
Oracle Patch Day Becoming Irrelevant

Zonk posted more than 8 years ago | from the patches-on-patch-day-seems-logical dept.

Security 76

mocirac wak writes "Oracle's scheduled quarterly patch day is becoming more and more irrelevant. Oracle critical patches announced in the April 2006 CPU are still not available for download and the ETA is now set for May 15. The whole idea of a patch day was to let DBAs get prepared for testing and deployment. What's the use of having a patch day when there are no patches to download?" From the article: "... Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process. 'For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related,' Cerrudo said. 'They spend a lot of time creating these patches. Then, patch day comes around and the patches aren't available. Then, when the patches are finally released, it's normal to find that they are incomplete and fail to address the actual vulnerability,' he added."


76 comments

You don't need to patch! (-1)

Amiga Lover (708890) | more than 8 years ago | (#15270239)

The whole idea of a patch day was to let DBAs get prepared for testing and deployment. What's the use of having a patch day when there are no patches to download?"

Well maybe there are no patches that need doing? I mean maybe the assumption after using window$ so much is that there always should be patches but what about the situation where oracle is secure from one month to the next and nothing needs patching to keep it secure?

Why complain then?

Re:You don't need to patch! (1)

UnidentifiedCoward (606296) | more than 8 years ago | (#15270260)

Did you read the statement? Patches supposed to be available are not ready yet, so it is not that there is not something to fix; the fix has not been delivered on time.

Re:You don't need to patch! (1)

Tx (96709) | more than 8 years ago | (#15270270)

Well maybe there are no patches that need doing?

Which part of "patches announced in the April 2006 CPU" did you not understand? If they announced them, then they need doing.

MOD PARENT DOWN (1)

gEvil (beta) (945888) | more than 8 years ago | (#15270338)

Someone mod this moron down. It's clear that he didn't even read TFSummary. CRITICAL patches announced in April are still not available. He somehow reads that as "there is no need to patch anything"...

Re:You don't need to patch! (2, Informative)

fm2503 (876331) | more than 8 years ago | (#15270363)

Have you seen Oracle's security record recently?
Anyone who reads bugtraq or the like will know it is shocking.
Take a look at http://www.securityfocus.com/archive/1/432399 [securityfocus.com] for an example.

Re:You don't need to patch! (1)

j_snare (220372) | more than 8 years ago | (#15271418)

I know that I certainly look at the list of bugfixes in the patches and note that we usually don't need them.

We'll schedule a time to apply patches, but the stuff they've got all these "shocking" bugs in are the non-essential stuff.

Oh no! You can crash my application! Or you can crash my listener! At least you can't get to my credit card information, transaction logs, or anything sensitive.

Hell, lock the machines down the way you're supposed to do it, and 70% of the bugs are irrelevant anyway.

Practice good security and use good programming practices on your side, and you won't even sniff at the holes people bring up. I mean, who the hell grants the ability to look at the DBA_USERS table to everyone anyway?

The GP is right. You may actually not really need to patch.

Re:You don't need to patch! (1)

Zerbs (898056) | more than 8 years ago | (#15270429)

I think what the parent post might have been trying to get at, is that not every company will necessarily need these patches even when they are available. If you're not using the products that are outward facing or have the vulnerabilities, and your Oracle database server is secure so that hackers on the internet can't even get to it, then it isn't as high of a priority. I've worked at a number of companies that use Oracle databases but don't use Oracle products for their application server or web interface.

Deal. (4, Insightful)

gregfortune (313889) | more than 8 years ago | (#15270284)

Just because they are a large, successful company doesn't mean schedules are solid and sufficient resources are made available. Microsoft is wildly successful, but faces the same problems. World of Warcraft is wildly successful, but faces the same problems. Ultimately, we still have people involved and people make mistakes. People estimate incorrectly. Stuff happens (c).

If you have an alternative and they are able to serve you better, migrate. If not, suck it up and be thankful the mistakes of your vendor give you a well paying job.

Re:Deal. (4, Insightful)

squidguy (846256) | more than 8 years ago | (#15270410)

The difference is, security bugs in WoW cannot manifestly impact worldwide commerce (outside of Blizzard's books), national security and all the other things Oracle (and MSFT, unfortunately) are involved with.

Either way, this is bad on Oracle's part.

Re:Deal. (1)

FreakyLefty (803946) | more than 8 years ago | (#15270651)

The difference is, security bugs in WoW cannot manifestly impact worldwide commerce
How long will this be the case for though? With the ever-increasing number of real-world businesses growing up around MOGs (paying real money for items, selling/leasing in-game land, etc...) how long will it be before cracks and exploits start having an effect on real-world money?

For some, the security and integrity of the games involved will be as important to their business and profit as the operating systems they work on.

Re:Deal. (1)

EnronHaliburton2004 (815366) | more than 8 years ago | (#15270797)

You're living in fantasy land.

