Mysql install help
Billy Verreynne (JW)
VerreyB at telkom.co.za
Mon Jan 23 09:59:32 UTC 2006
Peter Lieverdink wrote:

>> Why? There is not a -single- sound and solid business or technical
>> reason to back up that statement.
> Try this one then:
>
> "US-CERT Technical Cyber Security Alert TA06-018A --
> Oracle Products Contain Multiple Vulnerabilities"

Aw, come on! That is a truly lame example (sorry for being so blunt
Peter, it is not personal). Show me a product that does -not- have
vulnerabilities. Including Ubuntu!

The issue in this regard is the security features and flexibility that
exist already, and how the vendor responds to the discovery of new
vulnerabilities.

> You can't patch your non-free Oracle XE to fix these issues.

You can. It depends on -what- the problem/vulnerability is. For
example, the default could be that EXECUTE privs exist on UTL_FILE and
have been granted to default role FOO and PUBLIC access has been
granted on that role. (issues like this existed in prior versions)

It could be a problem in the HTP PL/SQL system package - for which the
source exists in your $ORACLE_HOME/rdbms/admin directory. Which is
easily vi'ed and fixed.

Not all vulnerabilities are about the db core (binary executables) -
in fact, few are.

> All you can do is wait for Oracle to fix them for you,
> and hope they let you know when they do.

More lameness Peter. I do not mind sensible arguments, but this is
grasping at straws. Oracle Metalink automatically notifies users of
vulnerabilities (especially new ones) and also informs users of
downloadable security fixes. (last week I received such a notification
of the latest security fixes)

Also, the vast majority of these vulnerabilities are -not- in the
Oracle database product, but other products that use the database.
E.g. Oracle Financials, Oracle Application Server, etc. etc.

The critical security fixes for Oracle 9i released Q4/2005 did not fix
a -single- vulnerability in my core 9i databases as there was nothing
broken security wise.

Then there are step-by-step guides like that of Pete Finnigan that
tell you exactly how to harden an Oracle server. (of course, not
forgetting that an Oracle server should reside on a secure and heavily
firewalled network behind the DMZ - and if that is compromised you
have a lot of other even more critical security issues at hand)

> Anyway, did Wade get his setup working? That was the whole
> point of the exercise, was it not?

And what about the point of making an informed decision when
installing and using software? Especially when it comes to databases?

Open Source and GNU/GPL are not Quality Seals Of Approval. It does not
mean that the product is truly free. Nor does it mean that the
product is better.

I know Java/J2EE is a religion. From reading postings here, it sounds
like some are trying to turn Open Source into one too... where the only
criterion is that of any religion. Blind faith. Nothing else.

--
Billy
More information about the ubuntu-users
mailing list
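
The UTL_FILE scenario in the post above (EXECUTE reaching PUBLIC through a role) can be checked from the Oracle data dictionary. This is an added example, not part of the original post or of any Oracle-supplied script; it assumes an account that can read the DBA_* views, and FOO is the post's own placeholder role name.

```sql
-- Added example (Oracle SQL): audit whether EXECUTE on SYS.UTL_FILE is
-- reachable by PUBLIC, either directly or through a chain of role grants.

-- Step 1: every grantee that PUBLIC effectively "is": PUBLIC itself plus
-- any role granted to PUBLIC, plus roles nested inside those roles.
WITH public_roles AS (
    SELECT 'PUBLIC' AS grantee FROM dual
    UNION
    SELECT granted_role
      FROM dba_role_privs
     START WITH grantee = 'PUBLIC'
   CONNECT BY PRIOR granted_role = grantee
)
-- Step 2: EXECUTE grants on UTL_FILE held by any of those grantees.
-- Any row returned means every database account can call UTL_FILE.
SELECT p.grantee, p.grantor, p.owner, p.table_name, p.privilege
  FROM dba_tab_privs p
  JOIN public_roles r ON r.grantee = p.grantee
 WHERE p.owner      = 'SYS'
   AND p.table_name = 'UTL_FILE'
   AND p.privilege  = 'EXECUTE'
 ORDER BY p.grantee;

-- Step 3: before revoking, list stored code that references UTL_FILE.
-- These owners need a direct grant afterwards or their objects go invalid.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name  = 'UTL_FILE'
   AND referenced_type  = 'PACKAGE'
   AND owner NOT IN ('SYS', 'PUBLIC')
 ORDER BY owner, name;

-- Step 4 (remediation, left commented out; run only after reviewing the
-- output of steps 2 and 3). APP_OWNER is a hypothetical schema name.
-- REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
-- REVOKE foo FROM PUBLIC;               -- if the grant came via role FOO
-- GRANT EXECUTE ON sys.utl_file TO app_owner;
```

Re-running the step 2 query after remediation should return no rows.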