VMS Python: Calling sys$trnlnm()

[Andrew Shaw]

Hi folks,

I have a technical Python question I need help with.
I've posted to the forum on vmspython.org, (now that its back up - Thanks JPF) but the last activity there was 6 months ago so I'm unsure how active it is, so thought I would try here as well - apologies if this isn't the right forum, but I know there are seriously clever folks here !

Here's my post from over there, with my issue:


I'm making a call to trnlnm() in my Python code and need some help decomposing the Itemlist I'm getting back.

My call looks like this:

attr=0
s, d = trnlnm (attr,
"LNM$FILE_DEV",
"MYLOGICAL",
None,
(
itemList(LNM__STRING),
itemList(LNM__ATTRIBUTES)
)
)

The call seems to work in that d[LNM__STRING] gives me my logical equivalence name back as a string - perfect.

I also want to know the TRANS=TERMINAL attribute of the logical.
Hence me also providing LNM__ATTRIBUTES as the second item in the itemlist.

What I get back in d[LNM__ATTRIBUTES] is what looks like a 4 byte "string" of unprintable ASCII. when I print the d dictionary I see this:
d = {2: 'MY_EQUIV_STR', 3: '\x01\x07\x01\x00'}

I understand that (in the C world anyway) this second item is a bitmask which you can & with the constant LNM$M_TERMINAL and you get True or False according to whether the TERMINAL bit is set. This works 100% in my sample C code where I do exactly that.
This is what I am struggling to replicate in Python.

Any attempt to do masking on this field gives me a type mismatch error between str and long. the dict entry seems to be a string of 4 bytes, but unprintable and I haven't found a way to turn this into something I can do a mask on - or even interpret another way.

The above hex string is what I get when I pass it a TRANS=TERM logical
When I pass it a logical which is NOT TERM, I get a slightly different "string" back: \x00\x04\x01\x00
So it is different by a couple of bits and I'm hoping that's the difference I am looking for. The other different bit *may* be the CONCEALED attribute, I haven't investigated enough yet.

Any tips?

[erga...@gmail.com]

Possibly trnlnm could be fixed to coerce the return value to an int. I'll leave that to smarter people than me. However, the struct module is what you need to solve the immediate problem.

from struct import unpack

from vms.itemList import *
from vms.lnmdef import *
from vms.starlet import trnlnm

attr=0
s, d = trnlnm (attr,
"LNM$FILE_DEV",
"MYLOGICAL",
None,
(
itemList(LNM__STRING),
itemList(LNM__ATTRIBUTES)
)
)

attrib = d[LNM__ATTRIBUTES]
attrib = unpack('<I', attrib)[0]
print(attrib & LNM_M_TERMINAL)

[Andrew Shaw]

HaHa - Nice - thanks you very much.
struct does indeed look like my missing link.
I had seen vague reference to it, but wasn't sure.
I will def play with this now - appreciate the pointer (pun intended) !!!

[Jean-François Piéronne]

You can try

itemList(LNM__ATTRIBUTES, dtype=il_unsignedLong)


JFP

--
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
https://www.avast.com/antivirus

[erga...@gmail.com]

On Friday, 27 March 2020 10:01:50 UTC, Jean-François Piéronne wrote:

> itemList(LNM__ATTRIBUTES, dtype=il_unsignedLong)

This is obviously the non-hacky way of doing it. Still struct is a useful tool to have in your bag.

[VAXman-]

... and all of this is considered readable and maintainable? :(

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

I speak to machines with the voice of humanity.

[Andrew Shaw]

If there’s a more readable and maintainable way to determine the TERMINAL attribute of a logical from a Python program then I’m all ears :-)

[erga...@gmail.com]

On Friday, 27 March 2020 11:59:08 UTC, VAXman- wrote:
> ... and all of this is considered readable and maintainable? :(

It's just an itemlist API. If that scares you too much, you can join Stephen in the corner ;)

[Dave Froble]

On 3/27/2020 7:58 AM, VAX...@SendSpamHere.ORG wrote:
> ... and all of this is considered readable and maintainable? :(
>

WHAT!

You didn't notice all those comments in the example code to explain
what's happening ?

Oh, wait ....

Ok, I'll admit, I cannot read Python, nor do I understand Python ...

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: da...@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486

[Simon Clubley]

On 2020-03-27, Dave Froble <da...@tsoft-inc.com> wrote:
> On 3/27/2020 7:58 AM, VAX...@SendSpamHere.ORG wrote:
>> ... and all of this is considered readable and maintainable? :(
>>

Yes. Mostly.

The struct stuff requires a little care to make sure you don't create
something unreadable, but the rest of it is very readable Python.

