Slashdot Mirror


Oracle/Sun Enforces Pay-For-Security-Updates Plan

An anonymous reader writes "Recently, the Oracle/Sun conglomerate has denied public download access to all service packs for Solaris unless you have a support contract. Now, paying a premium for gold-class service is nothing new in the industry, but withholding critical security updates smacks of extortion. While this pay-for-play model may be de rigueur for enterprise database systems, it is certainly not the norm for OS manufactures. What may be more interesting is how Oracle/Sun is able to sidestep GNU licensing requirements since several of the Solaris cluster packs contain patches to GNU utilities and applications."

44 of 238 comments

  1. That's a nice server you got there by bigredradio · · Score: 5, Funny

    It would be a shame if something were to happen to it.

    1. Re:That's a nice server you got there by Em Emalb · · Score: 3, Funny

      That's a nice joke you have there. It'd be a shame if someone were to moderate it. ;)

      --
      Sent from your iPad.
    2. Re:That's a nice server you got there by ircmaxell · · Score: 5, Insightful

      Actually, that brings up a point. Since this is about security flaws in their distribution, wouldn't this make them liable if something happened to your server? "They gave me faulty software which THEY KNEW WAS FAULTY because they wanted to charge me $xx to get the fix"...? This isn't about feature updates (which they could justify charging for), it's about flaws in what they gave out... Now sure, you could say that the flaws were outside of their control because they came from upstream. But if that was the case, how in the world could they justify charging for those updates as not being extortion?...

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
    3. Re:That's a nice server you got there by Zerth · · Score: 4, Insightful

      The part that says (slightly paraphrased for clarity) "this disclaimer may not be valid in some states and does not prevent you from exercising your rights, but hopefully confuses you enough that you don't realize you have any"

    4. Re:That's a nice server you got there by ircmaxell · · Score: 4, Insightful

      A contract to perform an illegal act is not a valid contract... Considering here the threat is that you can be attacked through the vulnerabilities that were provided in the original software package, I think the argument could be made that this is extortion. And if it is extortion, then they would become responsible for any damages occurring because of the extortion. So even though they disclaimed liability, they could still be held liable (If it is found to be extortion). The disclaimer of liability can be thrown out in cases of criminal negligence (If they installed a back door on your server and then exploited it, they would be liable for the damages regardless of what was in the license)... So it really doesn't matter in this particular case if you agreed to their terms or not so long as a court would agree that this is extortion...

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
    5. Re:That's a nice server you got there by Lunix Nutcase · · Score: 2, Insightful

      So that's a no on having any relevant statutory or case law to back up the claim that they could be successfully sued for extortion? Yeah, I thought so.

    6. Re:That's a nice server you got there by ircmaxell · · Score: 2, Insightful

      If you bought a lock and three years later someone found a way to pick it would you expect the company to give you a new lock?

      No. But if I bought a lock that claimed to be secure, and a few months down the line someone figured out that you could unlock it by simply putting a paperclip in the end, I would expect them to give me a new lock. I expect a reasonable level of security, and I expect a reasonable length of support for that security. If they told me 1 month after purchase that they weren't going to fix security issues, I'd be flabbergasted. If there was a critical zero day vulnerability found, I expect it fixed yesterday (I understand that in reality it takes time, but I expect the fix in a reasonable amount of time, not years). And since it was a fundamental flaw in the original design, I either want the fix for free, or a free upgrade to software that doesn't contain the fundamental flaw. Just because they get away with it doesn't make it right...

      It takes money to patch security issues and issue updates; that money has to come from somewhere.

      When I purchase a product, I expect that product to work. When I pay for support, I pay so that I have someone to call if something goes wrong. I don't pay support so that the company can offset its costs from the purchase price. So the money they spend on security should come from the purchase price (after all, security is a subset of development rather than a subset of support), not the service contract.

      Now if we could just kill software patents because they are as dumb as patenting a story, song, movie, or equation.

      I agree 110%...

