Oracle Patch Day Becoming Irrelevant
mocirac wak writes "Oracle's scheduled quarterly patch day is becoming more and more irrelevant. Oracle critical patches announced in the April 2006 CPU are still not available for download and the ETA is now set for May 15. The whole idea of a patch day was to let DBAs get prepared for testing and deployment. What's the use of having a patch day when there are no patches to download?" From the article: "... Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process. 'For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related,' Cerrudo said. 'They spend a lot of time creating these patches. Then, patch day comes around and the patches aren't available. Then, when the patches are finally released, it's normal to find that they are incomplete and fail to address the actual vulnerability,' he added."
Re:You don't need to patch! (Score:2)
Re:You don't need to patch! (Score:2)
Which part of "patches announced in the April 2006 CPU" did you not understand? If they announced them, then they need doing.
MOD PARENT DOWN (Score:2)
Re:You don't need to patch! (Score:2, Informative)
Anyone who reads bugtraq or the like will know it is shocking.
Take a look at http://www.securityfocus.com/archive/1/432399 [securityfocus.com] for an example.
Re:You don't need to patch! (Score:2)
We'll schedule a time to apply patches, but the stuff they've got all these "shocking" bugs in are the non-essential stuff.
Oh no! You can crash my application! Or you can crash my listener! At least you can't get to my credit card information, transaction logs, or anything sensitive.
Hell, lock the machines down the way you're supposed to do it, and 70% of the bugs are irrelevant anyway.
Practice go
Re:You don't need to patch! (Score:1)
Deal. (Score:5, Insightful)
If you have an alternative and they are able to serve you better, migrate. If not, suck it up and be thankful the mistakes of your vendor give you a well paying job.
Re:Deal. (Score:5, Insightful)
Either way, this is bad on Oracle's part.
Re:Deal. (Score:1)
How long will this be the case for though? With the ever-increasing number of real-world businesses growing up around MOGs (paying real money for items, selling/leasing in-game land, etc...) how long will it be before cracks and exploits start having an effect on real-world money?
For some, the security and integrity of the games involved will be as important to their business and profit as the operating systems they work
Re:Deal. (Score:2)
Games & virtual real estate will never impact the real-world economy significantly. Databases handle trillions of dollars worth of business transactions every year. Games will never reach that scale.
Define significantly (Score:2)
Are these businesses significant on the scale of a wire payment from Wal-Mart -> Rubbermaid not going through, or a trans
Re:Define significantly (Score:2)
If every electronic database froze up tomorrow, the worldwide economy would be significantly damaged.
If every WoW server crashed tomorrow, there would be very little impact on the worldwide economy.
Re:Define significantly (Score:2)
Re:Define significantly (Score:1)
Obviously if every WoW server crashed tomorrow it wouldn't seriously affect the economy (though you might have a hard time convincing Blizzard of that). And of course the exploiting of a game tomorrow, or next year, isn't going to impact more than a few smaller businesses. But in ten years? Fift
Re:Define significantly (Score:2)
Re:Define significantly (Score:2)
It's a different story with Oracle. Many companies buy Oracle database software not because it is the best available (though this is pretty much the case anyway) but
Re:Deal. (Score:2)
Re:Deal. (Score:5, Insightful)
An Oracle Database for a mid-sized website can easily cost hundreds of thousands of dollars. We pay Oracle Jockeys a 6 figure salary to maintain the behemoth. It's critical to the business. For that price, I expect top-of-the-line support.
I wouldn't expect stellar support for WoW -- it costs something like $20/month. I'm surprised you attempt to compare the two.
The total license fees for Microsoft products for a 100-person office (100 workstations, Exchange, a dozen Windows Servers) are relatively low compared to the cost of the Oracle Database. From Microsoft, I expect good support -- the product needs to behave well, we need access to emergency support, etc.
Re:Deal. (Score:2)
I mentioned MSFT for the same reason. Do you get good support from them? Better than MSFT? I hear they have a DB product they would like to sell you. If not, continue to use Oracle and deal with the mishaps they might have. That's why you have a job.
Re:Deal. (Score:2)
Re:Deal. (Score:1)
Way to troll... I'd never be thankful that the problems with software require me to spend more time with it. I didn't sign up on my job to "deal with bugs in software", I signed up to administer the damn thing. If the software worked the way it is supposed to, I'd have a hell of a lot more time to do more productive things, and a hell of a lot less stress. And I'm not speaking of Oracle specifically, this applies
Heaven Forbid! (Score:4, Insightful)
Re:Heaven Forbid! (Score:2)
Re:Heaven Forbid! (Score:4, Insightful)
Re:Heaven Forbid! (Score:5, Insightful)
It's Oracle's responsibility. If they can't do it now, they need to invest in their patch development so that they do.
Re:Heaven Forbid! (Score:1)
To give them a fair comment, I would say that I believe they have been doing a good job for quite a while and the security problems are not as problematic as they seem to many of the readers here.
Re:Heaven Forbid! (Score:1)
I'm really not sure I could agree with that.
If you follow the bugtraq mailing list you'll have seen several recent posts expressing increasing dissatisfaction with the way that Oracle has handled security issues. Including several mentions of one bug being fixed whilst nearly identical (and also public) ones have been ignored.
For a good exa
Seems like a bad idea to begin with. (Score:4, Insightful)
The problem with development is developers (Score:2, Interesting)
The truth of the matter is development is slow from lack of focus, and it starts with us
Re:The problem with development is developers (Score:2)
Construction is mostly a repeatable activity with known materials, and hard, fixed requirements.