Games & virtual real estate will never impact the real-world economy significantly. Databases handle trillions of dollars worth of business transactions every year. Games will never reach that scale.

Define significantly (1)

alexhmit01 (104757) | more than 8 years ago | (#15270848)

I have a small business. We generate traffic from search engines. A hiccup in a system (ours, our ISP's, Google's, Yahoo's, etc.) can cost us serious money, and potentially put us out of business and our employees out of jobs. Those that have businesses built around WoW can potentially lose money if Blizzard chokes on their mailing of the money, or other things beyond their control.

Are these businesses significant on the scale of a wire payment from Wal-Mart -> Rubbermaid not going through, or a transfer from Nike to their textile plant in China?

Of course not.

However, for those that own those businesses and work in those businesses, it is just as significant.

Point being, as the online games generate larger and larger supporting economies, downtime ceases to just be an inconvenience (and potential loss of customers... certainly some users on the edge between continuing to play and quitting are pushed to the quit side when they can't play when they want), and begins to affect the livelihood of many.

The fact that it isn't your livelihood doesn't mean that it doesn't exist. Sure, WoW related activities won't be at the level of a trading desk at Citi, but it still affects people and that matters.

Re:Define significantly (1)

EnronHaliburton2004 (815366) | more than 8 years ago | (#15271753)

Significant on a global scale, as in "manifestly impact worldwide commerce". Oracle bugs can cause significant effects on a global scale. A bug in WoW affects a much smaller part of the population.

If every electronic database froze up tomorrow, the worldwide economy would be significantly damaged.

If every WoW server crashed tomorrow, there would be very little impact on the worldwide economy.

Re:Define significantly (1)

cayenne8 (626475) | more than 8 years ago | (#15271904)

What are they talking about? I just downloaded the patches for 64 bit Solaris 2 days ago from Oracle....

Re:Define significantly (1)

FreakyLefty (803946) | more than 8 years ago | (#15273999)

But further down the line, when there is a much larger amount of business based around games, when there are games specifically to provide and create business, a problem in a game would have a far larger effect.

Obviously if every WoW server crashed tomorrow it wouldn't seriously affect the economy (though you might have a hard time convincing Blizzard of that). And of course the exploiting of a game tomorrow, or next year, isn't going to impact more than a few smaller businesses. But in ten years? Fifty? It's a young industry...

I think in the near future we're going to be seeing a lot more economists and economics lawyers taking an interest - there's a whole field of business models and legislation just waiting to happen and that's when the big money starts moving.

Re:Define significantly (1)

EnronHaliburton2004 (815366) | more than 8 years ago | (#15274065)

I guess I don't ever see it getting that big. I doubt that online gaming will ever have that much influence on the real world economy. This is a dream of science fiction.

Re:Define significantly (1)

Ryan Amos (16972) | more than 8 years ago | (#15273959)

The difference being you do not have SLAs with Blizzard that guarantee you 99.99% uptime, nor do you pay Blizzard an exorbitant fee every year to provide you with patches. You are relying on public systems with no guarantee of service. If you stake your livelihood on these systems, that's your own problem. This is a risk that you have accepted.

It's a different story with Oracle. Many companies buy Oracle database software not because it is the best available (though this is pretty much the case anyway) but because you can pay Oracle a crapton of money and they stand behind their product. You pay out the nose for software upgrades and when that much money is DIRECTLY paid to Oracle, their customers expect a lot more than your average software company. They have put themselves in this situation with their pricing structure, maybe Larry Ellison needs to stop counting his money and hire more programmers to fix his software.

Re:Deal. (1)

gregfortune (313889) | more than 8 years ago | (#15273174)

I agree. But how do you remove the human element? Are you proffering an alternative? It's just life in the big software world. IBM, Sun, Apple and many others have had patch mishaps. How about Sony's nifty little cloaking app? Again, find an alternative and move or suck it up and do your best to deal. It is why we are employed, after all.

Re:Deal. (4, Insightful)

EnronHaliburton2004 (815366) | more than 8 years ago | (#15270545)

There is a pretty big difference in Scale. You can't compare WoW to Oracle.

An Oracle Database for a mid-sized website can easily cost hundreds-of-thousands of dollars. We pay Oracle Jockeys a 6 figure salary to maintain the behemoth. It's critical to the business. For that price, I expect top-of-the-line support.

I wouldn't expect stellar support for WoW -- it costs something like $20/month. I'm surprised you attempt to compare the two.

The total license fees for Microsoft products for a 100-person office (100 workstations, Exchange, a dozen Windows Servers) is relatively low compared to the cost of the Oracle Database. From Microsoft, I expect good support-- the product needs to behave well, we need access to emergency support, etc.

Re:Deal. (1)

gregfortune (313889) | more than 8 years ago | (#15273198)

Of course the two are different applications with a different effect. I mention WoW due to Blizzard's inability to manage patches properly.