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
    7. Re:That's a nice server you got there by Perl-Pusher · · Score: 3, Interesting

      By that measure then no need for Toyota to recall anything. You paid for the current version of the vehicle so they can just charge to fix your death trap. As long as it's reasonable, labor, parts of course! I'm waiting for someone to set a legal precedent here. The day a software company becomes liable for negligence will forever change IT. I can see it happening at a hospital where access to vital information was lost and someone dies.

    8. Re:That's a nice server you got there by wytcld · · Score: 2

      "It would be a shame if your nice [online] storefront got broken into and wrecked. Yeah, we sold you that front door and lock. Well, you should know there's a little problem we've discovered with it. We could fix it for you, for a price. Or you might expect to find a couple of guys have opened that lock at night and run through your place with wrecking bars, one of these mornings."

      Classic protection racket. My Italian relatives would totally approve.

      --
      "with their freedom lost all virtue lose" - Milton
  2. Just like Redhat by shafty023 · · Score: 3, Informative

    This isn't any different from what Redhat does. They charge for security updates and no one has gone crying about it. Can't all jump on Oracle for wanting to be paid for the development time put in for security updates ppl

    1. Re:Just like Redhat by Anonymous Coward · · Score: 5, Informative

      o rly?

      http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/

    2. Re:Just like Redhat by jedidiah · · Score: 3, Insightful

      Oracle is redistributing the works of others... just as if they were passing around copies of msoffice.

      Now of course something like that comes with legal complications.

      Merely claiming that this is another case of "entitlement mentality" is dishonest and *ssinine.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    3. Re:Just like Redhat by harmonise · · Score: 5, Funny

      o rly?

      O'Reilly is over here: ftp://ftp.oreilly.com/

      --
      Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
  3. Sidestep? by TheRaven64 · · Score: 4, Insightful

    What may be more interesting is how Oracle/Sun is able to sidestep GNU licensing requirements since several of the Solaris cluster packs contain patches to GNU utilities and applications

    The GPL doesn't prevent you from charging a fee for GNU software. It just stops you from preventing the people you sell it to from distributing it to everyone else. OpenSolaris is free and the source is available. If you are using Solaris (not OpenSolaris) then you are paying for a platform that has undergone some extra testing and comes with support guarantees. If this isn't important to you, then use OpenSolaris for free.

    --
    I am TheRaven on Soylent News
    1. Re:Sidestep? by flaptrap · · Score: 3, Insightful

      ...and I quote (from gnu.org gpl-faq)

              The GPL does not require you to release your modified version, or any part of it. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.

              But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program's users, under the GPL.

              Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you. ...and...

      If you commercially distribute binaries not accompanied with source code, the GPL says you must provide a written offer to distribute the source code later. When users non-commercially redistribute the binaries they received from you, they must pass along a copy of this written offer. This means that people who did not get the binaries directly from you can still receive copies of the source code, along with the written offer.

      The reason we require the offer to be valid for any third party is so that people who receive the binaries indirectly in that way can order the source code from you.

    2. Re:Sidestep? by hellraizer · · Score: 2, Informative

      it may be so ... but .... Quoting Oracle's web page ... "Licensing Information By accessing the software on this Web site, you agree that (1)(a)you have already obtained a license from Sun, or a Sun partner, for your current use of the software; and (b) that your Sun License Agreement, Sun Partner Agreement, or other license agreement with Sun or a Sun partner, together with the applicable Entitlement or order document with Sun or a Sun partner, governs your use of the software, or (2) if you have not already obtained a license from Sun or a Sun Partner for your use of the software, the Sun Microsystems License Agreement on this Web site governs your use of the software for the time specified in such agreement. Note: Programs downloaded for trial use or downloaded as replacement media may not be used to update any unsupported programs " The word LICENCE comes up very often .... am I wrong about this ???

    3. Re:Sidestep? by spamcop · · Score: 3, Informative

      Solaris is free to download and install and to use for ONLY 90 DAYS! They changed this licence only a few days ago. http://www.sun.com/software/solaris/popup.jsp?info=17 Quote: Solaris 10 Download Customers bla bla bla... Please remember, your right to use Solaris acquired as a download is limited to a trial of 90 days, unless you acquire a service contract for the downloaded Software.

