Oracle/Sun Enforces Pay-For-Security-Updates Plan
An anonymous reader writes "Recently, the Oracle/Sun conglomerate has denied public download access to all service packs for Solaris unless you have a support contract. Now, paying a premium for gold-class service is nothing new in the industry, but withholding critical security updates smacks of extortion. While this pay-for-play model may be de rigueur for enterprise database systems, it is certainly not the norm for OS manufacturers. What may be more interesting is how Oracle/Sun is able to sidestep GNU licensing requirements since several of the Solaris cluster packs contain patches to GNU utilities and applications."
It would be a shame if something was to happen to it.
Flexible bare-metal recovery for Linux/UNIX
This isn't any different from what Redhat does. They charge for security updates and no one has gone crying about it. You can't all jump on Oracle for wanting to be paid for the development time put in for security updates, people.
They knew what they were getting into. I say, let 'em crash.
"We have no morals."
CAPTCHA: Deplore.
What may be more interesting is how Oracle/Sun is able to sidestep GNU licensing requirements since several of the Solaris cluster packs contain patches to GNU utilities and applications
The GPL doesn't prevent you from charging a fee for GNU software. It just stops you from preventing the people you sell it to from distributing it to everyone else. OpenSolaris is free and the source is available. If you are using Solaris (not OpenSolaris) then you are paying for a platform that has undergone some extra testing and comes with support guarantees. If this isn't important to you, then use OpenSolaris for free.
I am TheRaven on Soylent News
... is knocking on the door of the competition.
There are many ways to take news like this. For those invested, it's a blow. For the free market and those looking for marketing opportunities (cough ... I'm talking to the competition) .... this is your opportunity to do something good for those of us looking for solutions and for yourself (in recapturing market share). Make me an offer I can't refuse.
L'esperienza de questa dolce vita (The experience of this sweet life) - Dante Alighieri, The Divine Comedy
It's one thing to hold back updates that add new features, it's entirely a different thing to prevent users from freely acquiring Security Updates. Heck, the OS is a free download for both SPARC and x86...but you have to *pay* for security fixes?
Wait a second, isn't most of the development for Solaris driven by the OpenSolaris group?
/me goes off to RTFA
They're not sidestepping anything GPL-wise. The OS patches contain some GPL binaries and some proprietary binaries. They are side by side, which means the proprietary binaries are not subject to the GPL. The entire patch package, therefore, can't be redistributed. The GPL bits within the patch can be freely redistributed. As can the source for those bits, which Sun/Oracle is (presumably) making available as they always have to comply with the GPL.
So, they are sidestepping nothing.
Portable versions of Firefox, GIMP, LibreOffice, etc
This is one of many reasons why I run GNU/Linux...
I don't want to sound negative, but I was always worried about Oracle buying Sun, for how it would impact negatively on Sun's business. For me the Oracle web site is so convoluted that it stinks of 'we designed this so that you have to pay us to find it'. Everything feels designed to nickel and dime everything you try doing with them. This is based on the experience of having to get specific updates to fix certain known issues. If you don't agree with my perspective, I would gladly appreciate hearing about your experience.
I am a Java developer and I hope that they don't extend this to Java or any other Sun technologies with a more 'open' culture.
Jumpstart the tartan drive.
...and another 'I' dotted in Oracle's plan to kill off Solaris, and force Linux as their high-end product.
I only have one Solaris server left, and I'm rapidly losing any real need to keep using it.
In fact, I will probably end up migrating off of Solaris this year, just to be done with it.
Linux works just fine on my Sparc hardware, even my Ultra Enterprise 2, which hasn't seen upgrades or replacement parts in over 10 years. (and why it's still up and running, I don't know...)
Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)
The fact that they're shipping GNU utilities is irrelevant here. The GPL compels you to distribute source and rights when you distribute a binary. There is no requirement to keep it up to date, and Sun/Oracle can do whatever they want with their Solaris cluster packs. What they can't do is distribute updates to paying customer and prevent those customers from passing the updates on to others (for the GPL-licensed parts, that is).