I mentioned MSFT for the same reason. Do you get good support from them? Better than MSFT? I hear they have a DB product they would like to sell you. If not, continue to use Oracle and deal with the mishaps they might have. That's why you have a job.

Re:Deal. (1)

EnronHaliburton2004 (815366) | more than 8 years ago | (#15273792)

Is English your second language? Not a problem, but I couldn't understand you at all.

Re:Deal. (1)

TooFarGone (841076) | more than 8 years ago | (#15271840)

"If not, suck it up and be thankful the mistakes of your vendor give you a well paying job."

Way to troll... I'd never be thankful that the problems with software require me to spend more time with it. I didn't sign up on my job to "deal with bugs in software", I signed up to administer the damn thing. If the software worked the way it is supposed to, I'd have a hell of a lot more time to do more productive things, and a hell of a lot less stress. And I'm not speaking of Oracle specifically, this applies to ALL software. The less time and effort spent on the vendor's part making software work and work well, the more time administrators spend fixing it. People seem to think that bugfixing = good job. You fail to realize that this effort could be better spent elsewhere, such as innovating new solutions that would make our jobs even more efficient. Would this put some of us out of our current jobs? Sure! And I'd be damned happy because it would free us up to pursue more innovative and hopefully more efficient technologies.

In other words, we're spinning our wheels in the mud of flawed software.

Heaven Forbid! (3, Insightful)

Enonu (129798) | more than 8 years ago | (#15270300)

Heaven forbid that a company take its time testing a patch to make sure it's up to some level of standard. The poster even pointed out that historically, there've been problems with the patches in the past. Maybe patch day should move to quarterly updates for all but the most extreme patches in order to increase quality.

Re:Heaven Forbid! (1)

Enonu (129798) | more than 8 years ago | (#15270339)

I meant to say "move to bi-annually", but I slipped there.

Re:Heaven Forbid! (3, Insightful)

Oswald (235719) | more than 8 years ago | (#15270722)

Actually, you probably meant to say "semi-annually," but that too ignores the point that Oracle should be allocating enough resources to patch vulnerabilities at the rate they are discovered. "Correct patches, delivered fast enough to keep up with the bugs," should be the standard, not "correct patches as fast as we can get around to them with what we've got handy."

Re:Heaven Forbid! (4, Insightful)

Bacon Bits (926911) | more than 8 years ago | (#15270622)

If you want to charge people $25,000 for your software, you damn well better patch promptly and completely.

It's Oracle's responsibility. If they can't do it now, they need to invest in their patch development so that they do.

Re:Heaven Forbid! (1)

ketamine-bp (586203) | more than 8 years ago | (#15270785)

note that you are always allowed to use another [more] reliable database here. they set the price, you bought it, that's economics AFAIK.

to give them a fair comment, i would say that i believe they have been doing a good job for quite a while and the security problems are not as problematic as it seems to many of the readers here.

Re:Heaven Forbid! (1)

stevey (64018) | more than 8 years ago | (#15271167)

i would say that i believe they have been doing a good job for quite a while and the security problems are not as problematic as it seems to many of the readers here.

I'm really not sure I could agree with that.

If you follow the bugtraq mailing list you'll have seen several recent posts expressing increasing dissatisfaction with the way that Oracle has handled security issues. Including several mentions of one bug being fixed whilst nearly identical (and also public) ones have been ignored.

For a good example of that please see this post [securityfocus.com] from a week or two ago describing a "fixed" bug lasting over a year.

Who cares? (-1, Troll)

Gogogoch (663730) | more than 8 years ago | (#15270330)

I know I'm not your average Slashdotter, but who cares about this opinion, this story? The world must be particularly boring today.

Seems like a bad idea to begin with. (3, Insightful)

FatSean (18753) | more than 8 years ago | (#15270332)

Anyone involved with software knows that NOTHING gets done on schedule. Smells of a marketing idea that got pushed onto the developers. I mean, it is a good idea...just not very practical.

The problem with development is developers (2, Interesting)

neelm (691182) | more than 8 years ago | (#15271476)

How we got this far on the myth that software development can't be controlled is beyond me. Some old-fashioned project management will keep any project on track, but we devs have managed to convince the managers that software development can't be estimated. Construct a skyscraper and it's no problem to have a timeline, but code an app... whoa, that has so many issues. Does construction have zero surprises along the way?

The truth of the matter is development is slow from lack of focus, and it starts with us the developers. Put down the damn Ruby on Rails book and focus on the language and tools you are actually using. (you can still do all the ruby you want at home). If ruby makes sense, then the company as a whole will move to it so we can all focus on it, but as long as you "do your own thing" you are part of the problem.

Oracle has the people, the money, and yes - the time. If it's still not working, then they don't have the method. Software development is not a special and unique snowflake - it can be managed like everything else.

Re:The problem with development is developers (1)

dodobh (65811) | more than 8 years ago | (#15272761)

Construct a Skyscraper and it's no problem to have a time line, but code an app... whoa, that has so many issues.

Construction is mostly a repeatable activity with known materials, and hard, fixed requirements.

Software development, on the other hand, often does not have the benefit of hard, fixed requirements. http://twasink.net/blog/archives/2004/10/if_architects_h.html [twasink.net] is the normal state of the software industry today.

Construction (and engineering for that matter) are mostly about repetition. Repeating yourself in software construction is bad practice. "Don't repeat yourself" is a standard rule of software development.

Oh, and add to the above link the requirement that the house be buildable in a few weeks/months and we will see how easily construction becomes predictable.

Innovation does not happen on schedule. (1)

FatSean (18753) | more than 8 years ago | (#15273672)

If you are cranking out yet another web application, or a standardized patterns-following data system, then you have a point.

When you are chasing bugs and adding new features...these things are quite variable.

Here's an analogy...wiring a car on an assembly-line takes constant time, but solving a wiring problem on an existing car takes variable time.

And these guys want to get into Linux? (2, Interesting)

Billosaur (927319) | more than 8 years ago | (#15270333)

"Oracle promised them on May 1. Now they are saying some will come on May 10 and others will come on May 15. It's clear they are having big problems," Cerrudo said.

He said Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process.

"For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related," Cerrudo said.

"They spend a lot of time creating these patches. Then, patch day comes around and the patches aren't available. Then, when the patches are finally released, it's normal to find that they are incomplete and fail to address the actual vulnerability," he added.

Oracle has been falling down on the job for years, making it virtually impossible for DBAs to keep up with patches and keep their systems tuned. They hem and haw, obfuscate and prevaricate, and still manage to retain their commanding market share. Sound like anyone else we know?

Again, Oracle should have gotten into the Linux biz 5 years ago -- now it's too late. At this point they should think about cleaning their own house and stay out of the OS business until they have a firm grip on their DB. This constant inability to stay on top of critical problems points to a wider, systemic problem that would infect any Linux development program they acquired. Time for Larry Ellison to retire to a tiny island in the Pacific somewhere and let some new blood fix Oracle before it implodes under its own weight and becomes an IT black hole.

It takes time for change to happen. (0)

Anonymous Coward | more than 8 years ago | (#15271256)

Remember, it takes time for change to occur, especially when it comes to enterprise information systems. Many companies have invested very large sums of money in Oracle-based database systems. It's not feasible for them to move to another solution any time soon. So for the time being, there is still demand for products from Oracle.

The main area to focus on is new development. This is an area where PostgreSQL, for instance, is really shining. It offers many of the features needed by large, corporate data infrastructures, while offering almost none of the problems associated with Oracle's offerings. In the near future, we likely won't be hearing anywhere near as much about Oracle as we do today, since it just won't be a component of most of the information systems of tomorrow.

Right now, we're in the transition period. Most new development is not taking place with Oracle, but there is still much in the way of legacy systems using their products, thus making it appear as though there is still demand.

This is very similar to what we witnessed during the late 1980s and early 1990s, with respect to corporate networks. By the mid-1980s it was clear that centralized mainframes were on the way out, with distributed desktop or workstation systems taking over. However, it did take until the mid- to late-1990s for the vast majority of Big Iron to be retired and replaced with new, non-mainframe solutions. It did take some buffer time for the old systems to be replaced, be it for technical or financial reasons.

Re:It takes time for change to happen. (1)

toadlife (301863) | more than 8 years ago | (#15272254)

"The main area to focus on is new development. This is an area where PostgreSQL, for instance, is really shining. It offers many of the features needed by large, corporate data infrastructures, while offering almost none of the problems associated with Oracle's offerings. In the near future, we likely won't be hearing anywhere near as much about Oracle as we do today, since it just won't be a component of most of the information systems of tomorrow."

After spending a little bit of time with MS SQL Server 2005, and seeing the massive improvement over MS SQL 2000, I have to think that some of Oracle's marketshare might just slip into MSFT's hands too. Besides clustering support being improved drastically over 2000, a lot of the changes in SQL 2005 revolve around development support.

Unbreakable? *smirk* (1)

derfla8 (195731) | more than 8 years ago | (#15270342)

What happened to Larry's campaign that his products were unbreakable? No need to patch if your products are unbreakable. Notice how that campaign slowly just fizzled out?

Sold my Oracle stock a long time ago (2, Interesting)

mabu (178417) | more than 8 years ago | (#15270344)

I worked on a big project involving Oracle software and after a lot of research, we decided to only use the core database and write our own interfaces to more reliable, more secure open-source systems. When I discovered how convoluted the company's own product line and support process was, I dumped the stock. It doesn't surprise me one bit that they can't meet deadlines of this nature. The internal structure of the organization from my perspective was always a bloody mess.