Software development, on the other hand, often does not have the benefit of hard, fixed requirements. http://twasink.net/blog/archives/2004/10/if_architects_h.html [twasink.net] is the normal state of the software industry today.
Construction (and engineering for that matter) are mostly about repetition. Repeating y
Innovation does not happen on schedule. (Score:2)
When you are chasing bugs and adding new features...these things are quite variable.
Here's an analogy...wiring a car on an assembly-line takes constant time, but solving a wiring problem on an existing car takes variable time.
And these guys want to get into Linux? (Score:2, Interesting)
"Oracle promised them on May 1. Now they are saying some will come on May 10 and others will come on May 15. It's clear they are having big problems," Cerrudo said.
He said Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process.
"For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related," Cerrudo said.
"Th
Re: (Score:1)
Unbreakable? *smirk* (Score:1)
Sold my Oracle stock a long time ago (Score:3, Interesting)
Abhorrent lack of focus (Score:2, Informative)
CIP: E-Business Suite. Re:Abhorrent lack of focus (Score:2)
a.k.a.: "Look on my works, ye mighty, and have a chuckle at my goddamn expense."
Singlehandedly destroyed our call center response times (was at under 1m:00s on a bad day, under 0m:15s on a good day, promptly jumped up to about 10m:00s, and there were no more good days), and after running it for about 8 months now, it still regularly has to go down for essential upgrades. Part of that is, no doubt, the company's IT bungling and inadequate testing, but Oracle's eBS sucks.
It's horribly
From TFA (Score:2, Funny)
This Week on Ask Slashdot...
'Larry' has a company that sells database software and he's trying to get developers to release security patches that are both trouble free and actually fix security holes and other problems...and then finally get them to do all of this on time.
"Microsoft isn't good at
Re:From TFA (Score:3, Funny)
Good Thing? (Score:3, Insightful)
Re:Good Thing? (Score:2)
It's called customer service.... (Score:2, Informative)
ROI is important, and bad patch schedules and releases are not good ROI...
Is patch timing really an issue? (Score:3, Funny)
I could be missing the point here, and these are minor (yet critical) patches, but if they are, how come they are taking so much time to develop?
Re:Is patch timing really an issue? (Score:1)
That's the point. It IS broke. Oracle started these quarterly updates because severe vulnerabilities were being identified. If your systems are that far out of rev., you're going to be doing a lot of fancy footwork if your customers' data is stolen/hacked/etc.
I agree that trying to stay on top of all the myriad of patches They put out in the past was a losing battle, but this idea of a consolidated patchset has really changed that.
Personally, I had to just get o
Re:Is patch timing really an issue? (Score:1)
Also, I wrote:
>>but if there are fixes for giant security holes, then you're just asking for Bad Things to happen.
When I *should* have written:
but if there are fixes for giant security holes, and you ignore the fixes, then you're just asking for Bad Things to happen.
Goodness even 'preview' can't help me.
Software updates (Score:1)
Unofficial patches (Score:5, Funny)
Two issues are at work here... (Score:2, Insightful)
Sad state of Software Development in general.... (Score:2, Informative)
Most of the companies are not mature and entrenched with bureaucracy. Staff probably turns over twice a year now when a decade ago devoted "well paid" developers worked long hours to make sure a patch or update was ready for release.
Now from my perspective, as a DBA responsible for installing and overseeing the installation of software patches on database and application servers, I can't really say this is happening any longer.
I don't sim
This is not your father's Oldsmobile... (Score:4, Insightful)
It's the same story each release, Oracle marketing trumpets up the latest and greatest Java Parser! then everyone ignores it and goes back to Listeners (which consequently have very few bugs at this point).
So yeah, patches are important, and yeah I apply em, but with Oracle ONLY (and maybe Solaris) to me this is indeed not a big deal.
chitlenz
limited set unavailable? (Score:5, Insightful)
The article makes it sound like the target date was missed entirely, and while I know there are delays for some releases, others were made available as planned.
Why do I get the feeling that most of the complaining here is by people who don't actually use the product?
Re:limited set unavailable? (Score:3, Informative)
Metalink note 360465.1 has a table of patch levels required for database versions and patch release dates by OS. For 9.2.0.6, 9.2.0.7, 10.2.0.1 it looks like patches are available, and 10.2.0.2 is only awaiting the patch for the HP Itanium platform (expected today... I'm sure both sites who use Oracle on HP Itanium will be happy).
There is some delay in other Oracle versions on other platforms.
Re:limited set unavailable? (Score:2)
Yes, Oracle's slow on releasing patches sometimes. But their support prog
Re:limited set unavailable? (Score:1)
Re:limited set unavailable? (Score:1)
Unbreakable (Score:1)
If you think this applies to just their database software, think again. I've had Oracle ship me gold cut CDs for their OAS app server on several occasions and have seen Oracle Financials implementations go through over 1000 patches over the course of a year.
Amateurs (Score:1)
FTFS: But they are amateurs on everything security related.
Exactly - because only amateurs would force their customers to use cscript [wikipedia.org] as part of the patching process.
M$ and Firefox manage to release security patches that install themselves. Why can't/won't Oracle do the same?
Maybe it's job security for that abortion known as MetaLink [oracle.com].
Or maybe it's so these clowns [dba-oracle.com] can charge Oracle's customers $1000 an hour to not fix anything.
Re: (Score:1)
Wishful Thinking (Score:2)
One can dream, I suppose.
Offshore development problems (Score:2)
A "Fusion" of bugs (Score:1)
I found a solution!!! (Score:1)