Oracle has defended the frequency of bug fixes for its popular open-source database MySQL, along with the information provided by the security-update process.
Tomas Ulin, vice president of MySQL engineering, said users are best served by the degree of transparency and frequency of the database's present critical-patch system.
"Our highest priority is to protect our users and customers and we think that is best done by not providing exploits that are publicly available," he said.
Ulin said customers can always ask for hot fixes for specific bugs if they have specific concerns. "Yes, there might be some user out there who is really eager to get a specific bug fix but in general the community and the customers update very rarely. They don't want to touch their working environment," he said.
MySQL follows the update policy that Oracle implements overall, Ulin said, with bugs or Common Vulnerabilities and Exposures (CVE) numbers and the release in which they are fixed announced four times a year on a predefined date.
"That's publicly available and that's where we publicly announce which bug fixes are tied to which release. You won't find that [information] through release notes. But we've chosen to group it together via the critical-patch update," he said.
Criticism of Oracle's approach to MySQL security recently surfaced in a blog post on the website of MariaDB, the rival community-developed branch of MySQL. Its author, Sergei Golubchik, VP of architecture at MariaDB, said he was growing increasingly concerned about the Oracle approach to MySQL security.
"And the fact that I was solely responsible for the email@example.com for about 10 years, doesn't make it easier. On the contrary, it only emphasises the changes in attitude," he wrote.
Among the criticisms, he lists a slower response to critical bug fixes, very little information about security vulnerabilities, and critical-patch updates "carefully stripped from anything that might help to understand the problem, it takes hours to map them to code changes".
MySQL's Ulin said the present system enables database users to plan upgrades. "You can go in and see the CVE number, the CVSS [Common Vulnerability Scoring System] ratings and so on around a bug and make a judgement call that this is something that requires me to update or whether I should just wait for the next one," he said.
He said the three-monthly critical-patch updates continue to be an effective approach. "That, we find, has been successful in the past and successful moving forward as well," Ulin said.
"There have always been opinions out there that there should be some other way and I can't really comment on that," he added.