Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oracle/Sun Enforces Pay-For-Security-Updates Plan

Posted by CmdrTaco on from the you-get-what-you-pay-for dept.

An anonymous reader writes "Recently, the Oracle/Sun conglomerate has denied public download access to all service packs for Solaris unless you have a support contract. Now, paying a premium for gold-class service is nothing new in the industry, but withholding critical security updates smacks of extortion. While this pay-for-play model may be de rigueur for enterprise database systems, it is certainly not the norm for OS manufactures. What may be more interesting is how Oracle/Sun is able to sidestep GNU licensing requirements since several of the Solaris cluster packs contain patches to GNU utilities and applications."

13 of 238 comments (clear)

  1. That's a nice server you got there by bigredradio · · Score: 5, Funny

    It would be a shame is something was to happen to it.

    --
    Flexible bare-metal recovery for Linux/UNIX
    1. Re:That's a nice server you got there by ircmaxell · · Score: 5, Insightful

      Actually, that brings up a point. Since this is about security flaws in their distribution, wouldn't this make them liable if something happened to your sever? "They gave me faulty software which THEY KNEW WAS FAULTY because they wanted to charge me $xx to get the fix"...? This isn't about feature updates (which they could justify charging for), it's about flaws in what they gave out... Now sure, you could say that the flaws were outside of their control because they came from upstream. But if that was the case, how in the world could they justify charging for those updates as not being extortion?...

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
    2. Re:That's a nice server you got there by Zerth · · Score: 4, Insightful

      The part that says(slightly paraphrased for clarity) "this disclaimer may not be valid in some states and does not prevent you from exercising your rights, but hopefully confuses you enough that you don't realize you have any"

    3. Re:That's a nice server you got there by ircmaxell · · Score: 4, Insightful

      A contract to perform an illegal act is not a valid contract... Considering here the threat is that you can be attacked through the vulnerabilities that were provided in the original software package, I think the argument could be made that this is extortion. And if it is extortion, then they would become responsible for any damages occurring because of the extortion. So even though they disclaimed liability, they could still be held liable (If it is found to be extortion). The disclaimer of liability can been thrown out in cases of criminal negligence (If they installed a back door on your server and then exploited it, they would be liable for the damages regardless of what was in the license)... So it really doesn't matter in this particular case if you agreed to their terms or not so long as a court would agree that this is extortion...

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
  2. Sidestep? by TheRaven64 · · Score: 4, Insightful

    What may be more interesting is how Oracle/Sun is able to sidestep GNU licensing requirements since several of the Solaris cluster packs contain patches to GNU utilities and applications

    The GPL doesn't prevent you from charging a fee for GNU software. It just stops you from preventing the people you sell it to from distributing it to everyone else. OpenSolaris is free and the source is available. If you are using Solaris (not OpenSolaris) then you are paying for a platform that has undergone some extra testing and comes with support guarantees. If this isn't important to you, then use OpenSolaris for free.

    --
    I am TheRaven on Soylent News
  3. Re:Just like Redhat by Anonymous Coward · · Score: 5, Informative

    o rly?

    http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/

  4. Sidestepping Nothing by CritterNYC · · Score: 5, Insightful

    They're not sidestepping anything GPL-wise. The OS patches contain some GPL binaries and some proprietary binaries. They are side by side, which means the proprietary binaries are not subject to the GPL. The entire patch package, therefor, can't be redistributed. The GPL bits within the patch can be freely redistributed. As can the source for those bits, which Sun/Oracle is (presumably) making available as they always have to comply with the GPL.

    So, they are sidestepping nothing.

    --
    Portable versions of Firefox, GIMP, LibreOffice, etc
  5. Re:Was to be exepected by Capt+James+McCarthy · · Score: 4, Informative

    I don't want to sound negative, but I was always worried about Oracle buying Sun, for how it would impact negatively on Sun's business. For me the Oracle web site is so convoluted that it stinks of 'we designed this so that you to pay use to find it'. Everything feels designed to nickle and dime everything you try doing with them. This is based on experience of having get specific updates to fix certain known issues. If you don't agree with my perspective, I would gladly appreciate hearing about your experience.

