
The problem is they don't.

It's pretty trivial to break Oracle SQL from a security standpoint. If and when you report a major issue, it'll be fixed in 2-3 years, and only the issue you outlined.

For example: I submit a bug concerning parsing, a utf-8 backslash not working. Oracle will fix the bug for only that utf-8 code point, and not all other utf-8 points that also cause the bug. It'll also take them 1-2 releases and they may not back port it.




This is almost certainly because the engineers in charge of fixing the bugs are judged solely on the number of tickets they clear, and they could give a crap about the quality of the product as a whole or about Oracle generally.


This is the reason that FOSS and being able to change the code yourself is so valuable. Nobody has time to wait 2 years for a fix. By the time the patch comes out, it will break all of the workaround code written to fix Oracle's bug in the first place.


> Oracle will fix the bug for only that utf-8 code point, and not all other utf-8 points that also cause the bug

Heh:

> [...] (and without learning lessons from what you find, it really is “whack a code mole”) [...]


Wow, how do they fix _only_ one code point?! That's gonna take more effort than just properly fixing it, no?


    switch (c) {
    case BAD_CODEPOINT1:    //bug 30943
    case BAD_CODEPOINT2:    //bug 32821
    /*....*/
    }


?
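As an added illustration (not code from the thread or from Oracle), here are the two approaches side by side in C: a per-ticket check that only knows the specific overlong encodings of backslash that have been reported, beside a general UTF-8 validator that rejects every malformed sequence in one place. The byte sequences and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Patch-per-ticket approach (constructed): each reported byte sequence gets
 * its own check; any sequence nobody has filed a ticket for sails through. */
static int patched_sequence(const unsigned char *s, size_t n, size_t i) {
    if (i + 1 < n && s[i] == 0xC0 && s[i+1] == 0x9C) return 1;                /* overlong '\', 2 bytes */
    if (i + 2 < n && s[i] == 0xE0 && s[i+1] == 0x80 && s[i+2] == 0x9C) return 1; /* overlong '\', 3 bytes */
    return 0;
}
int patchwise_contains_bad(const unsigned char *s, size_t n) {
    for (size_t i = 0; i < n; i++) if (patched_sequence(s, n, i)) return 1;
    return 0;
}

/* Root-cause approach: decode per RFC 3629 and reject every malformed
 * sequence (overlong forms, surrogates, out-of-range values, stray
 * continuation bytes) no matter which code point it would have encoded. */
int utf8_is_valid(const unsigned char *s, size_t n) {
    size_t i = 0;
    while (i < n) {
        unsigned char b = s[i];
        size_t len; unsigned long cp, min;
        if (b < 0x80) { i++; continue; }
        else if ((b & 0xE0) == 0xC0) { len = 2; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { len = 3; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { len = 4; cp = b & 0x07; min = 0x10000; }
        else return 0;                          /* stray continuation byte or 0xF8+ lead */
        if (i + len > n) return 0;              /* truncated sequence */
        for (size_t k = 1; k < len; k++) {
            if ((s[i+k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i+k] & 0x3F);
        }
        if (cp < min) return 0;                 /* overlong: covers every code point at once */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;
        if (cp > 0x10FFFF) return 0;
        i += len;
    }
    return 1;
}

/* Constructed sample: a 4-byte overlong encoding of '\' that has not been
 * "ticketed" yet, so the patchwise check misses it and the validator does not. */
static const unsigned char SAMPLE_OVERLONG4[] = { 0xF0, 0x80, 0x80, 0x9C };
static const unsigned char SAMPLE_OVERLONG2[] = { 0xC0, 0x9C };
static const unsigned char SAMPLE_OK[] = { 'a', 0x5C, 0xC3, 0xA9 };   /* "a\é" */

int main(void) {
    printf("patchwise: %d  validator: %d\n",
           patchwise_contains_bad(SAMPLE_OVERLONG4, 4), utf8_is_valid(SAMPLE_OVERLONG4, 4));
    return 0;
}
```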


How did you get your hands on Oracle code? The blog post made it pretty clear they won't let you read it.