"The invisible and the non-existent look very much alike." -- Delos B. McKown
Interestingly, we had support contracts for several SPARC machines until recently, but when the time for renewal came around SUN didn't send any notice, and we let it go. I think of this as "passive/aggressive" behavior on their part and it seems typical of our experience with the administrative side of SUN, although past adventures (such as wrong addresses on shipments) have been worse.
Presumably if you obtained the GPL binaries/source from SUN, it's legal to redistribute those patches. But there is nothing in the GPL requiring SUN to give you those patches, code or binaries.
If they give you the binaries, they need to give you the source. But if they choose not to give you the binaries (i.e. you elect not to pay for a Solaris contract), they are not obligated to give you anything (binaries or source).
Actually, people DID cry about it and as all of the source was available, those wonderful persons behind Centos took the RHEL source and packaged it themselves. I am not sure how much of the Solaris code is available for repackaging, but maybe someone will do the same for Solaris.
getting fdisked and Debian GNU/Linux is getting installed on them as we speak.
Politics is Treachery, Religion is Brainwashing
http://wikis.sun.com/display/SunSolve/How+Entitlement+Works?focusedCommentId=199106033#comment-199106033
Looks like they just made a mistake with their product catalog
Just because they're selling the security updates doesn't mean they're in violation. I think it's highly likely that Sun/Oracle will go right ahead and sell their updates, and make the source code available (via the web?) for the GNU parts. Offering the source for the GNU packages wouldn't cut into their sales much, as most of their customers are probably not inclined to compile this code for themselves anyway (if they were, my thinking is that they probably wouldn't be running Sun). And even if they were, they'd miss out on updates to the proprietary parts of the code.
I'm having trouble seeing what the big deal is here.
I can't think of any IBM product on the "distributed platforms" (i.e. not mainframe or i5OS) where the fixpacks are not available for free.
There is no such thing as luck. Luck is nothing but an absence of bad luck.
The linked thread already points out that this was a mistake, not intentional, and provides a link to the Sun site with details.
So long to Solaris as a viable alternative to Linux and so long to OpenSolaris. Who's going to bother using an operating system that you have to pay to ensure it's secure?
Prior to the merger with Oracle, Sun had been moving toward this for some time. They were gradually restricting access to more and more of the Sunsolve site, and it got a major rework last year. At that time, Solaris Recommended and Security patch bundles became available only to current subscribers.
"Prior to the merger with Oracle, Sun had been moving toward this for some time. They were gradually restricting access to more and more of the Sunsolve site, and it got a major rework last year. At that time, Solaris Recommended and Security patch bundles became available only to current subscribers"
Where? Got any links to articles about this? How does this relate to OpenSolaris?
All security updates should be free as in beer. Patches that include features are for-pay. It's not my fault they released a product with security holes. I love car analogies, and it works pretty well here.
This goes back to the story of the Scorpion and the Frog. A scorpion was travelling across the land when he came to a river. Wanting to get across, he approached a frog to help him get across.
The frog replied "Why should I help you across? You will sting me and we will both drown."
The scorpion said "I promise not to sting you."
They are halfway across the river when the scorpion is startled by a splash of water and stings the frog. The frog cries out as his body begins to paralyze "Fool! You have doomed us both as I predicted."
The scorpion replies "Fool? What did you expect Frog? I am a scorpion."
Oracle is a Scorpion. Anyone who thought otherwise when they purchased SUN is a fool.
Management is doing things right; leadership is doing the right things. - Peter F. Drucker
That's an entirely different topic than what we are discussing here (whether Oracle is side-stepping the GPL by only making patches available to paying customers). That's why I said presumably and don't feel like taking the time to download the full Solaris and OpenSolaris packages to see what source is where. Considering they have OpenSolaris up with all the source available for all the bits we'd be worried about (and anything GPLed in Solaris is also in OpenSolaris), I think they're good. Either way, it doesn't affect the discussion here, which is that Oracle is within their rights to distribute the patches only to paying customers.
Additionally, there is NOTHING requiring Oracle to separate their GPL and non-GPL patch components to support people who aren't paying for support.
The problem here is not that they are doing this, but that they are doing this NOW.
RHEL was pay-to-update from day one. Everyone considering RHEL knew this and could decide whether that was what they wanted to go with.
The difference here is that users who have been using Solaris for years and making do with critical updates are now unable to keep their systems secure.
Oracle is changing the rules of the game in mid-stream. That is where the problem is.
Were they to come out with Solaris 11 and proclaim THEN that security updates to THAT version of the OS would be pay-to-play, then that would be fine.
What isn't fine is yanking the rug out from under people. Especially in this economy.
I think this is a fine example of why users should be wary of freeware. (Not to be confused with open source). Sooner or later, you pay for what you get.
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
Yea.
Sales rep to programmer: "Put more bugs in the software, I'm making a killing here!"
I just want to congratulate Oracle on doing everything it can to kill off Solaris passively so they don't have to admit what they're doing. I need a Solaris support contract in order to keep a few systems running specialized software in a compliance-audited environment up to date. This is software that is run in many environments where the inability to keep them patched is a showstopper. However, I can't seem to purchase a support contract. The only page that even lists the ability to purchase it is broken (see dpfloyd's comment), and I have not received a call back from Oracle/Sun sales in nearly a week (and that was after getting bounced through 6 different people to a support person who at least knew to forward my info to a Sun-related salesperson, or so they said). Additionally, if you click the "How to Purchase a Contract" it provides no actual info on how to do that, and the link it has to "Learn More" takes you into an infinite loop of "click here, now click here, now click here - oh, wait, I'm back where I started" when you try to find out about Sun Solaris support.
I hope I'm wrong about what's happening, but I can't say that any of this gives me the warm fuzzies. I'd say that if I had control over the platform I'd migrate those systems off of Solaris to another OS, but I'm guessing that's exactly what Oracle wants...
Can SOMEONE at Oracle/Sun please tell me how to purchase a support contract to download OS patches? If not, can someone from Oracle/Sun officially tell me to bugger off so I can tell my boss that we're never going to be able to update those servers again and we can start planning on how we're going to get around that issue?
Thanks.
Does this mean that CIA, DoD, et al will be dropping Sun requirements since this is now a foreign company that likes to change the rules (although I'm sure they all have support contracts, so technically nothing changes for them)? I was told by a CIA headhunter once that Sun was the only *nix they used due to some Congressional mandate of some sort (although that was almost a decade ago).
Yes, that was certainly the plan a year ago.
It's no longer the plan. You'll soon need to flip it around.
Solaris is now a great tool to help Oracle force people to one and only one vendor (Oracle) for just about everything. That's the new plan. And Linux fits in that plan right now, but probably won't in a few years, if they can get people to trust them as hardware vendors, and they can keep the quality of Solaris testing up.
Oracle sees Sun as a company with a LOT of great stuff, but both weak and incompetent, since it didn't squeeze cash out of people on every single thing it did. Oracle is right now in an orgasmic frenzy to take everything Sun had and monetize it -- some at the start, though that's less important, but EVERYTHING must bring in cash via support and updates. Furthermore, expect to see every piece slowly being changed slightly to push you towards coupling with other Oracle tools.
Which is why open systems, like Linux, don't help Oracle in the long run. Open systems give you flexibility, and flexibility is bad. Oracle is pushing to get the whole enterprise, from soup to nuts. In the words of an IBM rep I was talking to about this: "We tried that 15 years ago, and it almost killed the company."
Oracle started doing Linux not because they like open systems (they don't), but because A. they could control it a little through their own distro and B. they could get the support contracts, instead of the money going to Red Hat. Now they have Solaris. They'll push that like crazy and move people onto it, since they can certainly control it a lot better than they can control Linux, and instead of some of the support dollars going to Oracle, ALL of the support dollars will go to them.
This reminds me of all those people downloading IOS images from Russia because they are too poor to pay Cisco to prevent their routers from being 0wned.
Guess vendors will do whatever they can get away with even if their actions are morally questionable. At least MS has a reasonable policy WRT paid support: if the problem is caused by a defect in their software, the fees can be waived.
Oracle is stuck in the dark ages. Its security record is absolutely abysmal compared to its competition in the RDBMS space. Unbreakable? As an HPC cluster for botnets - certainly.
