Slashdot Mirror
Oracle Patch Day Becoming Irrelevant
mocirac wak writes "Oracle's scheduled quarterly patch day is becoming more and more irrelevant. Oracle critical patches announced in the April 2006 CPU are still not available for download and the ETA is now set for May 15. The whole idea of a patch day was to let DBAs get prepared for testing and deployment. What's the use of having a patch day when there are no patches to download?" From the article: "... Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process. 'For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related,' Cerrudo said. 'They spend a lot of time creating these patches. Then, patch day comes around and the patches aren't available. Then, when the patches are finally released, it's normal to find that they are incomplete and fail to address the actual vulnerability,' he added."
Did you read the statement? Patches supposed to be available are not ready yet, so it is not that there is not something to fix, the fix is has not been delivered on time.
Well maybe there are no patches that need doing?
Which part of "patches announced in the April 2006 CPU" did you not understand? If they anounced them, then they need doing.
Oh no... it's the future.
Just because they are a large, successful company doesn't mean schedules are solid and sufficient resources are made available. Microsoft is wildly successful, but faces the same problems. World of Warcraft is wildly successful, but faces the same problems. Ultimately, we still have people involved and people make mistakes. People estimate incorrectly. Stuff happens (c).
If you have an alternative and they are able to serve you better, migrate. If not, suck it up and be thankful the mistakes of your vendor give you a well paying job.
Heaven forbid that a company take its time testing a patch to make sure it's up to some level of standard. The poster even pointed out that historically, there've been problems with the patches in the past. Maybe patch day should move to quarterly updates for all but the most extreme patches in order to increate quality.
Anyone involved with software knows that NOTHING gets done on schedule. Smells of a marketing idea that got pushed onto the developers. I mean, it is a good idea...just not very practical.
Blar.
"Oracle promised them on May 1. Now they are saying some will come on May 10 and others will come on May 15. It's clear they are having big problems," Cerrudo said.
He said Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process.
"For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related," Cerrudo said.
"They spend a lot of time creating these patches. Then, patch day comes around and the patches aren't available. Then, when the patches are finally released, it's normal to find that they are incomplete and fail to address the actual vulnerability," he added.
Oracle has been falling down on the job for years, making it virtually impossible for DBAs to keep up with patches and keep their systems tuned. They hem and haw, obfuscate and prevaricate, and still manage to retain their commanding market share. Sound like anyone else we know?
Again, Oracle should have gotten into the Linux biz 5 years ago -- now it's too late. At this point they should think about cleaning their own house and stay out of the OS business until they have a firm grip on their DB. This constant inability to stay on top of critical problems points a wider, systemic problem that would infect any Linux development program they acquired. Time for Larry Ellison to retire to a tiny island in the Pacific somehwere and let some new blood fix Oracle before it implodes under its own weight and become an IT black hole.
GetOuttaMySpace - The Anti-Social Network
Someone mod this moron down. It's clear that he didn't even read TFSummary. CRITICAL patches announced in April are still not available. He somehow reads that as "there is no need to patch anything"...
This guy's the limit!
What happend to Larry's campaign that his products were unbreakable? No need to patch if your products are unbreakable. Notice how that campaign slowly just fizzed out?
I worked on a big project involving Oracle software and after a lot of research, we decided to only use the core database and write our own interfaces to more reliable, more secure open-source systems. When I discovered how convoluted the company's own product line and support process was, I dumped the stock. It doesn't surprise me one bit that they can't meet deadlines of this nature. The internal structure of the organization from my perspective was always a bloody mess.
Have you seen Oracle's security record recently?
Anyone who reads bugtraq or the like will know it is shocking.
Take a look at http://www.securityfocus.com/archive/1/432399 this for an example
Though their database is their flagship product, they have been way too distracted with their substandard Oracle Applications suite. If they really want to do well, they should focus on what they do best and stop wasting their time trying to push poorly written web applications. (I should know, I have to use their worthless timecard and expense system every week.)
"These aren't random complaints from unhappy researchers," Newman said, referring to the comments from Kornbrust and Cerrudo. "They need to admit their procedures aren't working and seek help getting it fixed."
/. community for help. So what advice can you give to 'Larry'?
This Week on Ask Slashdot...
'Larry' has a company that sells database software and he's trying to get developers to release security patches that are both trouble free and actually fix security holes and other problems...and then finally get them to do all of this on time.
"Microsoft isn't good at security. We're good at that and I don't think sending a memo is going to help," 'Larry' states. Now he's turning to the
What if the Hokey Pokey really is what it's all about?
