Thanks David,

1. Even if you are right about the version numbers, we still have 5 different versions here.
2. Your claim about the sub-version is interesting. So Z/OS 2.4, just for example, all RSU levels are the same. I don't think so, and neither do the NVD administrators. Read the range of the affected versions. It includes all three levels.
3. I am sure your company does a great job with versioning.
4. The major issue with open source is that there is no formal life cycle. Usually it is a vendor product that you need to completely upgrade instead of installing a PTF. See your offering such as BASH. It is downloaded and installed. No service exists. Do you expect the user to check every day if there is a new version?

ITschak

Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for Z/OS, zLinux and IBM I | Email: i_mugz...@securiteam.co.il | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il

On Tue, Jan 18, 2022 at 4:52 AM David Crayford <dcrayf...@gmail.com> wrote:

> On 17/1/22 10:34 pm, ITschak Mugzach wrote:
> > Hi,
> >
> > We took the time to dive into the wider issue of open source and z/os. USS
> > is a scary jungle!
>
> Only to the ignorant.
>
> > Without many details on the how, we discovered that on our z/os 2.3 there
> > are 19 (!) different versions of Apache Ant: 1.5.3, 1.6.2, 1.6.5, 1.7.0,
> > 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.2, 1.8.2, 1.8.3, 1.8.4, 1.9.0, 1.9.2, 1.9.3,
> > 1.9.4, 1.9.6, 1.9.7, 1.9.8 used by 1000 plus jar files and sharing 4 CVEs.
>
> I take it you don't understand the concept of semantic versioning. Those
> are not all different versions, the last digit is the patch. We do this
> in our (mainframe) products too.
> In fact, we go further and add the Git commit hash to the version
> message so we can track the version the customer is running down to a
> line of code.
>
> Apache Ant is a build system and not part of a runtime. I don't share
> your concerns.
>
> > Nice divers... and as others may say "What you don't know doesn't hurt you".
> >
> > ITschak
> >
> > ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring
> > for z/OS, x/Linux & IBM I | z/VM coming soon
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN