This person has obviously never applied a one off fix for Oracle on Linux.
I counted no less than 334 patches for Oracle 10g R1 10.1.0.4 from a search
on Metalink.
Fixes get created more than once a quarter.
I guess that a "security blog peruser" just skims the surface looking for
quotes.

from this article: "Security Blog Log: Oracle makes Microsoft look good"
By Bill Brenner
20 Jan 2006 | SearchOracle.com
<http://searchoracle.techtarget.com/columnItem/0,294698,sid41_gci1161076,00.html?track=NL-94&ad=541204>

"While Microsoft has a monthly process, he said, "Once in a blue moon
[Oracle] comes out with so many patches it is difficult to count them. One
such time was this week. Putting Oracle's ability aside for a moment, I
would like to just tell Oracle one thing: A THOUSAND PATCHES RELEASED AT
ONCE IS HORRIBLE, GET A GRIP!""

IMHO:

released at once as a
regression-tested set is far more preferable to me if I'm trying to schedule
maintenance windows around month-end/quarter-end/year-end closes, etc.

I tend to agree with this gentleman:
"At least with a quarterly process you know when the next release is coming
and you can schedule the deployment work well ahead of time," Nirnay Patil,
DBA for Boston-based wireless communications provider American Tower Corp.,
said at the time. "You can work out the manpower issues and all that. And
when the patches come out, there's time to test things more carefully."

Paul

By the way:

Notice
Scheduled Downtime: Network Outage on Jan 20th and Jan 27th

Patch Downloads will be unavailable due to maintenance starting from 6:00 PM
(PDT) on Friday, January 20th until 12.00 PM (PDT) Saturday, January 21st
and again from 6:00 PM (PDT) on Friday, January 27th until 6:00 PM (PDT) on
Saturday, January 28th.

You will not be able to download any patches during the outage! Therefore,
if you have any planned patch associated tasks, we strongly encourage you to
schedule them for completion prior to this outage. However, in case of
emergency, you can contact Oracle Support
<http://www.oracle.com/support/contact.html> for patch delivery
during this downtime.


  • Niall Litchfield at Jan 25, 2006 at 10:16 pm

    On 1/25/06, Paul Drake wrote:
    > I tend to agree with this gentleman:
    > "At least with a quarterly process you know when the next release is
    > coming and you can schedule the deployment work well ahead of time," Nirnay
    > Patil, DBA for Boston-based wireless communications provider American Tower
    > Corp., said at the time. "You can work out the manpower issues and all that.
    > And when the patches come out, there's time to test things more carefully."

    I tend not to. At least I agree that patching things once a quarter is not
    unreasonable; I can't believe that patching things several years after they
    are reported is sensible. Then there are the changing advisories and
    checksums. Sadly I suspect that Oracle will get security between 3 and 6
    months after Oracle databases are widely penetrated. Given that my ID, my
    benefits, my employment details etc. depend on Oracle databases this scares
    me silly.

    The 3-6 months by the way is the timescale where the supplier blames the
    customers for not applying all of the 344 one-off patches after testing them
    first.
  • Paul Drake at Jan 25, 2006 at 10:54 pm

    On 1/25/06, Niall Litchfield wrote:
    > On 1/25/06, Paul Drake wrote:
    > > I tend to agree with this gentleman:
    > > "At least with a quarterly process you know when the next release is
    > > coming and you can schedule the deployment work well ahead of time," Nirnay
    > > Patil, DBA for Boston-based wireless communications provider American Tower
    > > Corp., said at the time. "You can work out the manpower issues and all that.
    > > And when the patches come out, there's time to test things more carefully."
    >
    > I tend not to. At least I agree that patching things once a quarter is not
    > unreasonable; I can't believe that patching things several years after they
    > are reported is sensible. Then there are the changing advisories and
    > checksums. Sadly I suspect that Oracle will get security between 3 and 6
    > months after Oracle databases are widely penetrated. Given that my ID, my
    > benefits, my employment details etc. depend on Oracle databases this scares
    > me silly.
    >
    > The 3-6 months by the way is the timescale where the supplier blames the
    > customers for not applying all of the 344 one-off patches after testing them
    > first.
    >
    > --
    > Niall Litchfield
    > Oracle DBA
    > http://www.niall.litchfield.dial.pipex.com

    Niall,

    What I should have typed was - I do not want to have to apply one-off
    patchsets across servers distributed around the globe every week with no
    advanced notice. I am not supporting the lag in the turn-around time of the
    fixes that Alex describes. I am simply advocating that it is difficult to
    obtain maintenance windows for production systems, particularly near closing
    periods. I prefer to not apply patches if such patches are not required. I
    would prefer to apply regression-tested patchsets, such as 10.1.0.5. Of
    course that is not the reality we deal with, when one-off patches are
    available to remedy critical vulnerabilities.

    Oracle's boilerplate disclaimer on one-off patches used to read something
    along the lines of " ... you must have located this patch off of an exact
    bug number ... this is not regression tested ..."

    Backing out one-off patches on 8.1.7.4 was not really an option - re-install
    was the supported path.

    I can recall 8.1.7.4.6 breaking utl_smtp (utl_tcp) functionality on win32,
    requiring the 8.1.7.4.17 patch (officially) or borrowing a few files from a
    healthy home as a work-around. I don't like "one-off patch land". I don't
    like "loss of functionality land" due to bugs in new code.

    So my real point is in patching vulnerabilities, rather, critical issues (in
    bulk) as quickly as possible with ideally a less than 3 months turn around
    time from Oracle. I think that is what David Litchfield was after when he
    blasted Oracle after the CPUOct2005 mess.

    Ok - it's nearly 6 pm, time for my maintenance window for patching.

    Paul

Discussion Overview
group: oracle-l
categories: oracle
posted: Jan 25, '06 at 7:57p
active: Jan 25, '06 at 10:54p
posts: 3
users: 2
website: oracle.com