You will need to look at the documentation to see how to call trnlnm()
but that's no different from calling it from C.

Calling trnlnm() by itself without any prefix looks a little unusual
to someone used calling system services from C or another language,
but it's documented right there in the from statement at the top of
the program where that was imported from.

>
> WHAT!
>
> You didn't notice all those comments in the example code to explain
> what's happening ?
>
> Oh, wait ....
>
> Ok, I'll admit, I cannot read Python, nor do I understand Python ...
>

Python has some very nice high level datatype constructs which allows
you to write clean and highly functional code without a lot of
boilerplate code.

Here are some examples from the Python 2 manual:

https://docs.python.org/2/tutorial/datastructures.html

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

[Jan-Erik Söderholm]

Den 2020-03-27 kl. 19:49, skrev Simon Clubley:
> On 2020-03-27, Dave Froble <da...@tsoft-inc.com> wrote:
>> On 3/27/2020 7:58 AM, VAX...@SendSpamHere.ORG wrote:
>>> ... and all of this is considered readable and maintainable? :(
>>>
>
> Yes. Mostly.
>
> The struct stuff requires a little care to make sure you don't create
> something unreadable, but the rest of it is very readable Python.
>
> You will need to look at the documentation to see how to call trnlnm()
> but that's no different from calling it from C.

And, if you do not need all the options, you can use the lib$get_logical
interace in Python which has a simpler interface.

http://www.vmspython.org/doku.php?id=vmsrtlexample

[Andrew Shaw]

On Saturday, March 28, 2020 at 9:51:42 AM UTC+11, Jan-Erik Söderholm wrote:

>
> And, if you do not need all the options, you can use the lib$get_logical
> interace in Python which has a simpler interface.
>
> http://www.vmspython.org/doku.php?id=vmsrtlexample
>

I originally started with lib$get_logical and that worked perfectly for returning me the equivalence string, but once I realised I also needed the TRANS=TERM attribute I couldn't see a way to get that from lib$get_logical and so I turned to SYS$TRNLNM.

If I missed that in lib$get_logical then that's my bad - feel free to show me the error of my ways, because that is a much simpler interface.

But I think I have the answers I need now so about to press on with some testing :-)

[Andrew Shaw]

Thanks folks for all your feedback, problem is now solved :-)

I went with unpack in the end - I agree that its a useful tool to have in your belt and so I wanted to understand it.

End result is below, for those worried about "readability and maintainability" :-)

Not quite finished testing yet, so will no doubt get minor bug fixes, but the shell is there.


# Translation worked
bResult = True
strResult = d[LNM__STRING]

# itemList(LNM_ATTRIBUTES) is returned as a hex "string" that needs to be interpreted as a bitmask
# The unpack routine takes care of this, by turning it into an unsigned int we can then mask
#
attrib = d[LNM__ATTRIBUTES]

# On our current Itanium Blades we are little-endian (<)
# '<' = Little endian
# 'I' = unsigned int

attrib = unpack('<I', attrib)[0]

# Check to see if the LNM_M_TERMINAL bit is set
if ( (attrib & LNM_M_TERMINAL) == LNM_M_TERMINAL ):
bTerminal = True
# Stop translating
else:
bTerminal = False
# Go around again

#=========================================
# Testing
# ----------------------------------------
# TRANS=TERMINAL Logicals
# -----------------------
# - LOG-1 = 512
# - LOG-2 = 512, Terminal
# - LOG-3 = 512, Terminal
#
# TRANS=(not) TERMINAL Logicals
# -----------------------------
# - LOG-4 = 0
# - LOG-5 - crashed when not found.
# now trapped in try/except
# - LOG-6 - 0, NOT Terminal
#
#=========================================

[Jan-Erik Söderholm]

Den 2020-03-28 kl. 01:32, skrev Andrew Shaw:
> On Saturday, March 28, 2020 at 9:51:42 AM UTC+11, Jan-Erik Söderholm
> wrote:
>
>>
>> And, if you do not need all the options, you can use the
>> lib$get_logical interace in Python which has a simpler interface.
>>
>> http://www.vmspython.org/doku.php?id=vmsrtlexample
>>
>
> I originally started with lib$get_logical and that worked perfectly for
> returning me the equivalence string, but once I realised I also needed
> the TRANS=TERM attribute I couldn't see a way to get that from
> lib$get_logical and so I turned to SYS$TRNLNM.
>

> If I missed that in lib$get_logical then that's my bad...

Never said you did. I said "if you do not need all the options". That
seams to include reading the TRANS=TERM attribute, as far as I understand.

> - feel free to show me the error of my ways,

Is there an error? I don't know.

