   comp.os.vms      DEC's VAX* line of computers & VMS.      264,096 messages   

   Message 264,041 of 264,096   
   Arne Vajhøj to gcalliet   
   Re: security for the old man   
   06 Feb 26 22:46:17   
   
   From: arne@vajhoej.dk   
      
   On 2/6/2026 4:31 AM, gcalliet wrote:   
   > I am doing an investigation about security for "latecomers" VMS users (Vax,   
   > Alpha, Itanium on HP licence).   
   >   
   > It seems to be a not-so-little number of users. And for them, to adapt   
   > to the fast cycles about security (SSH, SSL for example) is a challenge.   
   >   
   > I know the Process Software offer for that, able to work with everything   
   > on VMS. Are there other offers, methods, Open Source initiatives...?   
   >   
   > Every idea, information welcomed.   
      
   That challenge is due to having an inconsistent system   
   strategy.   
      
   VMS VAX is 25+ years old. HP VMS Alpha and HP VMS Itanium   
   are 10+ years old.   
      
   I would assume that relatively few recent software packages   
   support those old OS versions.   
      
   An old OS with old software packages is likely to have   
   vulnerabilities.   
      
   There are two consistent approaches to that:   
      
   A) Always update to supported version. For VMS that   
       means VSI VMS on Alpha, Itanium or x86-64. And expect   
       VSI to close vulnerabilities when they are found.   
      
   B) Live by the "If it ain't broke, don't fix it" mantra.   
       Old OS, old TCP/IP, old everything. Security is not   
       provided by the system but around the system. Network   
       security, physical security etc. mitigate the risk from   
       the old stuff. This is not a great solution, but it may   
       be possible to achieve an acceptable security level. Not   
       all servers are running internet web servers.   
      
   But it sounds like they are asking for the inconsistent:   
      
   C) Keep the old OS as is without updating it, but always   
       update the software packages on it.   
      
   Difficult to provide. Many/most software packages will   
   not support very old VMS versions. For business reasons:   
   too few customers to make a business case. For technical   
   reasons: the software package needs a newer C RTL or   
   newer system services or something else new.   
      
   The right recommendation is: upgrade to VMS 9.x on x86-64.   
      
   The alternative somewhat questionable recommendation is:   
   keep what you have and build security around the systems.   
      
   If the reason for not upgrading is the issue of needing   
   to run on supported physical HW not a VM, then contact   
   VSI.   
      
   I know VSI has been presented with the issue many times   
   before. But there is a huge difference between "we think   
   it would be nice if VSI supported a few physical HW servers"   
   and "we are ready to buy N VMS licenses if you can support   
   physical HW servers".   
      
   If enough customers come with the latter, then VSI can   
   do the math and see that there is extra money in supporting   
   physical HW servers.   
      
   Arne   
      