  4. Mr. Opportunity by abbynormal brain · · Score: 2, Interesting

    ... is knocking on the door of the competition.

    There are many ways to take news like this. For those invested, it's a blow. For the free market and those looking for marketing opportunities (cough ... I'm talking to the competition) .... this is your opportunity to do something good to us looking for solutions and yourself (in recapturing market share). Make me an offer I can't refuse.

    --
    L'esperienza de questa dolce vita (The experience of this sweet life) - Dante Alighieri, The Divine Comedy
  5. Sidestepping Nothing by CritterNYC · · Score: 5, Insightful

    They're not sidestepping anything GPL-wise. The OS patches contain some GPL binaries and some proprietary binaries. They are side by side, which means the proprietary binaries are not subject to the GPL. The entire patch package, therefore, can't be redistributed. The GPL bits within the patch can be freely redistributed. As can the source for those bits, which Sun/Oracle is (presumably) making available as they always have to comply with the GPL.

    So, they are sidestepping nothing.

    1. Re:Sidestepping Nothing by Wannabe Code Monkey · · Score: 2, Interesting

      Don't 'presume'. ARE they offering the source code for the gpl portions of the patches? If they are, get those. If they aren't, it isn't side stepping, it's flat out breaking.

      I think you'll find that 'not presuming' is exactly what the parent is doing. The summary said, "What may be more interesting is how Oracle/Sun is able to sidestep GNU licensing requirements". And the poster is saying, "Hey lets slow down a second, are we sure Oracle isn't giving access to the source code to their customers?" Remember, there's nothing stopping Oracle from charging for GPL source code, and they only have to provide access to the source code to the people they distribute the binaries to. So if you don't have a support contract with Oracle, they don't have to provide you with the source code because they're not providing you with the binaries either. However, if one of their customers decides to redistribute the source code, there's nothing Oracle can do about that.

      --
      We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
  6. Was to be expected by Midnight Thunder · · Score: 3, Insightful

    I don't want to sound negative, but I was always worried about Oracle buying Sun, for how it would impact negatively on Sun's business. For me the Oracle web site is so convoluted that it stinks of 'we designed this so that you have to pay us to find it'. Everything feels designed to nickel and dime everything you try doing with them. This is based on experience of having to get specific updates to fix certain known issues. If you don't agree with my perspective, I would gladly appreciate hearing about your experience.

    I am a Java developer and I hope that they don't extend this to Java or any other Sun technologies with a more 'open' culture.

    --
    Jumpstart the tartan drive.
    1. Re:Was to be expected by Capt James McCarthy · · Score: 4, Informative

      I don't want to sound negative, but I was always worried about Oracle buying Sun, for how it would impact negatively on Sun's business. For me the Oracle web site is so convoluted that it stinks of 'we designed this so that you have to pay us to find it'. Everything feels designed to nickel and dime everything you try doing with them. This is based on experience of having to get specific updates to fix certain known issues. If you don't agree with my perspective, I would gladly appreciate hearing about your experience.

      I am a Java developer and I hope that they don't extend this to Java or any other Sun technologies with a more 'open' culture.

      I agree. I cringe every time I venture into the quagmire of oracle.com to obtain a CPU or look up information/patches for an older version of Oracle. Sun's site was much easier to navigate through for patch clusters or specific patches themselves. Now that Sun's site is folded into Oracle's site, finding hardware information has become a pain. I did find that going to sunsolve still is the way to go though.

      --
      There are no loopholes. It's either legal or it's not.
    2. Re:Was to be expected by hoggoth · · Score: 4, Funny

      I wanted to play with a particular technology from a company that was acquired by a company that was acquired by Oracle. I called Oracle and got passed from department to department. Nobody had ever even heard of this technology or the company they had acquired years ago. One rep was willing to sell me a license to use the technology for many thousands of dollars even though he himself couldn't find any mention of it inside Oracle, with the caveat that I would have to FIND IT myself because he didn't have any idea where it might be. After being transferred back to the same person the fourth or fifth time I gave up with the phone and started googling for the technology. I found a web page deep inside Oracle's website that had the entire thing, source code and all, available. There were no disclaimers, there was no license, just instructions on how to download it, compile it, install it, and use it.

      So I did.

      I suspect Oracle is run by the Department of Motor Vehicles.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    3. Re:Was to be expected by sjames · · Score: 3, Funny

      If only Oracle had one of those data-thingamajigies that lets you search for information and retrieve it.

  7. Just another step... by ak_hepcat · · Score: 2, Informative

    ...and another 'I' dotted in Oracle's plan to kill off Solaris, and force Linux as their high-end product.

    I only have one Solaris server left, and I'm rapidly losing any real need to keep using it.
    In fact, I will probably end up migrating off of Solaris this year, just to be done with it.

    Linux works just fine on my Sparc hardware, even my Ultra Enterprise 2, which hasn't seen upgrades or replacement parts in over 10 years. (and why it's still up and running, I don't know...)

    --
    Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)
    1. Re:Just another step... by pedestrian crossing · · Score: 2, Informative

      This policy was in place -long- before the Oracle deal. It has been over 3 years since you needed a support contract to get patches...

      --
      A house divided against itself cannot stand.
    2. Re:Just another step... by Anonymous Coward · · Score: 5, Informative

      There's a big difference - it used to be you needed a contract to use their patch update manager (and one contract covered all machines), but not just download individual patches or patch clusters (which, BTW, are integrated into the latest full OS downloads, and in fact at least one Sun person I've seen has recommended just grabbing the latest full OS download and using that to apply updates!). Now, not only do you need a contract, but you need one for each machine and OS version separately, and you can't actually buy the contracts from Oracle anyway. There's NO way to purchase them online (in fact the one link that's been posted multiple times as "I've verified this works" by Sun/Oracle people takes you to the Oracle 404 page), and when you leave your name with the pre-sales people to have sales call you, you don't get called back (since there's no way to actually talk to a sales person directly).

      I suspect that Oracle is doing everything they can to passively kill Solaris without admitting it, that way they can say it wasn't their fault (or plan all along) when the regulators and shareholders come asking questions... If I had my choice, I'd be off Solaris completely, but at least for right now I don't. What's really interesting is what this is going to do to all those proprietary software vendors who require Solaris as the server OS for software used in regulatory compliance-audited environments. Since no patching = non-compliance, the ripple-effect is gonna be HUGE...

    3. Re:Just another step... by Paul Jakma · · Score: 2, Informative

      I think you've missed the point. Sun still made security patches generally available, Oracle have made those $$-only as well now.

      --
      I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  8. The GPL does not apply here by jonwil · · Score: 2, Insightful

    Presumably if you obtained the GPL binaries/source from SUN, it's legal to redistribute those patches. But there is nothing in the GPL requiring SUN to give you those patches, code or binaries.

    If they give you the binaries, they need to give you the source. But if they choose not to give you the binaries (i.e. you elect not to pay for a Solaris contract), they are not obligated to give you anything (binaries or source).

  9. There's an easy solution to the GNU issue... by sean.peters · · Score: 3, Interesting

    Just because they're selling the security updates doesn't mean they're in violation. I think it's highly likely that Sun/Oracle will go right ahead and sell their updates, and make the source code available (via the web?) for the GNU parts. Offering the source for the GNU packages wouldn't cut into their sales much, as most of their customers are probably not inclined to compile this code for themselves anyway (if they were, my thinking is that they probably wouldn't be running Sun). And even if they were, they'd miss out on updates to the proprietary parts of the code.

    I'm having trouble seeing what the big deal is here.

    1. Re:There's an easy solution to the GNU issue... by bill_mcgonigle · · Score: 3, Insightful

      I'm having trouble seeing what the big deal is here.

      Oracle is building a successful business around open source software in the full spirit of the GPL. They must be destroyed at all costs .. oh, wait.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  10. "de rigueur for enterprise"? Not for DB2 by Kenneth Stephen · · Score: 2, Informative

    I can't think of any IBM product on the "distributed platforms" (i.e not mainframe or i5OS) where the fixpacks are not available for free.

    --
    There is no such thing as luck. Luck is nothing but an absence of bad luck.

  11. Industry-wide needs to pro-consumer policy by discojohnson · · Score: 4, Insightful

    All security updates should be free as in beer. Patches that include features are for-pay. It's not my fault they released a product with security holes. I love car analogies, and it works pretty good here.

    1. Re:Industry-wide needs to pro-consumer policy by RivieraKid · · Score: 2, Insightful

      Industry-wide needs to pro-consumer policy

      Only problem with that is Sun/Oracle aren't selling to consumers.

      --
      "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves."
  12. As an industry best practice... by Mr.Fork · · Score: 4, Insightful

    This goes back to the story of the Scorpion and the Frog. A scorpion was travelling across the land when he came to a river. Wanting to get across, he approached a frog to help him get across.
    The frog replied "Why should I help you across because you will sting me and we will both drown."

    The scorpion said "I promise not to sting you."

    They are half-way across the river then the scorpion is startled by a splash of water and stings the frog. The frog cries out as his body begins to paralyze "Fool! You have doomed us both as I predicted."

    The scorpion replies "Fool? What did you expect Frog? I am a scorpion."

    Oracle is a Scorpion. Anyone who thought otherwise when they purchased SUN is a fool.

    --
    Management is doing things right; leadership is doing the right things. - Peter F. Drucker
    1. Re:As an industry best practice... by ducomputergeek · · Score: 2, Insightful

      This is why the day the deal was announced we started migrating everything we could to PostgreSQL and FreeBSD (ZFS & DTrace Support). I had decent respect for Sun and have had some damn good products and service over the past 15 years or so. Oracle is a company that I absolutely hate dealing with as a vendor. We *have* to support Oracle because that is what some of our clients deploy on. Doesn't mean we have to like it. Honestly, for what we do, we've only had one client that had a HA requirement and they were already running Oracle. For all our other clients PostgreSQL has been able to handle everything we can throw at it and with the new cluster/replication/HA hot standby support in PostgreSQL 9, it looks like it will fill in those gaps that we currently use DB2 or Oracle for.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    2. Re:As an industry best practice... by ma3382 · · Score: 2, Informative

      During the time frogs are submerged under water or buried in soil they breathe through their skin.

    3. Re:As an industry best practice... by RivieraKid · · Score: 2, Informative

      Unless they've been stung by a Scorpion, in which case the venom will kill or paralyse them, thus preventing them from breathing.

      --
      "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves."
  13. a case of programmed cell death - apoptosis by Anonymous Coward · · Score: 2, Interesting

    I just want to congratulate Oracle on doing everything it can to kill off Solaris passively so they don't have to admit what they're doing. I need a Solaris support contract in order to keep a few systems running specialized software in a compliance-audited environment up to date. This is software that is run in many environments where the inability to keep them patched is a showstopper. However, I can't seem to purchase a support contract. The only page that even lists the ability to purchase it is broken (see dpfloyd's comment), and I have not received a call back from Oracle/Sun sales in nearly a week (and that was after getting bounced through 6 different people to a support person who at least knew to forward my info to a Sun-related salesperson, or so they said). Additionally, if you click the "How to Purchase a Contract" it provides no actual info on how to do that, and the link it has to "Learn More" takes you into an infinite loop of "click here, now click here, now click here - oh, wait, I'm back where I started" when you try to find out about Sun Solaris support.

    I hope I'm wrong about what's happening, but I can't say that any of this gives me the warm fuzzies. I'd say that if I had control over the platform I'd migrate those systems off of Solaris to another OS, but I'm guessing that's exactly what Oracle wants...