[Andrew Shaw]

All good !

[Jean-François Piéronne]

On Saturday, March 28, 2020 at 9:51:42 AM UTC+11, Jan-Erik Söderholm wrote:

[snip]>

> And, if you do not need all the options, you can use the lib$get_logical
> interace in Python which has a simpler interface.
>
> http://www.vmspython.org/doku.php?id=vmsrtlexample
>
>

You can find some examples on
https://repos.sysgroup.fr/OpenVMS/vmspython/files/tip/

The current latest revision for starlet examples :

https://repos.sysgroup.fr/OpenVMS/vmspython/files/edbeedeee985ae2b77d73121f10dc3cfa6d8c450/python/local/vms/starlet/tests


[snip]

JF

[Phillip Helbig (undress to reply)]

In article <5e7f17f0$0$15169$426a...@news.free.fr>,
=?UTF-8?Q?Jean-Fran=c3=a7ois_Pi=c3=a9ronne?= <jf.pi...@laposte.net>
writes:

> L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
> https://www.avast.com/antivirus

Corona aussi?

[Arne Vajhøj]

On 3/27/2020 7:58 AM, VAX...@SendSpamHere.ORG wrote:

> ... and all of this is considered readable and maintainable? :(

I consider:

from vms.itemList import *
from vms.lnmdef import *
from vms.starlet import trnlnm

attr=0
s, d = trnlnm (attr,
"LNM$FILE_DEV",
"MYLOGICAL",
None,

( itemList(LNM__STRING), itemList(LNM__ATTRIBUTES,
dtype=il_unsignedLong) ) )

print('%d %s %s' % (s, d[LNM__STRING], (d[LNM__ATTRIBUTES] &
LNM_M_TERMINAL) != 0))

more readable and maintainable than:

.title attr
$SSDEF
$DSCDEF
$LNMDEF
.psect $PDATA quad,pic,con,lcl,shr,noexe,nowrt
atrmsk: .long 0
tbldsc: .ascid "LNM$FILE_DEV"
logdsc: .ascid "MYLOGICAL"
itmlst: .word 256
.word LNM$_STRING
.address trn
.address trnlen
.word 4
.word LNM$_ATTRIBUTES
.address atr
.long 0
.long 0
dir: .ascid "!SL !AS !AS"
truedsc: .ascid "True"
falsedsc: .ascid "False"
.psect $LOCAL quad,pic,con,lcl,noshr,noexe,wrt
trndsc: .word 256
.byte DSC$K_DTYPE_T
.byte DSC$K_CLASS_S
.address trn
trn: .blkb 256
trnlen: .blkl 1
atr: .blkl 1
resdsc: .word 256
.byte DSC$K_DTYPE_T
.byte DSC$K_CLASS_S
.address buf
buf: .blkb 256
buflen: .blkl 1
.psect $CODE quad,pic,con,lcl,shr,exe,nowrt
.entry attr,^m<>
pushal itmlst
pushl #0
pushal logdsc
pushal tbldsc
pushal atrmsk
calls #5,G^SYS$TRNLNM
movw trnlen,trndsc
bitl #LNM$M_TERMINAL,atr
beql 100$
pushal truedsc
brb 200$
100$: pushal falsedsc
200$: pushal trndsc
pushl r0
pushal resdsc
pushal buflen
pushal dir
calls #6,G^LIB$SYS_FAO
movw buflen,resdsc
pushal resdsc
calls #1,G^LIB$PUT_OUTPUT
movl #SS$_NORMAL,r0
ret
.end attr

:-)

Arne

[VAXman-]

Who writes macro code that ugly and unreadable? You?

[Arne Vajhøj]

On 4/2/2020 7:21 AM, VAX...@SendSpamHere.ORG wrote:
> In article <r63hte$af$1...@gioia.aioe.org>, =?UTF-8?Q?Arne_Vajh=c3=b8j?= <ar...@vajhoej.dk> writes:
>> On 3/27/2020 7:58 AM, VAX...@SendSpamHere.ORG wrote:
>>> ... and all of this is considered readable and maintainable? :(
>>
>> I consider:

[Python code]

>> more readable and maintainable than:

[Macro-32 code]

> Who writes macro code that ugly and unreadable? You?

Guilty as charged.

Arne

[Arne Vajhøj]

What is the problem?

That I do not use $FAO_S?

Arne

[Dave Froble]

On 4/2/2020 7:21 AM, VAX...@SendSpamHere.ORG wrote:

I found the Macro-32 readable. Maybe not the same as I'd write it, but
readable. I did not find the Python readable. Perhaps it's because I
do not know Python.

I'm curious. How would you write the Macro-32? Maybe I can learn
something.

