"Database giant Oracle Corp. has faced mounting criticism of its security patching process during the last two years.
Its quarterly Critical Patch Updates (CPUs) are typically followed by reports from security researchers of flaws not being fixed as advertised. The Redwood Shores, Calif.-based vendor has also been accused of sitting on vulnerabilities that are more than a year old, and of releasing patch bulletins that are hopelessly difficult to decipher. That criticism will likely continue after the next CPU is released July 18."
This is an interesting interview by Bill Brenner with Darius Wiles and John Heimann, who are both inextricably linked to the building, testing and releasing of patches. I thought some of the answers were weak and fluffy. For instance, Darius says that they sometimes do not see issues that only become apparent later when fixes are installed on customer platforms. Why would a customer platform cause a fix to become invalid? Do Oracle not install from the same media as customers when testing? Probably not.
Also, John suggests that the Oracle code is more complex than the shuttle. I would hope so; it's a huge product and the shuttle is around 25 years old, and technology has moved on apace.
There are some positive messages: the fact that Oracle is now focused on standards, training, secure coding and the use of tools such as Fortify, and also the fact that they are now talking openly to Bill is a good sign that Oracle now recognise (publicly) that there are problems with the patch process and the pace of fix releases. I am also impressed that they are taking on board the issues around the CPU documentation and are considering releasing more details, the audiences and so on. Let's see what improves.