A lot of big business runs on Oracle. Governments, Banks, Corporations, etc. Rushing out a patch with fatal flaws, exploitable flaws would potentially cause more damage to the word than the worst predictions of Y2K. I am glad that Oracle are thoroughly testing the patches before they roll them out. I know the DBA's will test the patches, but there is no substitute for vendors testing the patches.
"Sure there's porn and piracy on the Web but there's probably a downside too."
I think what the parent post might have been trying to get at, is that not every company will necessarily need these patches even when they are available. If you're not using the products that are outward facing or have the vulnerabilities, and your Oracle database server is secure so that hackers on the internet can't even get to it, then it isn't as high of a priority. I've worked at a number of companies that use Oracle databases but don't use Oracle products for their application server or web interface.
"22 astronauts were born in Ohio. What is it about your state that makes people want to flee the Earth?" Stephen Colbert
When you have to pay as much as you need to to run oracle, patches released in a timely manner that actually fix things is part of customer service. If there is no customer service, there is soon no customers. The OSS database engines are gaining ground, and personally, I like the way patches and fixes are released thus far for F/OSS .... I'm seeing fewer and fewer reasons to pay for big software packages like Oracle, MS, etc.
ROI is important, and bad patch schedules and releases is not good ROI...
Support NYCountryLawyer RIAA vs People
I could be missing the point here, and these are minor (yet critical) patches, but if they are, how come they are taking so much time to develop?
Note to self: Stop putting jokes in my insightful comments so I can get something other than +1 Funny!
Software updates can not be sheduled... It is impossible to do something in-time. But it is possible to do something, and then promote it like made in-time :)
Hide your files and folders from others!
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
First, patches are inevitable for any application or system. Humans write code and humans make mistakes. Patches are like security incidents; if you think you don't have them (or in the case of patches, don't need them), you aren't looking hard enough. To the comment above about why patches are needed (and to all you "my system is totally secure" Mac-heads out there)...even OpenBSD, with all its code review processes for every release, has security vulnerabilities from time to time (go ahead, look them up). QA/QC process just can't find every little bug before release.
Second, patches for something as critical as Oracle is within most enterprises, MUST be fully examined and qualified. The comment above about being a year or two behind on patches because patches might break stuff, is relevant here. Again, humans write code and humans make mistakes, even on code meant to fix other broken code. Look at Apple's recent patch-to-fix-a-patch-to-fix-a-patch issue from several weeks back. I applaud Oracle for trying to get quality patches out. However, I would say that there comes a point when you just have to feel comfortable with the patch you have and get it out the door. Better to look like you're doing something while you get things together, even if what you do is not ideal, than to look like you're doing nothing and appear incompetent or unresponsive.
Basically...this is not uncommon across the software industry.
Most of the companies are not mature and entrenched with bureocracy. Staff probably turns over twice a year now when a decade ago devoted "well paid" developers worked long hours to make sure a patch or update was ready for release.
Now from my perspective, as a DBA responsible for installing and overseeing the installation of software patches on database and application servers, I can't really say this is happening any longer.
I don't simply patch Oracle becasue they say it's "critical". Updates and patching is only done if needed to keep the applcation going and to keep users working. If the risk of not patching comes into play then we patch.
Unfortunately for us, many software makers they have discovered the joys of consulting fees to bolster fading profit and market share, rather than actually delivering quality service and product to existing customers.
Particulary in smaller software makers. Selling the sizzle and delivering the bacon later is all too common now. And many times you end up with something much less than "bacon".
Anyone who works with canned apps in a large heterogenous IS environment knows what I am talking about.
And "we" the customers are partly to blame for allowing software makers to have thier way with us. I for one refuse to "pay" to vendors develop working patches for their software...there are a thousand and one ways for software vendors to take advantage of clients. It is up to the IT professionals to hold them to contracts and simple concepts like the delivery of software, updates and patches that actually work as claimed.
So it is up to us to demand full documentation, and READ IT. Test the systems completely and be more "critical" of the vendors claims...if you have to be hard ass to do so...so be it.
Lest we forget, Oracle as a database system is exponenetially more complex than Unix itself, and in fact will probably come to include a linux distro before its all over. Oracle is a funny company, they make REALLY REALLY good databases (no... I mean it), but then they go out and release buggy features with holes in em. The truth? Most of these holes are in shit like ONames (the oracle version of computer browser... Let me expand on this a bit, for 8i Onames had a security hole that was fixable by using the ip address instead of UNC names for target boxes. Easy to workaround, and really more of an annoyance). Long story short, Oracle's the BEST at databases, not because they have some great code team somewhere in a closet doing innovative things but because they've been working on the same core product since 1977.
