, 2010

Are they going to add fine print to the sales agreement that says: "All software is sold and licensed 'as is' and we do not promise that anything will work according to its description and specifications." ??

I understand requiring a support agreement for updates: new features and new hardware support.

Patches to correct problems of safety (security) and non-conformance must be provided at no additional cost to lawful licensees.

IANAL but I hope HP has consulted their legal department. Of course, they might have been told 'Well, if a licensee complains too loudly, just give them the bug-patch. No one's going to spend the money to take us to court.'

So, given two competing software support models to choose from:

1) The model used by the most successful software company to ever exist and those successfully competing with that company.

2) The model used by organizations who have failed to compete with those following model #1.

HP chooses the model proven by history to be unsuccessful.
Richard Jordan
Regular Advisor

Re: Change to Patch services effective September 18, 2010

I posted my responses over on C.O.V. I also sent a message to the interim CEO via Hurd's link, and I'm working on notes to the board as well. This is a very bad decision on HP's part and it will negatively impact our remaining small (Open)VMS customers (and therefore us as well).

These customers do not have software contracts; they stay at the most recent version they had when either their initial contract expired, or what came on the system, but the patches have been critical on numerous occasions. When they upgrade its because they are buying a newer system, often an architecture change (our last VAX customer, a tiny shop, is prepping for an upgrade to an AlphaServer, and we've upgraded three Alpha sites to Itaniums). HP still gets the money, and most of them still have hardware support with HP, but the apps and programs are pretty static, and we haven't needed to place a software support call in many many years (2003 I think was the last one).

Not being able to get patches for the current customers, suddenly requiring a significant additional expense in order to correct flaws and problems in static version of VMS is a seriously big issue. I have NO doubt at all that it will drive some of them to make their next move off of VMS (the microsoft fanboys in the office are already champing at the bits).

Of course HP (and Compaq before) have been working for years to make the small VMS customers (and resellers, who were blown off shortly after the Compaq buyout) just go away so this is pretty much in line with their previous actions.

I'll also add... the recent huge changes in VMS engineering staffing and VMS support, and the exceptionally buggy nature of the V8.4 release (feels more like a .0 in many ways), makes the timing of this exceptionally unpleasant.
Dennis Handly
Acclaimed Contributor

Re: Change to Patch services effective September 18, 2010

>Dave: This can't be costing them much to maintain files on a ftp site.

I assume ftp sites don't allow them to check for a support contract.

>Doug: Patches to correct problems of safety (security)

Patches for security will still be available.
Craig A Berry
Honored Contributor

Re: Change to Patch services effective September 18, 2010

Dennis> Patches for security will still be available.

There is no indication of that in the announcement nor in the associated FAQ, so anyone making plans based on official statements will have to assume this is NOT the case.

Even if it does turn out to be the case, there's not always a clear distinction between security patches and other patches. For example, the confusingly enumerated "hp SSL V1.4 for OpenVMS" which is "Based on OpenSSL 0.9.8h" fixes a bunch of CVEs, but it was released as a regular patch, not a MUP.

Also, the implication that security is somehow a cordoned off and independent area from overall system reliability is quaint but simply wrong in this day and age. For example, search for the word "crash" in any of the recent RMS, or FIBRE_SCSI, or SYS update kits. Each of these describes a fix for an arcane and unusual set of circumstances under which something went terribly wrong. If those circumstances can happen by accident, then some of them can probably be made to happen on purpose and thus represent potential attack vectors. People without support contracts will be more vulnerable.

While my company does have a support agreement, this change still affects me because it makes the most difficult-to-use method for finding out what patches are available the only method. For example, Jim Duff's patch syndication at <> will stop working if the ftp site is shut down. It's unclear whether PointSecure's tool will continue to work. It's already a rather byzantine manual process to figure out what patches are available, what patches one already has, what the dependencies are, and so on. This adds one more hurdle.

The FAQ linked from the announcement says, "This change brings HP in alignment with accepted industry practices for software patch delivery." That's simply a false statement and damages HP's credibility. No other vendor we deal with has anything like it. There is only one HP badge in our entire data center: a solitary OpenVMS system. There is already a perception that HP is too difficult to deal with and OpenVMS is too different from our other systems. This just fuels that perception.