Mysql install help

Peter Lieverdink ubuntu at cafuego.net
Mon Jan 23 14:28:39 UTC 2006


Billy Verreynne (JW) wrote:
> Peter Lieverdink wrote:
> 
>>> Why? There is not a -single- sound and solid business or technical
>>> reason to backup that statement.
> 
>> Try this one then:
>>
>> "US-CERT Technical Cyber Security Alert TA06-018A --
>> Oracle Products Contain Multiple Vulnerabilities"
> 
> Aw, come on! That is a truly lame example (sorry for being so blunt
> Peter, it is not personal). Show me a product that does -not- have
> vulnerabilities. Including Ubuntu!

Ubuntu is a suite of over 18,000 packages. Oracle has somewhat less, I 
believe.

It mentions there are 80 ("Eighty") !!! That's a LOT of bugs before 
releasing patches! I just pulled it up because it happened to catch my 
eye the other day. I have yet to find a CERT email that mentions 
anywhere *near* 80 vulnerabilities. Even if I do divide that by the 13 
listed products, I still get over 6 vulnerabilities per product.

> The issue in this regard is the security features and flexibility that
> exist already, and how the vendor responds to the discovery of new
> vulnerabilities.
> 
>> You can't patch your non-free Oracle XE to fix these issues.
> 
> You can. It depends on -what- the problem/vulnerability is. For
> example, the default could be that EXECUTE privs exist on UTL_FILE and
> has been granted to default role FOO and PUBLIC access has been
> granted on that role. (issues like this existed in prior versions)
> 
> It could be a problem in the HTP PL/SQL system package - for which the
> source exists in your $ORACLE_HOME/rdbms/admin directory. Which is
> easily vi'ed and fixed.
> 
> Not all vulnerabilities are about the db core (binary executables) -
> in fact, few are.

And if they are, can you patch them?

>> All you can do is wait for Oracle to fix them for you,
>> and hope they let you know when they do.
> 
> More lameness Peter. I do not mind sensible arguments, but this is
> grasping at straws. Oracle Metalink automatically notifies users of
> vulnerabilities (especially new ones) and also informs users of
> downloadable security fixes. (last week I received such a notification
> of the latest security fixes)

Do you need to register for that? I don't know much about it; the last 
time I tried Oracle 8i, a few years ago, its (Java-only) setup didn't 
work unless you ran a local X server. With respect to "... should reside 
on a secure ...", I decided I didn't need a DBM that required me to 
install X.

> Also, the vast majority of these vulnerabilities are -not- in the
> Oracle database product, but other products that use the database.
> E.g. Oracle Financials, Oracle Application Server, etc. etc.
> 
> The critical security fixes for Oracle 9i released Q4/2005 did not fix
> a -single- vulnerability in my core 9i databases as there was nothing
> broken security wise.
> 
> Then there are step-by-step guides like that of Pete Finnegan that
> tell you exactly how to harden an Oracle server. (of course, not
> forgetting that an Oracle server should reside on a secure and heavily
> firewalled network behind the DMZ - and if that is compromised you
> have a lot of other even more critical security issues at hand)
> 
>> Anyway, did Wade get his setup working? That was the whole
>> point of the exercise, was it not?
> 
> And what about the point of making an informed decision when
> installing and using software? Especially when it comes to databases?

I thought he asked for help with mysql, not for help replacing it.

> Open Source and GNU/GPL are not Quality Seals Of Approval. It does not
> mean that the product is truly free. Nor does it mean that the
> product is better.

Actually yes, the GPL does mean the product is free. No, you can't take 
the work MySQL AB did and sell it as your own, but then again, it's a 
lot freer than Oracle, where you can't do anything at all with patches 
or modifications to the product.

I'm sure there are BSD licensed DBs, should you feel the need to fork a 
payware version.

The Quality Seal of Approval is handed out by who? Why should I care 
about their opinion on anything whatsoever? I can print really pretty 
Seals Of Approval on my own colour printer.

> I know Java/J2EE is a religion. From reading postings here, it sounds
> like some are trying to turn Open Source into one too.. where the only
> criteria is that of any religion. Blind faith. Nothing else.

Not at all, the right tool for the right job, eh? From what I could 
tell, Wade just wanted help getting mysql to work. How is "you should 
use oracle" a sensible solution to that? Or not religion?

- P.
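The UTL_FILE scenario Billy describes above (EXECUTE on a SYS package reaching PUBLIC through a default role) can be checked against the data dictionary rather than guessed at. The query below is an added example, not something posted in this thread; it assumes a session that can read the DBA_* views, and `app_owner` is a placeholder schema name.

```sql
-- Added example (not from the thread): report EXECUTE grants on SYS.UTL_FILE
-- and SYS.HTP that reach PUBLIC, either directly or through any role PUBLIC
-- holds, including roles nested inside other roles. Needs access to the
-- DBA_* views (DBA or SELECT_CATALOG_ROLE).
SELECT tp.grantee,
       tp.owner,
       tp.table_name AS package_name,
       tp.privilege,
       CASE WHEN tp.grantee = 'PUBLIC' THEN 'direct grant to PUBLIC'
            ELSE 'via role held by PUBLIC' END AS exposure_path
FROM   dba_tab_privs tp
WHERE  tp.owner = 'SYS'
AND    tp.table_name IN ('UTL_FILE', 'HTP')
AND    tp.privilege = 'EXECUTE'
AND   (   tp.grantee = 'PUBLIC'
       OR tp.grantee IN (
            -- every role reachable from PUBLIC, walking nested role grants
            SELECT rp.granted_role
            FROM   dba_role_privs rp
            START WITH rp.grantee = 'PUBLIC'
            CONNECT BY PRIOR rp.granted_role = rp.grantee))
ORDER BY tp.table_name, tp.grantee;

-- If a row comes back for PUBLIC: revoke the blanket grant and re-grant
-- EXECUTE only to the schemas that genuinely need it. Some vendor-supplied
-- components rely on these PUBLIC grants, so test on a non-production
-- instance before revoking.
-- REVOKE EXECUTE ON SYS.UTL_FILE FROM PUBLIC;
-- GRANT EXECUTE ON SYS.UTL_FILE TO app_owner;  -- app_owner is a placeholder
```

An empty result means neither package is exposed to every account through PUBLIC; a non-empty one shows exactly which grant or role chain to tighten.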
