Post by Bob Gezelter Post by John Dallman Post by Stephen Hoffman
OpenJDK and OpenSSL (assuming that's what "SSL3" is) will need frequent
security updates. Serious vulnerabilities show up in them fairly often.
I would hope that "annual release" does not refer to patches.
OpenSSL vulnerabilities need to be patched together with other OSes. Otherwise,
there will be issues with ongoing security compliance.
What the Roadmap says for OpenVMS v9.2-1 is that it will include "SSL3
built-in." It's a little cryptic but I'm pretty sure that has to mean
that they will be moving from OpenSSL 1.1.x to OpenSSL 3.x as part of
the base OS install. Some layered products are already beginning to
require OpenSSL 3.x as a prerequisite.
Patches to OpenSSL will obviously be much more frequent than annual
since that's what they've been doing already, e.g., OpenSSL 1.1.1s and
3.0.7 kits were released in the last few days. They haven't always been
up to the minute, but the release cadence with VSI is vastly better than
anything that ever happened in the CPQ/HP/HPE era.
The Roadmap clearly states, "VSI expects to release new operating system
versions on a yearly basis after 2023" so the annual thing obviously has
nothing to do with patches or layered product updates.