
> customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem...We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”

Until I read this, I didn't think it was possible for me to hate Oracle more, because I'm forced to work with their software and that makes me already hate them quite a bit.

The problem is they don't.

It's pretty trivial to break Oracle SQL from a security standpoint. If and when you report a major issue, it'll be fixed in 2-3 years, and only the issue you outlined.

For example: I submit a bug concerning parsing, UTF-8 backslash not working. Oracle will fix the bug for only that UTF-8 code point, and not all other UTF-8 code points that also cause the bug. It'll also take them 1-2 releases and they may not back-port it. 1

This is almost certainly because the engineers in charge of fixing the bugs are judged solely on the number of tickets they clear, and they could give a crap about the quality of the product as a whole or about Oracle generally.

This is the reason that FOSS and being able to change the code yourself is so valuable. Nobody has time to wait 2 years for a fix. By the time the patch comes out, it will break all of the workaround code written to fix Oracle's bug in the first place.

> Oracle will fix the bug for only that utf-8 code point, and not all other utf-8 points that also cause the bug


> [...] (and without learning lessons from what you find, it really is “whack a code mole”) [...]

Wow, how do they fix _only_ one code point!??! That's gonna take more effort than just properly fixing it, no?

    switch (c) {
    case BAD_CODEPOINT1:    //bug 30943
    case BAD_CODEPOINT2:    //bug 32821
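The per-code-point "whack a code mole" fix from the earlier comment, and the `switch` joke above, side by side with a fix for the whole class of input. This is an added illustration, not code from the thread or from Oracle; the scenario (an input filter meant to catch backslashes, fed lookalike code points and malformed UTF-8 bytes) and the sample inputs are constructed.

```python
# Added example (not from the thread): contrasts a per-code-point fix with a
# fix that addresses the whole class of equivalent inputs.
# Assumed scenario: an input filter is supposed to detect backslashes, but a
# backslash can also arrive as a compatibility lookalike code point or as a
# malformed (overlong) UTF-8 byte sequence.
import unicodedata

# Constructed sample inputs: ASCII backslash, FULLWIDTH REVERSE SOLIDUS (U+FF3C),
# SMALL REVERSE SOLIDUS (U+FE68), and an overlong 2-byte encoding of 0x5C.
SAMPLES = [
    b"a\\b",
    "a\uff3cb".encode("utf-8"),
    "a\ufe68b".encode("utf-8"),
    b"a\xc0\x9cb",
]


def whack_a_mole_contains_backslash(raw: bytes) -> bool:
    """Per-ticket fix: one more 'case' gets added each time a report comes in."""
    text = raw.decode("utf-8", errors="replace")
    for ch in text:
        if ch == "\\":          # the original check
            return True
        if ch == "\uff3c":      # 'bug 1': the one reported code point
            return True
    return False                # U+FE68 and the overlong bytes still slip through


def class_fix_contains_backslash(raw: bytes) -> bool:
    """Fix the class: strict decoding rejects malformed/overlong byte sequences,
    and NFKC normalization folds compatibility lookalikes onto U+005C."""
    try:
        text = raw.decode("utf-8")  # strict: 0xC0 is never a valid start byte
    except UnicodeDecodeError:
        return True                  # undecodable input is treated as suspect
    return "\\" in unicodedata.normalize("NFKC", text)


def compare() -> dict:
    """Map each sample to (whack-a-mole result, class-fix result)."""
    return {
        s: (whack_a_mole_contains_backslash(s), class_fix_contains_backslash(s))
        for s in SAMPLES
    }
```

Running `compare()` shows the per-code-point filter catching only the first two samples while the class fix catches all four; the same pattern applies to any "one report, one case label" patch.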


How did you get your hands on Oracle code? The blog post made it pretty clear they won't let you read it.

If you're forced to use their software, and you disagree with their strong closed-source stance, you should share your views with whoever is doing the "forcing" (your employer?). If they don't listen, it's on them.

Oracle has a very specific, clear opinion on the matter and it is valid to have that opinion. I don't agree with them, but I respect that we're allowed to disagree. Instead of hating them, I just don't use any of their stuff if I can help it (except Java).

There's no need to be filled with hate over it. Change what you can change and don't worry about the rest.

It's not that simple, I don't think.

How much of my private information, as kept by government or private organizations, is stored in Oracle databases that are less secure because of their boneheaded stance on this?

People have all sorts of reasons for choosing Oracle solutions. I am not in a position to influence all those people, even when their choices affect me directly.

Oh yes, I agree. That is why I think it makes sense to tell everyone you can about the issue. However, there is only so much anyone can do about it, and technically it isn't Oracle's fault that people won't listen, only the bugs/vulnerabilities in their products.

A crude example: Imagine you're a janitor. Your company only supplies you with buckets from Leaky Bucket, Inc. Their buckets always leak, creating more messes that you have to clean up. Sure, Leaky Bucket, Inc. needs to fix their bucket processes, but I'd be more angry at the company for continuing to use buckets from a shoddy manufacturer.

I think it's perfectly reasonable to be plenty angry at Leaky Bucket, Inc. for forbidding end users from patching their buckets.

Why should you be angry? They are just being stupid. Being stupid is something humans do naturally. Choosing to rely on someone who is verifiably stupid (in your opinion) is significantly worse, I think, than the original stupidity.

edit: And by the way, the very first time you are forbidden from patching a bucket you could patch yourself should be the red flag that tells you to use different buckets. Move on to better things and encourage others to do so too.

I can understand the argument that I shouldn't be upset with my cat because he claws my feet under a blanket; it's his natural instinct.

I can't understand the argument that I shouldn't be upset with a human being because they're stupid, and make stupid decisions. Humans are capable of introspection, education, and change.

I don't think it's unreasonable to expect more of my fellow humans than of my cat.

But I guess I won't be mad at you.

It is totally fine to be frustrated by humans being stupid, but some humans really do have less cognitive abilities than others. In at least some of those cases it isn't their fault necessarily.

So, I'm just making the point that frustration makes sense, but hate probably doesn't. They certainly aren't intending to be stupid, but it is frustrating that we can't show them the error of their reasoning sometimes.

Refusal to introspect is not a lack of cognitive ability, it is a choice that is appropriate to shame.

Legacy systems...

That being said, as a (forced) Oracle customer I have been and will continue to do everything in my power to migrate off of Oracle's ecosystem. This ridiculously offensive post by their CSO is just more motivation.

I think that is a very reasonable course of action, and that is my point. Rather than complain about the no-reverse-engineering thing, you really should just move everything you can off of Oracle systems if you disagree with them on this.

The software is the good part of Oracle. You figure out the rest.