[Jan-Erik Söderholm]

Or more important, what is the ratio between those that know Python
and those that know Macro32?

Maybe something like 10.000 Python programmers for each Macro32 programmer?

And I can write a web server CGI process in 100 lines of Python including
Rdb, JSON and HTTP/HTML handling.

The whole comparison is a bit silly. Oranges and apples, as they say…

[Arne Vajhøj]

On 4/2/2020 11:16 AM, Jan-Erik Söderholm wrote:
> Or more important, what is the ratio between those that know Python
> and those that know Macro32?
>
> Maybe something like 10.000 Python programmers for each Macro32 programmer?

At least.

I would expect the number of people remembering enough Macro-32 to get
something working to be a few thousand (most of them including me a bit
rusty).

The number of Python developers has been estimated to be just below
the 10 million mark. And there must be some (including me) that know
a little Python without considering oneself a Python developer.

And then one can think about the numbers in the below 35 age category.

Arne

[Dave Froble]

How many of those 10 million would recognize, and therefore easily read,
the (I'm guessing) VMS extension to Python for the logical name translation?

Ok, I'm being my normal pain-in-the-ass self here, I'm aware that Python
has plenty of library routines that allow one to avoid writing custom
code. Just as VMS has the LIB$ routines.

My only point was, the simpler things are, the easier to read and
understand.

And from that perspective, is there anything available for Python that
is equivalent to:

HELP RTL LIB$

[Arne Vajhøj]

On 4/2/2020 1:51 PM, Dave Froble wrote:
> On 4/2/2020 11:27 AM, Arne Vajhøj wrote:
>> On 4/2/2020 11:16 AM, Jan-Erik Söderholm wrote:
>>> Or more important, what is the ratio between those that know Python
>>> and those that know Macro32?
>>>
>>> Maybe something like 10.000 Python programmers for each Macro32
>>> programmer?
>>
>> At least.
>>
>> I would expect the number of people remembering enough Macro-32 to get
>> something working to be a few thousand (most of them including me a bit
>> rusty).
>>
>> The number of Python developers has been estimated to be just below
>> the 10 million mark. And there must be some (including me) that know
>> a little Python without considering oneself a Python developer.
>>
>> And then one can think about the numbers in the below 35 age category.
>

> How many of those 10 million would recognize, and therefore easily read,
> the (I'm guessing) VMS extension to Python for the logical name
> translation?

The number that know the specific call must be very small.

They will just know the language and be able to read the
documentation.

> Ok, I'm being my normal pain-in-the-ass self here, I'm aware that Python
> has plenty of library routines that allow one to avoid writing custom
> code.  Just as VMS has the LIB$ routines.
>
> My only point was, the simpler things are, the easier to read and
> understand.
>
> And from that perspective, is there anything available for Python that
> is equivalent to:
>
> HELP RTL LIB$

Standard library:

https://docs.python.org/2/library/
https://docs.python.org/3/library/

For all the extra stuff including the VMS stuff it depends
on the author(s).

And there is a lot of stuff out there.

Per pypi themselves then the pip installer has over 225000
libraries with 1.7 million versions to chose from.

Arne

[Dave Froble]

I might ask, with that many possibilities, how does one find what one
needs? Might take 10 years to select a routine.

[Arne Vajhøj]

pypi.org has a search function.

One use the internet to find out what other people have
tried and their experience.

Arne

[Bill Gunshannon]

On 4/2/20 3:58 PM, Arne Vajhøj wrote:
>
>
> One use the internet to find out what other people have
> tried and their experience.

Angie's List for software development. You should trust these
people because your neighbors did.

bill

[Dave Froble]

Are you implying that it may be too much to expect to get sources for
routines one might choose to use?

And yeah, you raise a very good point. When I write anything, I know
what it will do. I always provide sources for whatever I produce.

[Arne Vajhøj]

On 4/2/2020 4:27 PM, Dave Froble wrote:
> On 4/2/2020 4:03 PM, Bill Gunshannon wrote:
>> On 4/2/20 3:58 PM, Arne Vajhøj wrote:
>>> One use the internet to find out what other people have
>>> tried and their experience.
>>
>> Angie's List for software development.  You should trust these
>> people because your neighbors did.
>
> Are you implying that it may be too much to expect to get sources for
> routines one might choose to use?
>
> And yeah, you raise a very good point.  When I write anything, I know
> what it will do.  I always provide sources for whatever I produce.

My guess is that all the Python code comes with source.

:-)

Arne

[Arne Vajhøj]

On 4/2/2020 4:03 PM, Bill Gunshannon wrote:

It is actually pretty similar.