    Can SOMEONE at Oracle/Sun please tell me how to purchase a support contract to download OS patches? If not, can someone from Oracle/Sun officially tell me to bugger off so I can tell my boss that we're never going to be able to update those servers again and we can start planning on how we're going to get around those issues?

    Thanks.

  14. Stop stepping. by wonkavader · · Score: 2, Insightful

    Yes, that was certainly the plan a year ago.

    It's no longer the plan. You'll soon need to flip it around.

    Solaris is now a great tool to help Oracle force people to one and only one vendor (Oracle) for just about everything. That's the new plan. And Linux fits in that plan right now, but probably won't in a few years, if they can get people to trust them as hardware vendors, and they can keep the quality of Solaris testing up.

    Oracle sees Sun as a company with a LOT of great stuff, but both weak and incompetent, since it didn't squeeze cash out of people on every single thing it did. Oracle is right now in an orgasmic frenzy to take everything Sun had and monetize it -- some at the start, though that's less important, but EVERYTHING must bring in cash via support and updates. Furthermore, expect to see every piece slowly being changed slightly to push you towards coupling with other Oracle tools.

    Which is why open systems, like Linux, don't help Oracle in the long run. Open systems give you flexibility, and flexibility is bad. Oracle is pushing to get the whole enterprise, from soup to nuts. In the words of an IBM rep I was talking to about this: "We tried that 15 years ago, and it almost killed the company."

    Oracle started doing Linux not because they like open systems (they don't), but because A. they could control it a little through their own distro and B. they could get the support contracts, instead of the money going to Red Hat. Now they have Solaris. They'll push that like crazy and move people onto it, since they can certainly control it a lot better than they can control Linux, and instead of some of the support dollars going to Oracle, ALL of the support dollars will go to them.

  15. Title of Article Is Incorrect by turkeyfish · · Score: 3, Informative

    The title of this article is incorrect. It should read Oracle announces its products will become less secure over time. This will be true because they will permit malware to infect a percentage of their installations, which in turn will corrupt others by providing an internal platform for hackers to penetrate otherwise secure systems. Either a product is secure or it is not. Oracle is merely announcing that their products will not be secure.

  16. Absurd! by tinker_taylor · · Score: 2, Insightful

    This is the most absurd piece of news I've come across this year! Why on earth should I pay to have Oracle/Sun fix their own bugs?

    Obviously security flaws are bugs. If any security vulnerabilities are identified, they should be ethically and morally obligated (i.e. assuming that the legal angle is unenforceable) to fix these and distribute the patches for free.

    Isn't there anything called accountability/responsibility left any more?!? We are a huge Sun shop and one of the reasons we loved Sun so much is the fact that it was not a blood-sucker when it came to things like patches, software, etc. Unlike a company like HP, who charged for everything from multipathing software to UNIX resource mgt tools (which should be the de facto standard of any mature OS).

    1. Re:Absurd! by zwede · · Score: 2, Funny

      That would be the traditional capitalist way. The modern capitalist way would be to hire lobbyists to convince government to pass a law making ethics illegal.

    2. Re:Absurd! by KharmaWidow · · Score: 2, Interesting

      It has nothing to do with ethics! Ethics are subjective, as well.

      For it to be unethical, the company would have to release software knowing that the bugs or security holes exist *for the purpose of* selling a fix. As much as we like to hate big companies, I highly doubt that is the case.

      No one with a sound or mature mind would believe that buying software these days is going to be without bugs or eventual security holes. It's *impossible* to make perfect software when the makers are unanimously imperfect.

      People are benefiting from the buggy software - otherwise they wouldn't use it at all. They need to compensate for that use.

      There are a multitude of issues to accommodate for - many of which are due to user error and failure of users to adhere to specs or follow necessary procedures.

      Nor is it an issue of capitalism. If you just open your eyes and look around some of the most notable infamous people are socialists or communists.

      I think people need to grow a pair... and acknowledge that if you want people to do stuff for you, you need to compensate them for it. Thinking you are entitled to free support, perpetually is living in a fantasy world.