Oracle rebuffs MySQL security update criticisms

Summary:The way Oracle provides patches and information about security issues for open-source database MySQL has drawn criticism, but the company is sticking to its guns.

Oracle has defended the frequency of bug fixes for its popular open-source database MySQL , along with the information provided by the security-update process.

Tomas Ulin, vice president of MySQL engineering, said users are best served by the degree of transparency and frequency of the database's present critical-patch system.

"Our highest priority is to protect our users and customers and we think that is best done by not providing exploits that are publicly available," he said.

Ulin said customers can always ask for hot fixes for specific bugs if they have specific concerns. "Yes, there might be some user out there who is really eager to get a specific bug fix but in general the community and the customers update very rarely. They don't want to touch their working environment," he said.

MySQL follows the update policy that Oracle implements overall, Ulin said, with bugs or Common Vulnerabilities and Exposures (CVE) numbers and the release in which they are fixed announced four times a year on a predefined date.

"That's publicly available and that's where we publicly announce which bug fixes are tied to which release. You won't find that [information] through release notes. But we've chosen to group it together via the critical-patch update," he said.

MariaDB criticism

Criticism of Oracle's approach to MySQL security recently surfaced in a blog post on the website of MariaDB, the rival community-developed branch of MySQL. Its author, Sergei Golubchik, VP of architecture at MariaDB, said he was growing increasingly concerned about the Oracle approach to MySQL security.

"And the fact that I was solely responsible for the security@mysql.com for about 10 years, doesn't make it easier. On the contrary, it only emphasises the changes in attitude," he wrote.

Among the criticisms, he lists a slower response to critical bug fixes, very little information about security vulnerabilities, and critical-patch updates "carefully stripped from anything that might help to understand the problem, it takes hours to map them to code changes".

Planning upgrades

MySQL's Ulin said the present system enables database users to plan upgrades. "You can go in and see the CVE number, the CVSS [Common Vulnerability Scoring System] ratings and so on around a bug and make a judgement call that this is something that requires me to update or whether I should just wait for the next one," he said.

He said the three-monthly critical-patch updates continue to be an effective approach. "That, we find, has been successful in the past and successful moving forward as well," Ulin said.

"There have always been opinions out there that there should be some other way and I can't really comment on that," he added.

Topics: Enterprise Software, Big Data, Open Source, Security

About

Toby Wolpe is a senior reporter at ZDNet in London. He started in technology journalism when the Apple II was state of the art.

Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.