Oracle’s non-disclosure security policy

Last week I was surprised to see a not-so-common Debian security update of mysql-5.1 upgrading its version from 5.1.49 to 5.1.61. This is not the way security updates work in Debian: once a security flaw is found, the patch is applied to the current stable release, keeping its version number, rather than repackaging the latest available upstream version.
Looking for more information, I realized that the new version could carry several known incompatible changes and that I would need a longer round of testing than expected before upgrading the production servers.
Great, I thought, what’s going on with mysql?
To make a long story short, the problem is that Oracle does not disclose information about its security patches. Multiple vulnerabilities are present in the mysql 5.1 branch and Oracle does not disclose their details: the only choice is to move to the latest version, which Oracle states is bug free and safe.
Unfortunately this is not the first time for Oracle (it happens all the time with all of its free and closed projects), but it is the first time for mysql and Debian since Oracle's acquisition of Sun.
Security experts consider this policy bad behavior (hiding security information is always a bad idea), and it is something that free software supporters do not understand (and do not want at all).
An ongoing discussion to decide the future of mysql support in Debian and Ubuntu has started, and a lot of people are seriously considering whether it is worth moving to new forked projects that are 100% backward compatible, such as MariaDB and Percona Server.
I think they have a good point.


This entry was posted on Saturday, March 17th, 2012 at 5:21 PM and is filed under security.