On 26/05/2023 4:28 am, Kurt J. Quackenbush wrote:
> Glad to hear it works great and "management will love it."  If you find value
> in this capability I encourage you to reach out to your other software providers and
> request they also start signing their packages.  I know one in particular is already
> working on it, but not sure about the many others.

What about non-SMP/E delivered software?

What would be nice to see is a function where e.g. APF and linklist libraries at least were required to be signed. I know there was a discussion some time back on the difficulties with load modules due to reblocking etc.

However, we can also sign things on z/OS e.g. SMF data. So you could have a local signing key usable for functions like the binder and IEBCOPY, and under certain conditions e.g.
- all input is signed
- IEBCOPY etc. is APF authorized
the reblocked module is signed with the local key, maintaining a chain of signatures that can be validated back to the original package.

For other components (panels etc.) it would be much easier to validate a signature. So it would be nice to be able to look at everything and see that it is either unchanged from a vendor, or something modified locally.

--
Andrew Rowley
Black Hill Software

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
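
Added example, not part of the original message and not IBM or vendor code: a sketch of the signature chain proposed above, where a utility re-signs its output with a local key only if it is authorized and every input carries a valid signature. HMAC-SHA256 stands in for real asymmetric signatures so that the sketch needs only the standard library; the keys, the record layout, the function names and the `authorized_tools` set (a stand-in for an APF authorization check) are all assumptions.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC-SHA256 is a stand-in for real asymmetric signatures.
KEYS = {"vendor": b"constructed-vendor-key", "local": b"constructed-local-key"}

def digest(data):
    return hashlib.sha256(data).hexdigest()

def _mac(signer, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, "sha256").hexdigest()

def sign(signer, content, inputs=(), tool=None):
    """Signature record binding the content hash to the records of its inputs."""
    body = {"signer": signer, "sha256": digest(content),
            "tool": tool, "inputs": list(inputs)}
    return {**body, "sig": _mac(signer, body)}

def chain_valid(rec):
    """True if every link verifies and every root of the chain is a vendor record."""
    if rec.get("signer") not in KEYS:
        return False
    body = {k: v for k, v in rec.items() if k != "sig"}
    if not hmac.compare_digest(_mac(rec["signer"], body), rec.get("sig", "")):
        return False
    if rec["signer"] == "vendor":
        return not rec.get("inputs")          # a vendor record is the root of a chain
    inputs = rec.get("inputs")
    return bool(inputs) and all(chain_valid(i) for i in inputs)

def local_resign(output, input_records, tool, authorized_tools):
    """Sign with the local key only when both conditions from the post hold."""
    if tool not in authorized_tools:          # stand-in for the APF authorization check
        return None
    if not input_records or not all(chain_valid(r) for r in input_records):
        return None                           # an input is unsigned or fails validation
    return sign("local", output, input_records, tool)

def classify(content, rec):
    """Return 'vendor-original', 'locally-modified' or 'invalid'."""
    if rec is None or digest(content) != rec.get("sha256") or not chain_valid(rec):
        return "invalid"
    return "vendor-original" if rec["signer"] == "vendor" else "locally-modified"
```

The sketch checks only the signature records of the inputs; a real utility would also hash the input data it reads and compare it with each record before signing.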