It's the same story each release, Oracle marketing trumpets up the latest and greatest Java Parser! then everyone ignores it and goes back to Listeners (which consequently have very few bugs at this point).
So yeah, patches are important, and yeah I apply em, but with Oracle ONLY (and maybe Solaris) to me this is indeed not a big deal.
chitlenz
Imagination is the silver lining of Intelligence.
I'm an Oracle DBA by trade and was able to patch my test systems running Oracle 9iR2 within days of the scheduled release date.
The article makes it sound like the target date was missed entirely, and while I know there are delays for some releases, others were made available as planned.
Why do I get the feeling that most of the complaining here is by people who don't actually use the product?
F*ck you Larry
Signed,
An Oracle Customer
Maybe they are trying to live up to that old "unbreakable" campaign. If they don't release any patches, it's tough to break anything.
If you think this applies to just their database software, think again. I've had Oracle ship me gold cut CDs for their OAS app server on several occasions and have seen Oracle Finanaicals implementations go through over 1000 patches over the course of a year.
I have a small business. We generate traffic from search engines. A hiccup in a system (ours, our ISP's, Google's, Yahoo's, etc.) can cost us serious money, and potentially put us out of business and our employees out of jobs. Those that have businesses build around WoW can potentially lose money if Blizzard chokes on their mailing of the money, or other things beyond their control.
Are these businesses significant on the scale of a wire payment from Wal-Mart -> Rubbermaid not going through, or a transfer from Nike to their textile plant in China?
Of course not.
However, for those that own those businesses and work in those businesses, it is just as significant.
Point being, as the onling games generate larger and larger supporting economies, downtime ceases to just be an inconvenience (and potential loss of customers... certainly some users on the edge between continuing to play and quit are pushed to the quit site when they can't play when they want), and begins to effect the livelihood of many.
The fact that it isn't your livelihood doesn't mean that it doesn't exist. Sure, WoW related activities won't be at the level of a trading desk at Citi, but it still affects people and that matters.
Oracle Applications is the biggest POS I've ever seen. We've designated every Saturday as 'Oracle downtime', meaning the apps go offline all day to fix the latest f-up during the week. I'm convinced the UI was designed by a monkey flinging feces at the screen. It's that bad.
FTFS: But they are amateurs on everything security related.
Exactly - because only amatuers would force their customers to use cscript as part of the patching process.
M$ and Firefox manage to release security patches that install themselves. Why can't/won't Oracle do the same?
Maybe it's job security for that abortion known as MetaLink.
Or maybe it's so these clowns can charge Oracle's customers $1000 an hour to not fix anything.
What?
Oracle E-Business Suite.
a.k.a.: "Look on my works, ye mighty, and have a chuckle at my goddamn expense."
Singlehandedly destroyed our call center response times (was at under 1m:00s on a bad day, under 0m:15s on a good day, promptly jumped up to about 10m:00s, and there were no more good days), and after running it for about 8 months now, it still regularly has to go down for essential upgrades. Part of that is, no doubt, the company's IT bungling and inadequate testing, but Oracle's eBS sucks.
It's horribly designed, it's slow as all hell in anything related to retrieving information (which, y'know, they might be good at, being database folks), and it's a major resource hog. Also, it's fucking designed for an 800x600 resolution, WHEN ALL CS-rep PC'S HAVE 1280x1024 SCREENS!! And the screens don't stretch, they have fixed geometry!
I swear, if someone, some day, walks up to me and says "Hi, I used to work on Oracle's E-Busine", that's as far as they'd get before I punch their stinking face in.
At first glance, I thought the headline was "Orrin Hatch Becoming Irrelevant."
One can dream, I suppose.
DMCA - Chilling free speech since 1998.
This is just one more example of how offshoring development causes disorganization and a lack of control in timeliness and quality of product. You can not base complex software development in remote locations because "it's cheaper" and expect not to have problems with issues related to poor communication, timeliness and product quality. There is too much loss of control of the development process and significantly less motivation for quality and success when there is little downside to failure. The company closes your outsourcing center? Move onto the next sucker who thinks it's a good idea and is hiring.
Until company executives see the financial impact that losses from these ventures produce the people taking advantage of the situation will continue to profit and not produce.