Yes I'm just pissed off at Oracle because I accidentally forgot I had an instance of Oracle running and my system got rooted as a result. It's really quite sad considering their first customers were a three-letter agency.
Novell has started the same thing - unless you have a maintenance contract, no support pack for your SuSE distro. It stinks.
Funny, I was just reading this blog post last night.
Danese Cooper is a long-time open source advocate who formerly worked at Sun, among others, and recently became the new CTO at the Wikimedia Foundation after the recent departure of Brion Vibber for a micro-blogging upstart.
New DivaBlog: Assimilation begins...Oracle Censors Blogs.Sun.Com
Remaining Snoracle employees have until May to migrate their personal blogs to a non-Oracle-owned hosting service...but even after such migration, anyone who mentions work on a personal blog forfeits their editorial self-determination, as Oracle believes the blog then becomes Oracle property subject to their draconian rules.
That sounds a mite drama-queeny until you factor in that she helped to create Blogs.Sun.Com and probably cared a lot about the culture of her former employer.
What you don't see in the picture behind the Borg ship is that giant cone thing that eats solar systems, and on the underside of the Borg ship, Ellison's personal executive-escape-yacht launch portal.
On an engineering note, it's pretty obvious that the Borg ship was designed by a DBA for optimum table access efficiency. This of course limits the scalability. On a planetary scale, starships come in any shape you like, so long as the shape is an oblate sphere. Of the two, I'd say Darth had more vision.
1) Realizing this is a stupid thing, they'll break updates into a Feature Stream and a Maintenance Stream.
2) Supporting the OS and developing hardware will drive them to bankruptcy
Oracle has a profit motive to release buggy products?
Shh.
GPL does not mean they have to give their product away for free to anyone who asks.
It means that whatever pieces of code they use that are under the GPL, they cannot block re-distribution of; and they must provide "access to code to customers who ask". *NOT* to "anyone". And they are free to distribute said code however they want. They can do it by insisting that the customer pay $9.95 shipping to receive just the GPL code on a CD-ROM, AND insist that only paid customers can even place this order.
But, once a customer has received their CD-ROM, they can't do anything to stop that customer from putting an ISO of that CD-ROM on the 'net.
Finally, they can encumber their code with trademark-encumbered pieces for which a user would have to acquire a trademark license, (at least, in GPL 2,) at whatever cost they want. Yes, the customer could remove the trademarked bits and redistribute under another name all they want. But that does prevent "straight out of the box" redistribution.
Just look at Red Hat.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Feature updates (or upgrades) aside, how can they produce a fix to a known problem and then demand that the customer pay to get the fix? In the midst of Toyota's recall PR disaster you would think that maybe somebody at Oracle would have a clue that maybe this is a bad idea. As for comparisons to Linux distros, those arguments don't apply because you're paying for the convenience of the distro in collecting all the updates and packaging them for their OS. In Linux, you can always go out and get the updates yourself directly from the package maintainers. --That's simply not possible with Solaris security patches. The only place to get them is from Sun. If they want to charge for "feature" upgrades, fine. But to deliberately withhold security patches is irresponsible and bad business.
The title of this article is incorrect. It should read Oracle announces its products will become less secure over time. This will be true because they will permit malware to infect a percentage of their installations, which in turn will corrupt others by providing an internal platform for hackers to penetrate otherwise secure systems. Either a product is secure or it is not. Oracle is merely announcing that their products will not be secure.
This is the most absurd piece of news I've come across this year! Why on earth should I pay to have Oracle/Sun fix their own bugs?
Obviously security flaws are bugs. If any security vulnerabilities are identified, they should be ethically and morally obligated (i.e. assuming that the legal angle is unenforceable) to fix these and distribute the patches for free.
Isn't there anything called accountability/responsibility left any more?!? We are a huge Sun shop and one of the reasons we loved Sun so much is the fact that it was not a blood-sucker when it came to things like patches, software, etc. Unlike a company like HP, who charged for everything from multipathing software to UNIX resource mgt tools (which should be the de facto standard of any mature OS).