Abhorrent lack of focus (2, Informative)

Anonymous Coward | more than 8 years ago | (#15270378)

Though their database is their flagship product, they have been way too distracted with their substandard Oracle Applications suite. If they really want to do well, they should focus on what they do best and stop wasting their time trying to push poorly written web applications. (I should know, I have to use their worthless timecard and expense system every week.)

seconded (0)

Anonymous Coward | more than 8 years ago | (#15270852)

Oracle Applications is the biggest POS I've ever seen. We've designated every Saturday as 'Oracle downtime', meaning the apps go offline all day to fix the latest f-up during the week. I'm convinced the UI was designed by a monkey flinging feces at the screen. It's that bad.

Re:seconded (0)

Anonymous Coward | more than 8 years ago | (#15272393)

If you can find the patch that makes the UI resemble monkey poo splattered on the screen please post a link so I can get the IT guys to install it over here. The UI we're using looks like great green gobs of greasy grimy gopher guts!

CIP: E-Business Suite. Re:Abhorrent lack of focus (1)

the grace of R'hllor (530051) | more than 8 years ago | (#15270956)

Oracle E-Business Suite.
a.k.a.: "Look on my works, ye mighty, and have a chuckle at my goddamn expense."

Singlehandedly destroyed our call center response times (was at under 1m:00s on a bad day, under 0m:15s on a good day, promptly jumped up to about 10m:00s, and there were no more good days), and after running it for about 8 months now, it still regularly has to go down for essential upgrades. Part of that is, no doubt, the company's IT bungling and inadequate testing, but Oracle's eBS sucks.

It's horribly designed, it's slow as all hell in anything related to retrieving information (which, y'know, they might be good at, being database folks), and it's a major resource hog. Also, it's fucking designed for an 800x600 resolution, WHEN ALL CS-rep PC'S HAVE 1280x1024 SCREENS!! And the screens don't stretch, they have fixed geometry!

I swear, if someone, some day, walks up to me and says "Hi, I used to work on Oracle's E-Busine", that's as far as they'd get before I punch their stinking face in.

From TFA (2, Funny)

Aqua_boy17 (962670) | more than 8 years ago | (#15270407)

"These aren't random complaints from unhappy researchers," Newman said, referring to the comments from Kornbrust and Cerrudo. "They need to admit their procedures aren't working and seek help getting it fixed."

This Week on Ask Slashdot...

'Larry' has a company that sells database software and he's trying to get developers to release security patches that are both trouble free and actually fix security holes and other problems...and then finally get them to do all of this on time.

"Microsoft isn't good at security. We're good at that and I don't think sending a memo is going to help," 'Larry' states. Now he's turning to the /. community for help. So what advice can you give to 'Larry'?

Re:From TFA (2, Funny)

LearnToSpell (694184) | more than 8 years ago | (#15270471)

"Larry, have you tried PostgreSQL? It's fantastic, and free!"

Good Thing? (2, Insightful)

zaguar (881743) | more than 8 years ago | (#15270420)

A lot of big business runs on Oracle. Governments, banks, corporations, etc. Rushing out a patch with fatal flaws, exploitable flaws would potentially cause more damage to the world than the worst predictions of Y2K. I am glad that Oracle are thoroughly testing the patches before they roll them out. I know the DBAs will test the patches, but there is no substitute for vendors testing the patches.

Re:Good Thing? (1)

Duke of URL (10219) | more than 8 years ago | (#15271347)

I'm not convinced that Oracle is doing a good (enough) job of testing their patches, or more accurately, they are not _able_ to do a good job no matter how hard they try. Their support matrices are huge, with many Oracle packages interacting with other Oracle software, along with the OS, and other vendors' software. We caught a bug with a patch set, the first customers to find it. An older yet supported software version didn't want to play nice with a newer Oracle application. It meant horrible service and a lot of downtime for our users. Unfortunately the problem only showed up under huge loads that we weren't able to reproduce in our test environments. Maybe Oracle should have more publicly available benchmarking software.. but maybe the marketing dept. nixed such ideas.

I wish Oracle would trim down their support list, and dump older versions of software from support. Oracle would be able to better test for strange and arcane interactions. Who knows, maybe they'd spend more time fixing security issues across their whole code base rather than in the one app a security advisory was published on.

It's called customer service.... (1, Informative)

zappepcs (820751) | more than 8 years ago | (#15270450)

When you have to pay as much as you need to to run Oracle, patches released in a timely manner that actually fix things are part of customer service. If there is no customer service, there are soon no customers. The OSS database engines are gaining ground, and personally, I like the way patches and fixes are released thus far for F/OSS .... I'm seeing fewer and fewer reasons to pay for big software packages like Oracle, MS, etc.

ROI is important, and bad patch schedules and releases are not good ROI...

Is patch timing really an issue? (2, Funny)

HarvardAce (771954) | more than 8 years ago | (#15270470)

Is the timing of the patches really that much of an issue? Do people install the patches as soon as they are released? I only ask because at my company we are about 2 years behind in the patches (we are still using 9i and in some cases 8), due to an inherent distrust of the stability of a patch. Likewise, not many people are in a rush to install the latest service packs of Windows until all the flaws are worked out.