If you need to replace your windows and need a good
carpenter, then you first ask around among people that
you trust - if they have a recommendation then all
good. If you don't get any recommendation you try
the internet anonymous review market and pick
someone with lots of reviews and >4 stars.

If you need a RESTful web service client framework
for Python, then you first ask in forums where you
know the people and know that they generally know
what they are talking about - if they have a
recommendation then all good. If you don't get
any recommendation you try the internet web sites
with "10 best ..." lists and pick something that are on
most lists.

Arne

[Bill Gunshannon]

On 4/2/20 4:27 PM, Dave Froble wrote:
> On 4/2/2020 4:03 PM, Bill Gunshannon wrote:
>> On 4/2/20 3:58 PM, Arne Vajhøj wrote:
>>>
>>>
>>> One use the internet to find out what other people have
>>> tried and their experience.
>>
>> Angie's List for software development.  You should trust these
>> people because your neighbors did.
>
> Are you implying that it may be too much to expect to get sources for
> routines one might choose to use?

I am implying that betting the ranch on work based on someone
you know nothing about who just happens to think they're a
"professional programmer" is not something I would want to do.

>
> And yeah, you raise a very good point.  When I write anything, I know
> what it will do.  I always provide sources for whatever I produce.
>

And would you incorporate an algorithm into one of your
programs that you couldn't actually do yourself but you
found it on the internet?

bill

[Bill Gunshannon]

And, like PHP, mostly undecipherable but what the hell,
that's no reason to not trust it. Just grab that stuff
off the internet cause everybody writing code out here
is a professional software engineer.

bill

[Bill Gunshannon]

On 4/2/20 5:47 PM, Arne Vajhøj wrote:
> On 4/2/2020 4:03 PM, Bill Gunshannon wrote:
>> On 4/2/20 3:58 PM, Arne Vajhøj wrote:
>>> One use the internet to find out what other people have
>>> tried and their experience.
>>
>> Angie's List for software development.  You should trust these
>> people because your neighbors did.
>
> It is actually pretty similar.
>
> If you need to replace your windows and need a good
> carpenter, then you first ask around among people that
> you trust - if they have a recommendation then all
> good. If you don't get any recommendation you try
> the internet anonymous review market and pick
> someone with lots of reviews and >4 stars.

Sorry, this just has me laughing to hard to write anything
serious about it. As I stated somewhere else recently, the
world (at least the US but I expect we are not alone) has
totally lost u8nderstanding of the concepts trust and risk.

bill

[Dave Froble]

Hell no!

If I cannot understand it, then "it does not work".

[Dave Froble]

How about I design and write my own ????

[Arne Vajhøj]

On 4/2/2020 6:24 PM, Dave Froble wrote:
> On 4/2/2020 6:19 PM, Bill Gunshannon wrote:
>> On 4/2/20 4:27 PM, Dave Froble wrote:
>>> And yeah, you raise a very good point.  When I write anything, I know
>>> what it will do.  I always provide sources for whatever I produce.
>>>
>>
>> And would you incorporate an algorithm into one of your
>> programs that you couldn't actually do yourself but you
>> found it on the internet?
>
> Hell no!
>
> If I cannot understand it, then "it does not work".

Hmmmm.

Pretty tough criteria.

So we need to understand OS design well enough to be able
to write an OS, understand compilers well enough to be
able to write a compiler, understand cryptographic
theory before you use a cryptographic library.

I don't think that is efficient.

Arne

[Arne Vajhøj]

On 4/2/2020 6:26 PM, Dave Froble wrote:
> On 4/2/2020 5:47 PM, Arne Vajhøj wrote:
>> On 4/2/2020 4:03 PM, Bill Gunshannon wrote:
>>> On 4/2/20 3:58 PM, Arne Vajhøj wrote:
>>>> One use the internet to find out what other people have
>>>> tried and their experience.
>>>
>>> Angie's List for software development.  You should trust these
>>> people because your neighbors did.
>>
>> It is actually pretty similar.
>>
>> If you need to replace your windows and need a good
>> carpenter, then you first ask around among people that
>> you trust - if they have a recommendation then all
>> good. If you don't get any recommendation you try
>> the internet anonymous review market and pick
>> someone with lots of reviews and >4 stars.
>>
>> If you need a RESTful web service client framework
>> for Python, then you first ask in forums where you
>> know the people and know that they generally know
>> what they are talking about - if they have a
>> recommendation then all good. If you don't get
>> any recommendation you try the internet web sites
>> with "10 best ..." lists and pick something that are on
>> most lists.
>

> How about I design and write my own ????

If you can't find anything that is a good match
and of an acceptable quality then you have to.

