On 2017-09-13 13:04:58 +0000, Rod Regier said:
> I would speculate that whoever coded the 5 year value presumed that the
> OpenVMS instance would be indefinitely receiving patching and/or
> version upgrades.
Too clever by half. It's a test for a valid system time returned from
the hardware, and a test that would have involved a rather lively
discussion in many conceivable design or code review meetings.
At some point, VSI is going to have to look at online patch checks and
reporting support information status to the system manager, but this
design and this check for a valid system time isn't it.
Some Alpha systems have firmware that returns wacky values, and some
systems have had other operating systems save their time in a format
that OpenVMS doesn't recognize, or the system time is wrong because the
coin cell clock batteries are only good for five or ten years, and the
Dallas chips also fail. As an example of a bogus boot time,
AlphaStation XP1000 SRM is old and is buggy, and that SRM can't be
updated, and older versions of SRM had a bug that returns time values
in a format that is completely out-of-spec for what SRM console was
supposed to return; values for the time that OpenVMS wasn't expecting.
That case has been fixed in current patches.
> That turns out *not* to be a universal circumstance in the long term
> for sites running older versions of OpenVMS for which sustaining
> engineering is no longer extant.
Those "older" OpenVMS releases might be familiar and comfortable but
can still manifest latent problems and issues. not the least of which
is severely down-revision crypto, and known-insecure network services.
Attempts to create connections to or from releases prior to a fairly
recent IP patch will be rejected by other common systems, for instance.
There are more than a few known CVEs cases that OpenVMS is vulnerable
— the security marketing and CVE "count" web page over at VSI is a
gross misrepresentation and one that does a disservice to VSI, to
OpenVMS, and to OpenVMS customers — and there are other cases where
OpenVMS systems can be used as part of DDoSes against other network
denizens.
If this were a notification of the end of support, it'd be better off
issued as a message at the boot. Which would have been easier than
coding a time check of an image build date at boot. And much more
clear than forcing a prompt of the time at boot.
> Since patches apparently flow from HP Sustaining Engineering more sites
> over time will experience this behavior.
IIRC, current UPDATE patches removed the validity check for the system
time, or at least reworked it. Well, yeah, but that's the way of
running fossil versions under the delusions upgrades don't fix problems
that you have and just don't know about (yet).
I've probably heard every excuse and every justification for running
old releases of OpenVMS and layered products, too. Those folks that
run do those older configurations are simply getting better at
disconnecting their servers from all other computing, and never
changing anything; unchanging hardware or software or system time or
otherwise. For the rest of us, the bill for falling behind on
patches and system and app version upgrades and migrations inevitably
and eventually comes due. Sometimes in very strange and unpredictable
ways. Sometimes — such as with connections and security being a
moving target, and as even supposedly-isolated systems are increasingly
being exposed to attackers — in very predictable ways.
TL;DR: get to current UPDATE patches on HPE OpenVMS V8.4, with plans
for or deployments of VSI OpenVMS releases and eventually to port to
VSI OpenVMS on x86-64. Or for staff at those sites, have plan to
retire or re-hire elsewhere before the bill comes due and the mess
becomes un-ignorable. We're on an upgrade treadmill now, and the
remaining static and never-upgrade software installations are embedded
and disposable.
ps: VSI folks: you're missing a huge marketing opportunity with your
pricing, if I understand what you're licensing for the prices and
packaging that you're now quoting.