I could be missing the point here, and these are minor (yet critical) patches, but if they are, how come they are taking so much time to develop?

Re:Is patch timing really an issue? (0)

Anonymous Coward | more than 8 years ago | (#15271039)

i'm in the same position. i work with a number of database customers and we're very much behind. stability is an issue for us, and most of these customers are so small that the resources aren't there for testing patches. if it ain't broke, we don't fix it.

oracle patches can be quite complicated too. dependencies and what not abound. you can't simply install them like windows patches, where you close your eyes and hit install. patches are inherently risky, and it doesn't help that databases are at the critical center of a business.

i'd love to hear from other DBAs in a similar position, how do you manage all these patches when faced with limited resources and the need for utmost stability?

Re:Is patch timing really an issue? (1)

Mr. Fahrenheit (962814) | more than 8 years ago | (#15271944)

>>if it ain't broke, we don't fix it.

That's the point. It IS broke. Oracle started these quarterly updates because severe vulnerabilities were being identified. If your systems are that far out of rev., you're going to be doing a lot of fancy footwork if your customers' data is stolen/hacked/etc.

I agree that trying to stay on top of the myriad of patches they put out in the past was a losing battle, but this idea of a consolidated patchset has really changed that.

Personally, I had to just get over myself and start applying the things. Yeah, you have to work out what the newest version of opatch is (1.0.0.55, I think) and yeah, you have to figure out what's up on each individual OS, but that's getting streamlined and is making inroads to a more unified view of patching across platforms.

This is not meant as a personal attack on you, but if someone was posting on Slashdot saying how they were ignoring each and every Microsoft update for the last few years since it might break something, they'd be laughed right out of here. Sure the products should be more stable, but if there are fixes for giant security holes, then you're just asking for Bad Things to happen.

Re:Is patch timing really an issue? (1)

Mr. Fahrenheit (962814) | more than 8 years ago | (#15271980)

OMG, I screwed up twice with a single post. This was meant as a reply to a reply of the parent.

Also, I wrote:
>>but if there are fixes for giant security holes, then you're just asking for Bad Things to happen.

When I *should* have written:
but if there are fixes for giant security holes, and you ignore the fixes, then you're just asking for Bad Things to happen.

Goodness even 'preview' can't help me.

Re:Is patch timing really an issue? (0)

Anonymous Coward | more than 8 years ago | (#15271260)

I agree, these "Security Researchers" obviously have no idea what it's like in the real world. They are sitting around in their tighty whities with 4 PCs running Oracle thinking it is a good representation of what real customers are dealing with. They have absolutely no user community, project deadlines or other constraints to deal with.

The only people the delay is hurting are these researchers who rip apart the patch as soon as it is released so that they can be the first to find the slightest problem, post it and say "I told you so." I wonder what these buffoons did before patches were released quarterly.

Re:Is patch timing really an issue? (0)

Anonymous Coward | more than 8 years ago | (#15271448)

I work for a small (25 people) System i (aka iSeries, i5, AS/400) ISV. I maintain our internal systems (Windows, Linux, System i). I also maintain installations at our customers. I usually apply patches or updates one week after GA, except for super-critical security patches.

Our internal production systems serve as a testbed for patches, updates, and new versions of software for our customers.

Since all people working at this shop are at a minimum "IT-savvy", this has always worked fine, and provided an excellent test scenario. Particularly interesting is that we never had any relevant downtime because of this.

Software updates (1)

badevlad (929181) | more than 8 years ago | (#15270487)

Software updates cannot be scheduled... It is impossible to do something in time. But it is possible to do something, and then promote it like it was made in time :)

Unofficial patches (4, Funny)

Matt Perry (793115) | more than 8 years ago | (#15270546)

Unofficial patches available here: Mirror 1 [postgresql.org]. Mirror 2 [mysql.com].

;-)

Two issues are at work here... (2, Insightful)

packet919 (207827) | more than 8 years ago | (#15270588)

First, patches are inevitable for any application or system. Humans write code and humans make mistakes. Patches are like security incidents; if you think you don't have them (or in the case of patches, don't need them), you aren't looking hard enough. To the comment above about why patches are needed (and to all you "my system is totally secure" Mac-heads out there)...even OpenBSD, with all its code review processes for every release, has security vulnerabilities from time to time (go ahead, look them up). QA/QC process just can't find every little bug before release.

Second, patches for something as critical as Oracle is within most enterprises, MUST be fully examined and qualified. The comment above about being a year or two behind on patches because patches might break stuff, is relevant here. Again, humans write code and humans make mistakes, even on code meant to fix other broken code. Look at Apple's recent patch-to-fix-a-patch-to-fix-a-patch issue from several weeks back. I applaud Oracle for trying to get quality patches out. However, I would say that there comes a point when you just have to feel comfortable with the patch you have and get it out the door. Better to look like you're doing something while you get things together, even if what you do is not ideal, than to look like you're doing nothing and appear incompetent or unresponsive.