But if you can find something then reinventing the
wheel is a waste of money.

Arne

[Jan-Erik Söderholm]

Should that have been:

So we need to understand OS design well enough to be able

to *use* an OS, understand compilers well enough to be
able to *use* a compiler, understand cryptographic

[Arne Vajhøj]

On 4/2/2020 8:29 PM, Jan-Erik Söderholm wrote:
> Den 2020-04-03 kl. 00:49, skrev Arne Vajhøj:
>> On 4/2/2020 6:24 PM, Dave Froble wrote:
>>> On 4/2/2020 6:19 PM, Bill Gunshannon wrote:
>>>> On 4/2/20 4:27 PM, Dave Froble wrote:
>>>>> And yeah, you raise a very good point.  When I write anything, I know
>>>>> what it will do.  I always provide sources for whatever I produce.
>>>>
>>>> And would you incorporate an algorithm into one of your
>>>> programs that you couldn't actually do yourself but you
>>>> found it on the internet?
>>>
>>> Hell no!
>>>
>>> If I cannot understand it, then "it does not work".
>>
>> Hmmmm.
>>
>> Pretty tough criteria.
>>
>> So we need to understand OS design well enough to be able
>> to write an OS, understand compilers well enough to be
>> able to write a compiler, understand cryptographic
>> theory before you use a cryptographic library.
>>
>> I don't think that is efficient.
>

> Should that have been:
>
> So we need to understand OS design well enough to be able
> to *use* an OS, understand compilers well enough to be
> able to *use* a compiler, understand cryptographic
> theory before you use a cryptographic library.

That would make sense.

But then you would also just need to understand how
to call a library not how it works.

:-)

Arne

[Jan-Erik Söderholm]

You need to know *what* it does, not *how* it does it.

Anyway, all this was a comment on the statement that "if I do not
understand it, then "it does not work"." It is of course a matter
of the meaning of "understand". You need to understand the call
interface and the expected outcome, but not always the internal
details.

And as usual, such sloopy statements are worthless in itself.

And I do not agree that you never can use anything that you haven't
written yourself.

[Dave Froble]

I agree. Don't like NIH. But what if the wheel is flat on the bottom?

I just wonder sometimes how many back doors exist in open source stuff.

[Dave Froble]

One needs to consider what Bill wrote.

From a supposed reliable vendor, such as VSI, if you trust them, then
use of their products is reasonable. That is not what Bill wrote.

>>>>>> And would you incorporate an algorithm into one of your
>>>>>> programs that you couldn't actually do yourself but you
>>>>>> found it on the internet?

Read that again. "Found on the internet" is the key phrase.
Questionable trust for such. Trust is the key word.

[Jan-Erik Söderholm]

"Found on the internet" can mean so many things. There are both less
and more reliable sources "on the internet". It is no different than when
you decide if you can rely on VSI or not. It is not that “the internet” is
only totally unknown places. Even the VSI homepage is "on the internet".
Does that make *that* web page less reliable?

[gérard Calliet]

All that is a discution which cannot be ended.
Because it's about 2 cultural worlds totally different. And in each of
them, "trust" is built with totally different methods.
For example, for the Open Source world, a totally proprietary solution,
with no access to the sources, is essentially untrustable.
And the code made by small teams (for example IBM :) ), structured teams
sharing structured concepts, has not the same way of searching for quality.
And the cycles of development are also very different.
And their success stories are generally not in the same domains.

The point here is we cannot avoid now to be confronted to a
confrontation between the 2 worlds. There will be a lot of work to
imagine a safe collaboration.

One or two things I think could be good:
- use the more adapted to the situations: do ssl with openssl, don't
redevelop heart of good application in javascript,
- use segmented subsystem, well separated,
- apply the sprecific method quality of a world to itself: trust VSI and
have a Q/A style on quality where VSI is a unique center ; have the
sources of VMS ports kit of Open Source project, and let them read by
the relevant Open Source community,
- forget the prejudices between the 2 worlds :) ,
- ...

Gérard Calliet

[Arne Vajhøj]

I will answer with a question: if you were to create a program with a
backdoor would you prefer to distribute a binary or source code?

:-)

Arne

[Arne Vajhøj]

>> You need to know *what* it does, not *how* it does it.
>>
>> Anyway, all this was a comment on the statement that "if I do not
>> understand it, then "it does not work"." It is of course a matter
>> of the meaning of "understand". You need to understand the call
>> interface and the expected outcome, but not always the internal
>> details.
>>
>> And as usual, such sloopy statements are worthless in itself.
>>
>> And I do not agree that you never can use anything that you haven't
>> written yourself.
>
> One needs to consider what Bill wrote.
>
> From a supposed reliable vendor, such as VSI, if you trust them, then
> use of their products is reasonable.  That is not what Bill wrote.
>
> >>>>>> And would you incorporate an algorithm into one of your
> >>>>>> programs that you couldn't actually do yourself but you
> >>>>>> found it on the internet?
>
> Read that again.  "Found on the internet" is the key phrase.
> Questionable trust for such.  Trust is the key word.