That's got to be the thing that finally makes me ditch Solaris and OpenSolaris. As much as I hoped to build my next system on that true Unix, it won't happen now. This is it for me and I'm sure I'm not the only one.
Cry to mommy.
What they are doing is perfectly permitted by the GPL. If you do not understand that, then you do not understand the GPL.
Over-the-top Response Guy! Giving "Over-the-Top Responses" since 1970.
Oracle/Sun -
If you're reading this, this is a monumentally stupid idea from a brand management perspective.
Do you really want to be the vendor known for cracked boxes?
When the incident reports go up and "OS: Solaris" is moving to the top, I know what most execs would say.
It won't be "we should pay more for support", it'll be "switch operating systems".
Windows - Pay money upfront and get security updates for free. Solaris - Pay no money upfront, then pay for security updates. While it's initially a bit of a surprise, it's not outrageous.
I think Oracle wants to rid the world of Solaris. That's the intent I get from this gesture. I was considering Solaris for some servers, but this nails the coffin firmly shut.
Microsoft makes critical security updates available even to users it knows are pirating the operating system.
And it's not because they're being nice. It's because it's bad for everyone to have unpatched users out there.
Sun wouldn't let you into their support site without having a support contract - which included hotfixes and service packs. Of course nothing prevented you from getting the files from a friend who did have a contract - maybe that is what they are enforcing?
When I buy software, and it has a bug that allows cracking, that’s the same thing as buying a car and then noticing that it accelerates to death.
It’s the developer company’s duty to fix it ASAP, or face a lawsuit. For not complying with the contract and for fraud.
Asking money for it will only make the standing weaker in front of the judge.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
then we will be paying for Java and next mySQL on the desktop.
They didn't buy Sun to lose money, not that crowd.
When your primary clients are .gov and large enterprise, "extortion" is about the only way left to conduct business.
I think Oracle is forcing other companies to pay money.
Saleh Alsanad http://www.google.com/profiles/q8mosfet
Unless you're patching together something custom, like cheap commodity x86 hardware + Solaris + a bunch of open source apps (tomcat/apache/whatever), in an enterprise setting there would be zero chance of not having a support contract.
Sun hardware + Sun OS + most likely some enterprise sun software (ldap, email, identity management) = support contract required. Not required by Sun, but required by any system administrator who has experience and is responsible.
Sun has never marketed to the guy who buys a bunch of x86 Dells and tries to set up his own web/app cluster. The market is large institutions, with tons of servers, professional sysadmins, and a need for highly responsive enterprise support. And in environments like that, you most likely have many layers of security, with the OS just being one of them.
So what incentive does Sun/Oracle have for maintaining the status quo of requiring a support contract for the latest patches? Well, most likely to reinforce that image that Sun Server + Sun Software = Enterprise Solution. I imagine they'd rather not have tens of thousands of amateur Solaris installs diluting the Sun/Solaris image as they fail, get hacked, or don't perform well.
For the hordes that want to try Solaris, there's OpenSolaris. All the patches and open source code you want. Personally, I think they are better than other OS makers, like say MS, in that you can download Enterprise Solaris free, install it, use it, whatever. In fact, you can download almost all Sun Enterprise Software for free and play with it. But if you are going to roll it out to the public, and want support+patches+on site help, etc... you need to pay.
This would be like Microsoft allowing the download of any of their OS or other products for free, unlimited, no time trial, but just charging for patches. It basically would allow college students, hobbyists, and the curious to use, for as long as they want, all MS products. But the day that user decides to open a business supported by Microsoft servers, he knows he needs to pay to have support.
I wouldn't mind seeing Oracle/Sun becoming more open source over time, in that more and more software, including patches, are completely free. But the current model isn't draconian by any means. It is a balance between allowing a wide audience to explore your software, while retaining a guaranteed revenue stream from serious businesses.
Actually, this was in place LONG before Oracle bought Sun, at least October 2007. They switched from 'Pay for the software and updates are free' to 'Software is free, pay for updates'.
Do some research and stop spreading FUD.
Sun started doing paid-for updates 3 years ago, 2 years before Oracle made the buy offer. Get your facts straight.