Security

Oracle Patch Day Becoming Irrelevant

mocirac wak writes "Oracle's scheduled quarterly patch day is becoming more and more irrelevant. Oracle critical patches announced in the April 2006 CPU are still not available for download and the ETA is now set for May 15. The whole idea of a patch day was to let DBAs get prepared for testing and deployment. What's the use of having a patch day when there are no patches to download?" From the article: "... Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process. 'For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related,' Cerrudo said. 'They spend a lot of time creating these patches. Then, patch day comes around and the patches aren't available. Then, when the patches are finally released, it's normal to find that they are incomplete and fail to address the actual vulnerability,' he added."


  • Deal. (Score:5, Insightful)

    by gregfortune ( 313889 ) on Friday May 05, 2006 @11:18AM (#15270284)
    Just because they are a large, successful company doesn't mean schedules are solid and sufficient resources are made available. Microsoft is wildly successful, but faces the same problems. World of Warcraft is wildly successful, but faces the same problems. Ultimately, we still have people involved and people make mistakes. People estimate incorrectly. Stuff happens (c).

    If you have an alternative and they are able to serve you better, migrate. If not, suck it up and be thankful the mistakes of your vendor give you a well paying job.
  • Heaven Forbid! (Score:4, Insightful)

    by Enonu ( 129798 ) on Friday May 05, 2006 @11:20AM (#15270300)
    Heaven forbid that a company take its time testing a patch to make sure it's up to some level of standard. The poster even pointed out that historically, there've been problems with the patches in the past. Maybe patch day should move to quarterly updates for all but the most extreme patches in order to increase quality.
  • by FatSean ( 18753 ) on Friday May 05, 2006 @11:25AM (#15270332)
    Anyone involved with software knows that NOTHING gets done on schedule. Smells of a marketing idea that got pushed onto the developers. I mean, it is a good idea...just not very practical.
  • Re:Deal. (Score:5, Insightful)

    by squidguy ( 846256 ) on Friday May 05, 2006 @11:36AM (#15270410)
    The difference is, security bugs in WoW cannot manifestly impact worldwide commerce (outside of Blizzard's books), national security and all the other things Oracle (and MSFT, unfortunately) are involved with.

    Either way, this is bad on Oracle's part.
  • Good Thing? (Score:3, Insightful)

    by zaguar ( 881743 ) on Friday May 05, 2006 @11:38AM (#15270420)
    A lot of big business runs on Oracle. Governments, Banks, Corporations, etc. Rushing out a patch with fatal flaws, exploitable flaws would potentially cause more damage to the world than the worst predictions of Y2K. I am glad that Oracle are thoroughly testing the patches before they roll them out. I know the DBAs will test the patches, but there is no substitute for vendors testing the patches.
  • Re:Deal. (Score:5, Insightful)

    by EnronHaliburton2004 ( 815366 ) * on Friday May 05, 2006 @11:55AM (#15270545)
    There is a pretty big difference in Scale. You can't compare WoW to Oracle.

    An Oracle Database for a mid-sized website can easily cost hundreds of thousands of dollars. We pay Oracle Jockeys a 6 figure salary to maintain the behemoth. It's critical to the business. For that price, I expect top-of-the-line support.

    I wouldn't expect stellar support for WoW -- it costs something like $20/month. I'm surprised you attempt to compare the two.

    The total license fees for Microsoft products for a 100-person office (100 workstations, Exchange, a dozen Windows Servers) is relatively low compared to the cost of the Oracle Database. From Microsoft, I expect good support -- the product needs to behave well, we need access to emergency support, etc.
  • by packet919 ( 207827 ) on Friday May 05, 2006 @11:59AM (#15270588)
    First, patches are inevitable for any application or system. Humans write code and humans make mistakes. Patches are like security incidents; if you think you don't have them (or in the case of patches, don't need them), you aren't looking hard enough. To the comment above about why patches are needed (and to all you "my system is totally secure" Mac-heads out there)...even OpenBSD, with all its code review processes for every release, has security vulnerabilities from time to time (go ahead, look them up). The QA/QC process just can't find every little bug before release.

    Second, patches for something as critical as Oracle is within most enterprises MUST be fully examined and qualified. The comment above about being a year or two behind on patches because patches might break stuff is relevant here. Again, humans write code and humans make mistakes, even on code meant to fix other broken code. Look at Apple's recent patch-to-fix-a-patch-to-fix-a-patch issue from several weeks back. I applaud Oracle for trying to get quality patches out. However, I would say that there comes a point when you just have to feel comfortable with the patch you have and get it out the door. Better to look like you're doing something while you get things together, even if what you do is not ideal, than to look like you're doing nothing and appear incompetent or unresponsive.
  • Re:Heaven Forbid! (Score:5, Insightful)

    by Bacon Bits ( 926911 ) on Friday May 05, 2006 @12:05PM (#15270622)
    If you want to charge people $25,000 for your software, you damn well better patch promptly and completely.

    It's Oracle's responsibility. If they can't do it now, they need to invest in their patch development so that they do.

  • Re:Heaven Forbid! (Score:4, Insightful)

    by Oswald ( 235719 ) on Friday May 05, 2006 @12:16PM (#15270722)
    Actually, you probably meant to say "semi-annually," but that too ignores the point that Oracle should be allocating enough resources to patch vulnerabilities at the rate they are discovered. "Correct patches, delivered fast enough to keep up with the bugs," should be the standard, not "correct patches as fast as we can get around to them with what we've got handy."
  • Lest we forget, Oracle as a database system is exponentially more complex than Unix itself, and in fact will probably come to include a linux distro before it's all over. Oracle is a funny company, they make REALLY REALLY good databases (no... I mean it), but then they go out and release buggy features with holes in em. The truth? Most of these holes are in shit like ONames (the oracle version of computer browser... Let me expand on this a bit, for 8i ONames had a security hole that was fixable by using the ip address instead of UNC names for target boxes. Easy to workaround, and really more of an annoyance). Long story short, Oracle's the BEST at databases, not because they have some great code team somewhere in a closet doing innovative things but because they've been working on the same core product since 1977.

    It's the same story each release, Oracle marketing trumpets up the latest and greatest Java Parser! then everyone ignores it and goes back to Listeners (which consequently have very few bugs at this point).

    So yeah, patches are important, and yeah I apply em, but with Oracle ONLY (and maybe Solaris) to me this is indeed not a big deal.

    chitlenz

  • by Fro Ingwe ( 523932 ) on Friday May 05, 2006 @12:25PM (#15270812)
    I'm an Oracle DBA by trade and was able to patch my test systems running Oracle 9iR2 within days of the scheduled release date.

    The article makes it sound like the target date was missed entirely, and while I know there are delays for some releases, others were made available as planned.

    Why do I get the feeling that most of the complaining here is by people who don't actually use the product?