But what does "found on the internet" and "questionable trust"
really mean?

Does it mean that stuff downloaded via HTTPS is less trustworthy
than stuff from a CD?

That does not make any sense.

Does it mean that stuff that comes with source code is less
trustworthy than stuff coming as binary?

Certainly not. It is the other way around. Source enables
review.

Does it mean that free stuff is less trustworthy than stuff
you are paying for?

I doubt it. People are not running Windows and IIS instead
of Linux and Apache because paying MS guarantee better security
and quality of the product.

It is indeed a matter of trust.

We trust VSI. We don't trust "Evil Spyware Inc.".

We trust a Python package used by hundreds of thousands all
over the world. We don't trust a piece of Python code posted
to comp.lang.python from someone nobody ever heard about.

Arne

[Robert A. Brooks]

On 4/3/2020 8:43 AM, Arne Vajhøj wrote:
>
> We trust VSI. We don't trust "Evil Spyware Inc.".

I heard that ESI uses Ada . . .

--
-- Rob

[Arne Vajhøj]

That may mean very reliable spyware.

:-)

Arne

[Bill Gunshannon]

Open Source, probably none as someone would find them.
Now, in proprietary stuff......

I recently saw an article talking about the risk in using
Zoom because it is a Chinese company and you are giving them
access to a lot of data (It was a DOD person writing it.)
Of course, they recommended Microsoft Meeting, which also
passes all your data thru a third party who has no more
reason to be trusted than the Chinese.

bill

[Bill Gunshannon]

Exactly. See my other comment on "Trust" and "Risk".

bill

[Bill Gunshannon]

No, the source could be the same.

>
> That does not make any sense.
>
> Does it mean that stuff that comes with source code is less
> trustworthy than stuff coming as binary?

Exact opposite.

>
> Certainly not. It is the other way around. Source enables
> review.
>
> Does it mean that free stuff is less trustworthy than stuff
> you are paying for?

Paying does not guarantee quality. Or reason to trust.

>
> I doubt it. People are not running Windows and IIS instead
> of Linux and Apache because paying MS guarantee better security
> and quality of the product.
>
> It is indeed a matter of trust.

Often misplaced trust. That was one of my point.

>
> We trust VSI. We don't trust "Evil Spyware Inc.".

People in this group know a lot of the people who work at
VSI. That gives, at least, a modicum of reason to trust
them.

>
> We trust a Python package used by hundreds of thousands all
> over the world. We don't trust a piece of Python code posted
> to comp.lang.python from someone nobody ever heard about.

Sadly, more people would trust the second item than should.

bill

[VAXman-]

In article <r67bk2$qhd$1...@dont-email.me>, "Robert A. Brooks" <FIRST...@vmssoftware.com> writes:

>On 4/3/2020 8:43 AM, Arne Vajhøj wrote:
> >
>> We trust VSI. We don't trust "Evil Spyware Inc.".
>

>I heard that ESI uses Ada . . .

SPECTRE does too!

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

I speak to machines with the voice of humanity.

[erga...@gmail.com]

On Friday, 3 April 2020 15:11:21 UTC+1, Bill Gunshannon wrote:

> I recently saw an article talking about the risk in using
> Zoom because it is a Chinese company and you are giving them
> access to a lot of data (It was a DOD person writing it.)

Last time I looked, San Jose was in the People's Republic of
California.

[Arne Vajhøj]

Zoom is headquartered in San Jose, California.

And their main web site is:
https://zoom.us/
^^

Only Chinese about it seems to be that theie CEO was born in China.

Arne

[Bill Gunshannon]

Your point? China isn't the only threat. Any time you let
any of your data into other peoples hands you loose control
over its security.

bill

[Arne Vajhøj]

On 4/3/2020 12:35 PM, Bill Gunshannon wrote:
> On 4/3/20 11:23 AM, erga...@gmail.com wrote:
>> On Friday, 3 April 2020 15:11:21 UTC+1, Bill Gunshannon  wrote:
>>> I recently saw an article talking about the risk in using
>>> Zoom because it is a Chinese company and you are giving them
>>> access to a lot of data (It was a DOD person writing it.)
>>
>> Last time I looked, San Jose was in the People's Republic of
>> California.
>
> Your point?

Probably that Zoom is not a Chinese company.