Can you tell I think outsourcing offshore is one of the stupidest decisions a company can make? And, it's not due to the lost jobs in the U.S. that I have my opinion.
The Master (Angelo Rossitto) in Mad Max Beyond Thunderdome, "Not shit, energy!"
Remember, it takes time for change to occur, especially when it comes to enterprise information systems. Many companies have invested very large sums of money in Oracle-based database systems. It's not feasible for them to move to another solution any time soon. So for the time being, there is still demand for products from Oracle.
The main area to focus on is new development. This is an area where PostgreSQL, for instance, is really shining. It offers many of the features needed by large, corporate data infrastructures, while offering almost none of the problems associated with Oracle's offerings. In the near future, we likely won't be hearing anywhere near as much about Oracle as we do today, since it just won't be a component of most of the information systems of tomorrow.
Right now, we're in the transition period. Most new development is not taking place with Oracle, but there is still much in the way of legacy systems using their products, thus making it appear as though there is still demand.
This is very similar to what we witnessed during the late 1980s and early 1990s, with respect to corporate networks. By the mid-1980s it was clear that centralized mainframes were on the way out, with distributed desktop or workstation systems taking over. However, it did take until the mid- to late-1990s for the vast majority of Big Iron to be retired and replaced with new, non-mainframe solutions. It did take some buffer time for the old systems to be replaced, be it for technical or financial reasons.
I know that I certainly look at the list of bugfixes in the patches and note that we usually don't need them.
We'll schedule a time to apply patches, but the stuff they've got all these "shocking" bugs in are the non-essential stuff.
Oh no! You can crash my application! Or you can crash my listener! At least you can't get to my credit card information, transaction logs, or anything sensitive.
Hell, lock the machines down the way you're supposed to do it, and 70% of the bugs are irrelevant anyway.
Practice good security and use good programming practices on your side, and you won't even sniff at the holes people bring up. I mean, who the hell grants the ability to look at the DBA_USERS table to everyone anyway?
The GP is right. You may actually not really need to patch.
How we got this far on the myth that software development can't be controlled is beyond me. Some old fasion project managment will keep any project on track, but we devs have managed to convince the managers that software development can't be estimated. Construct a Skyscraper and it's no problem to have a time line, but code an app... whoa, that has so many issues. Does construction have zero surprises along the way?
The truth of the matter is development is slow from lack of focus, and it starts with us the developers. Put down the damn Ruby on Rails book and focus on the language and tools you are actually using. (you can still do all the ruby you want at home). If ruby makes sense, then the company as a whole will move to it so we can all focus on it, but as long as you "do your own thing" you are part of the problem.
Oracle has the people, the money, and yes - the time. If it's still not working, then they don't have the method. Software development is not a special and unique snowflake - it can be managed like everything else.
Oracle is too busy buying competitors and fusing disparate technologies together to be bothered with unexciting stuff like security patches. Hiring entry level developers and making them do patches is a good way for them to learn the Oracle. ;-)
Oracle critical patches announced in the April 2006 CPU are still not available for download and the ETA is now set for May 15
I downloaded the CPUAPR06 from metalink 2 weeks ago. The other 7 DBAs in my company also downloaded it too. But I will admit, one DBA said it failed on his test database, so the QA issue is true.
As a 6 year Oracle DBA, all I have to say is that dealing with Oracle's patching is becoming a huge PITA to manage. At first, I was really worried when our management switched some of our servers to EnterpriseDB a few months ago because they don't as many features as Oracle, but I think a little differently about EnterpriseDB and PostgreSQL now. EnterpriseDB's support people kick ass and respond a helluva lot faster than any TAR I've entered into MetaLink and we haven't had to patch at all for security holes. The only patch we've done to EnterpriseDB was for a few additional Oracle compatibility features. If you have a small to medium Oracle app, consider getting EnterpriseDB or PostgreSQL instead... it will make your life as a DBA much easier. The only thing I wish was that EnterpriseDB had a MetaLink-type site for more information, but all in all MetaLink is a PITA to navigate and find stuff.
If you are cranking out yet another web application, or a standardized patterns-following data system, then you have a point.
When you are chasing bugs and adding new features...these things are quite variable.
Here's an analogy...wiring a car on an assembly-line takes constant time, but solving a wiring problem on an existing car takes variable time.
Blar.
Go check out Blue Lane Technologies... Apparently they emulate patches on the network so you don't have to touch the servers themselves. They've also already got a patch out that covers ALL THE AFFECTED ORACLE RELEASES. Yeah, I'm impressed too.