Sad state of Software Development in general.... (2, Informative)

bodland (522967) | more than 8 years ago | (#15270621)

Basically...this is not uncommon across the software industry.

Most of the companies are not mature and are entrenched with bureaucracy. Staff probably turns over twice a year now, when a decade ago devoted "well paid" developers worked long hours to make sure a patch or update was ready for release.

Now from my perspective, as a DBA responsible for installing and overseeing the installation of software patches on database and application servers, I can't really say this is happening any longer.

I don't simply patch Oracle because they say it's "critical". Updates and patching are only done if needed to keep the application going and to keep users working. If the risk of not patching comes into play then we patch.

Unfortunately for us, many software makers have discovered the joys of consulting fees to bolster fading profit and market share, rather than actually delivering quality service and product to existing customers.

Particularly in smaller software makers. Selling the sizzle and delivering the bacon later is all too common now. And many times you end up with something much less than "bacon".

Anyone who works with canned apps in a large heterogeneous IS environment knows what I am talking about.

And "we" the customers are partly to blame for allowing software makers to have their way with us. I for one refuse to "pay" to have vendors develop working patches for their software... there are a thousand and one ways for software vendors to take advantage of clients. It is up to the IT professionals to hold them to contracts and simple concepts like the delivery of software, updates and patches that actually work as claimed.

So it is up to us to demand full documentation, and READ IT. Test the systems completely and be more "critical" of the vendors' claims... if you have to be a hard ass to do so... so be it.

This is not your father's Oldsmobile... (3, Insightful)

Chitlenz (184283) | more than 8 years ago | (#15270758)

Lest we forget, Oracle as a database system is exponentially more complex than Unix itself, and in fact will probably come to include a Linux distro before it's all over. Oracle is a funny company; they make REALLY REALLY good databases (no... I mean it), but then they go out and release buggy features with holes in 'em. The truth? Most of these holes are in shit like ONames (the Oracle version of computer browser... Let me expand on this a bit: for 8i, ONames had a security hole that was fixable by using the IP address instead of UNC names for target boxes. Easy to work around, and really more of an annoyance). Long story short, Oracle's the BEST at databases, not because they have some great code team somewhere in a closet doing innovative things but because they've been working on the same core product since 1977.

It's the same story each release: Oracle marketing trumpets up the latest and greatest Java Parser! Then everyone ignores it and goes back to Listeners (which consequently have very few bugs at this point).

So yeah, patches are important, and yeah I apply em, but with Oracle ONLY (and maybe Solaris) to me this is indeed not a big deal.

chitlenz

limited set unavailable? (5, Insightful)

Fro Ingwe (523932) | more than 8 years ago | (#15270812)

I'm an Oracle DBA by trade and was able to patch my test systems running Oracle 9iR2 within days of the scheduled release date.

The article makes it sound like the target date was missed entirely, and while I know there are delays for some releases, others were made available as planned.

Why do I get the feeling that most of the complaining here is by people who don't actually use the product?

Re:limited set unavailable? (2, Informative)

grassy_knoll (412409) | more than 8 years ago | (#15271528)

Agreed. When I saw this story, I figured I'd missed something, since my 9i DBs have had the patch since release.

Metalink note 360465.1 has a table of patch levels required for database versions and patch release dates by OS. For 9.2.0.6, 9.2.0.7, 10.2.0.1 it looks like patches are available, and 10.2.0.2 is only awaiting the patch for the HP Itanium platform ( expected today... I'm sure both sites who use Oracle on HP Itanium will be happy ).

There is some delay in other oracle versions on other platforms. If you're using 8.1.7.4, you're boned... although since IIRC all support for that version ends at the end of this year, I'd hope there's a migration in your future anyway.

For versions 10.1.0.3 and 10.1.0.4 it's a little odd... for some OSs there are patches available (Tru-64, Linux, UNIX, et al.) but there's a wait for the Windows versions. In 10.1.0.3's case some platforms must upgrade to 10.1.0.4 or 10.1.0.5, then apply patches for those levels.

So in short, if you're running the latest version of Oracle 9i or 10g on Windows, proprietary UNIX or Linux, there are patches available.

Re:limited set unavailable? (1)

T5 (308759) | more than 8 years ago | (#15272340)

I just went through patching 4 databases with CPUApril2006 earlier this week. It took a few service requests to Oracle to get some of the error messages that were generated as part of the process identified as benign, and I've still got one relatively minor outstanding issue, but it went with relatively little fanfare. I'll be applying the same patchset to a 10gR2 forms and reports standalone instance soon and expect little trouble.

Yes, Oracle's slow on releasing patches sometimes. But their support programs are reasonably good. Their support engineers usually understand their products pretty well. And I've yet to install a patch from Oracle that required me to back it out because it broke something badly. Microsoft products, on the other hand...