:-)

Arne

[Dave Froble]

I remember from some years back a piece of DCL code that seemed totally
innocent. Until it was run and various symbol values or such was put
together into a very not innocent command string.

Unless the source is inspected very carefully, having the source may not
be enough. Maybe need Steve's "jails" and such.

[Dave Froble]

Alexa, what time is it?

[Andy Burns]

Bill Gunshannon wrote:

> I recently saw an article talking about the risk in using
> Zoom because it is a Chinese company

Huh?

<https://www.nasdaq.com/market-activity/stocks/zm/sec-filings>

[Bill Gunshannon]

https://www.forbes.com/sites/thomasbrewster/2020/04/03/warning-zoom-sends-encryption-keys-to-china-sometimes/#5cbc71893fd9

bill

[Bill Gunshannon]

https://www.forbes.com/sites/thomasbrewster/2020/04/03/warning-zoom-sends-encryption-keys-to-china-sometimes/#5cbc71893fd9

bill

[Arne Vajhøj]

Did you read it the article?

That article does not claim that Zoom is a Chinese company.

The CEO was born in China and they have developers in China, but that
does not make it a Chinese company.

Just like Microsoft is not an Indian company.

Arne

[Arne Vajhøj]

And the article itself is a bit weak technically.

If I have read it correctly then the problems are:
1) they use AES-123 and not AES-256
2) they use ECB and not CBC (or one of the other chaining techniques)
3) they use encryption between end user and data center and not
from end user to end user
4) they have a data centers in US, Canada, Brazil, Germany,
Netherlands, Australia, India, Japan and China

#1 is not a problem until quantum computing becomes a reality.

#2 is a big coding fuck-up that they should fix ASAP.

#3 is a questionable design from a security perspective, but
they are not the only one with that design.

#4 is a potential problem because in China the chinese state
can request whatever they want. That problem would go away
if #3 was changed.

So Zoom is not doing a good job.

But the headline "Zoom Sends Encryption Keys To China" is
unethical journalism. It is technically true (if you do
end user to data center encryption and the data center
happens to be in China then the encryption key is in
China). But it gives the readers some totally wrong
associations about a malicious application sending
a copy of the keys to the Chinese intelligence agencies.

Arne

[Andy Burns]

Yeah sure, I've seen plenty of devices that "phone home" to e.g. servers
based on Tencent Cloud, but that doesn't make it a Chinese company.

[Simon Clubley]

On 2020-04-02, Arne Vajhøj <ar...@vajhoej.dk> wrote:
> On 4/2/2020 10:52 AM, Arne Vajhøj wrote:
>> On 4/2/2020 7:21 AM, VAX...@SendSpamHere.ORG wrote:
>>> In article <r63hte$af$1...@gioia.aioe.org>, =?UTF-8?Q?Arne_Vajh=c3=b8j?=
>>> <ar...@vajhoej.dk> writes:
>>>> On 3/27/2020 7:58 AM, VAX...@SendSpamHere.ORG wrote:
>>>>> ... and all of this is considered readable and maintainable? :(
>>>>
>>>> I consider:
>>
>> [Python code]
>>
>>>> more readable and maintainable than:
>>
>> [Macro-32 code]
>>
>>> Who writes macro code that ugly and unreadable?  You?
>>
>> Guilty as charged.
>
> What is the problem?
>
> That I do not use $FAO_S?
>
> Arne
>

I wonder how much Macro-32 code would be required to implement associative
arrays/sets/lists/etc and then test for membership as well as retrieving
and using items from the data structures ? :-)

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

[Simon Clubley]

> you decide if you can rely on VSI or not. It is not that ?the internet? is

> only totally unknown places. Even the VSI homepage is "on the internet".
> Does that make *that* web page less reliable?
>

VSI/HPE found bash/Apache/the GNV tools/etc on the Internet before
packaging them for use on VMS.

VSI are currently in the process of adding LLVM/CMake/Python to that list.

There will be security issues in them just as there are in VMS itself and
there will be new versions released as a result.

What is interesting (and unknown to me) is how much testing and evaluation
of those products do VSI do before packaging them ? Is it OpenBSD level of
review or something less intense ? Is the OpenBSD approach considered to
be too resource consuming for VSI when there are a number of large packages
to review before packaging ?

https://www.openbsd.org/security.html

[erga...@gmail.com]

On Monday, 6 April 2020 13:17:02 UTC+1, Simon Clubley wrote:

> I wonder how much Macro-32 code would be required to implement associative
> arrays/sets/lists/etc and then test for membership as well as retrieving
> and using items from the data structures ? :-)

Most of SYSLNM.MAR, I imagine.