    I am a Java developer and I hope that they don't extend this to Java or any other Sun technologies with a more 'open' culture.

    I agree. I cringe every time I venture into the quagmire of oracle.com to obtain a CPU or look up information/patches for an older version of oracle. Sun's site was much easier to navigate through for patch clusters or specific patches themselves. Now that sun's site is folded into oracle's site, finding hardware information has become a pain. I did find that going to sunsolve still is the way to go though.

    --
    There are no loopholes. It's either legal or it's not.
  6. Re:Just another step... by Anonymous Coward · · Score: 5, Informative

    There's a big difference - it used to be you needed a contract to use their patch update manager (and one contract covered all machines), but not just download individual patches or patch clusters (which, BTW, are integrated into the latest full OS downloads, and in fact at least one Sun person I've seen has recommended just grabbing the latest full OS download and using that to apply updates!). Now, not only do you need a contract, but you need one for each machine and OS version separately, and you can't actually buy the contracts from Oracle anyway. There's NO way to purchase them online (in fact the one link that's been posted multiple times as "I've verified this works" by Sun/Oracle people takes you to the Oracle 404 page), and when you leave your name with the pre-sales people to have sales call you, you don't get called back (since there's no way to actually talk to a sales person directly).

    I suspect that Oracle is doing everything they can to passively kill Solaris without admitting it, that way they can say it wasn't their fault (or plan all along) when the regulators and shareholders come asking questions... If I had my choice, I'd be off Solaris completely, but at least for right now I don't. What's really interesting is what this is going to do to all those proprietary software vendors who require Solaris as the server OS for software used in regulatory compliance-audited environments. Since no patching = non-compliance, the ripple-effect is gonna be HUGE...

  7. Industry-wide needs to pro-consumer policy by discojohnson · · Score: 4, Insightful

    All security updates should be free as in beer. Patches that include features are for-pay. It's not my fault they released a product with security holes. I love car analogies, and it works pretty good here.

  8. Re:Was to be exepected by hoggoth · · Score: 4, Funny

    I wanted to play with a particular technology from a company that was acquired by a company that was acquired by Oracle. I called Oracle and got passed from department to department. Nobody had ever even heard of this technology or the company they had acquired years ago. One rep was willing to sell me a license to use the technology for many thousands of dollars even though he himself couldn't find any mention of it inside Oracle, with the caveat that I would have to FIND IT myself because he didn't have any idea where it might be. After being transferred back to the same person the fourth or fifth time I gave up with the phone and started googling for the technology. I found a web page deep inside Oracle's website that had the entire thing, source code and all, available. There were no disclaimers, there was no license, just instructions on how to download it, compile it, install it, and use it.

    So I did.

    I suspect Oracle is run by the Department of Motor Vehicles.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  9. As a industry best practice... by Mr.Fork · · Score: 4, Insightful

    This goes back to the story of the Scorpion and the Frog. A scorpion was travelling across the land when he came to a river. Wanting to get across, he approached a frog to help him get across.
    The frog replied "Why should I help you across because you will sting me and we will both drown."

    The scorpion said "I promise not to sting you."

    They are half-way across the river then the scorpion is startled by a splash of water and stings the frog. The frog cries out as his body begins to paralyze "Fool! You have doomed us both as I predicted."

    The scorpion replies "Fool? What did you expect Frog? I am a scorpion."

    Oracle is a Scorpion. Anyone who thought otherwise when they purchased SUN is a fool.

    --
    Management is doing things right; leadership is doing the right things. - Peter F. Drucker
  10. Re:Just like Redhat by harmonise · · Score: 5, Funny

    o rly?

    O'Reilly is over here: ftp://ftp.oreilly.com/

    --
    Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.