Re:limited set unavailable? (1)

Genady (27988) | more than 8 years ago | (#15272908)

You sir, are blessed to never have had to touch the E-Business suite.

Re:limited set unavailable? (1)

PopBus (959675) | more than 8 years ago | (#15275217)

Because everyone uses MySQL... Didn't you know, open source is the only way to go with databases. Because a thousand cooks with no direction is much better at developing database software than one company that's been doing it for decades! Of course, you might also get what you pay for.

Oracle CPU Hell (0)

Anonymous Coward | more than 8 years ago | (#15270814)

F*ck you Larry

Signed,

An Oracle Customer

Unbreakable (1)

br0k_sams0n (848842) | more than 8 years ago | (#15270818)

Maybe they are trying to live up to that old "unbreakable" campaign. If they don't release any patches, it's tough to break anything.

If you think this applies to just their database software, think again. I've had Oracle ship me gold cut CDs for their OAS app server on several occasions and have seen Oracle Financials implementations go through over 1000 patches over the course of a year.

Amateurs (1)

aquatone282 (905179) | more than 8 years ago | (#15270945)

FTFS: But they are amateurs on everything security related.

Exactly - because only amateurs would force their customers to use cscript [wikipedia.org] as part of the patching process.

M$ and Firefox manage to release security patches that install themselves. Why can't/won't Oracle do the same?

Maybe it's job security for that abortion known as MetaLink [oracle.com].

Or maybe it's so these clowns [dba-oracle.com] can charge Oracle's customers $1000 an hour to not fix anything.

Re:Amateurs (1)

toadlife (301863) | more than 8 years ago | (#15272433)

M$ and Firefox manage to release security patches that install themselves. Why can't/won't Oracle do the same?

Interestingly enough, just a few years ago, MS SQL Server patches were shipped as archives with updated binaries and you had to replace each file by hand and, I think in some cases, run scripts. When Slammer came out and borked 80% of the world's SQL servers, Microsoft realized that the monkeys running their products were probably too stupid to manually apply the patches, and changed their patches so they were automated.

Wishful Thinking (1)

robkill (259732) | more than 8 years ago | (#15271181)

At first glance, I thought the headline was "Orrin Hatch Becoming Irrelevant."

One can dream, I suppose.

Offshore development problems (1)

Ruzty (46204) | more than 8 years ago | (#15271207)

This is just one more example of how offshoring development causes disorganization and a lack of control in timeliness and quality of product. You cannot base complex software development in remote locations because "it's cheaper" and expect not to have problems with issues related to poor communication, timeliness and product quality. There is too much loss of control of the development process and significantly less motivation for quality and success when there is little downside to failure. The company closes your outsourcing center? Move on to the next sucker who thinks it's a good idea and is hiring.

Until company executives see the financial impact that losses from these ventures produce, the people taking advantage of the situation will continue to profit and not produce.

Can you tell I think outsourcing offshore is one of the stupidest decisions a company can make? And, it's not due to the lost jobs in the U.S. that I have my opinion.

A "Fusion" of bugs (1)

dbdweeb (598548) | more than 8 years ago | (#15271778)

Oracle is too busy buying competitors and fusing disparate technologies together to be bothered with unexciting stuff like security patches. Hiring entry level developers and making them do patches is a good way for them to learn the Oracle. ;-)

False (1)

pocketstheclown (963187) | more than 8 years ago | (#15272934)

>>Oracle critical patches announced in the April 2006 CPU are still not available for download and the ETA is now set for May 15

I downloaded the CPUAPR06 from MetaLink 2 weeks ago. The other 7 DBAs in my company also downloaded it. But I will admit, one DBA said it failed on his test database, so the QA issue is true.

One reason we switched... (0)

Anonymous Coward | more than 8 years ago | (#15273435)

As a 6 year Oracle DBA, all I have to say is that dealing with Oracle's patching is becoming a huge PITA to manage. At first, I was really worried when our management switched some of our servers to EnterpriseDB [enterprisedb.com] a few months ago because they don't have as many features as Oracle, but I think a little differently about EnterpriseDB and PostgreSQL now. EnterpriseDB's support people kick ass and respond a helluva lot faster than any TAR I've entered into MetaLink, and we haven't had to patch at all for security holes. The only patch we've done to EnterpriseDB was for a few additional Oracle compatibility features. If you have a small to medium Oracle app, consider getting EnterpriseDB or PostgreSQL instead... it will make your life as a DBA much easier. The only thing I wish was that EnterpriseDB had a MetaLink-type site for more information, but all in all MetaLink is a PITA to navigate and find stuff.

I found a solution!!! (1)

robd003 (672018) | more than 8 years ago | (#15275487)

Go check out Blue Lane Technologies... Apparently they emulate patches on the network so you don't have to touch the servers themselves. They've also already got a patch out that covers ALL THE AFFECTED ORACLE RELEASES. Yeah, I'm impressed too.