At the end of Toms speech I asked a question. "Will we get critical security patches for Oracle?". Tom's answer was that "off the record" he is pushing for it but its not decided internally. In fact he told me top blog about the issue here! I pointed out aftert Tom's answer that XE is likely to become very widely deployed on peoples desktop PC's, websites and many more. This. with the explosion of broadband useage effectively means more Oracle databases will be exposed to the world wild web. I pointed out as the number of Oracle instances grows the likelyhood of a slammer type worm grows. In fact I talked here yesterday about someone releasing a concept code for an Oracle worm on the full disclosure list. Whilst this worm did not do much a real one could follow brought on by wide deployment.
In security terms the attack surface will increase. For people who know a lack of patches can be worked around by not exposing the database but most people will download it or get it as part of another application and will not be aware and could expose the software. If critical bugs are found and become publically known everyone who downloads or deploys XE deserves recourse to security patches. Ideally XE would be included in the CPU updates and patches made available not via metalink.
Please Oracle, give us free access to security patches for XE!!