Simon Phipps, who's Computer World UK blog isn't aggregated on Planet MySQL, has a blog post which reveals the truth behind the missing MySQL test cases that many of us commented on some time ago (including myself). You can read Simon's blog post here.
As you remember, there were various things that happened (or rather ceased to happen) during the Summer which led to people complaining that Oracle's MySQL is closing down. As a result of the uproar, source code trees at Launchpad were immediately refreshed. Otoh, there was never any public explanation why test cases for new bug fixes are withheld.
Simon has been active to find out the answer, and has found an "anonymous source" (who just might be an Oracle employee who knows what he is talking about...) who explains that the reason is really just a mandate from Oracle's security team and MySQL personnel are not necessarily very happy about it. The really absurd part is that Oracle also has a policy that forbids anyone from making a public explanation about any of this (basically leaving the field wide open to everyone else to comment on it instead...)
I'd like to thank Simon - the godfather of former Sun open source projects - for being active and mediating in this dilemma the MySQL team found themselves in. To communicate this way is kind of weird in an open source community, but at least it's something. Since I don't expect Oracle to change, I'm sure we will have similar situations in years to come, maybe a similar procedure can be used then too.
PS: For comparison, it might be worth comparing Oracle's approach (as described in Simon's post) to MariaDB's responsible disclosure process of the recent security bug allowing you to login without password 1% of the time (ie. pretty serious security issue). The MariaDB team didn't publish the bug or test case either, they first shared it with Oracle, then it was given to Linux distributions, and once updates were in place, then details of the bug were publicly disclosed.
- Add new comment
- 20200 views
Yes, I've heard this version
Yes, I've heard this version too. About a month ago someone told me on IRC about the security blog post and that it, perhaps, could be a possible explanation. Another possible explanation seemed to be that some test cases might contain confidential customer data. But this really doesn't explain why the test cases that one can see at bugs.mysql.com are made "private" too.
Of course, there is a Hanlon's razor. Never attribute to malice that which is adequately explained by stupidity. And closing down all test cases and arguing that it improves security - this certainly fit the description.
But I'm asking myself what is worse for an Open Source project, a smart and cunning steward that only cares for a short-term profit, or a stupid one.
And, by the way - shhh - don't tell Oracle Security Team that exploits for security bugs can be easily created, by looking at the source code changes.
Also for me this is not the
Also for me this is not the first time this explanation was suggested, but lacking a public statement from Oracle I chose not to believe it. Oracle is a relatively smart and rational company, so if I have to make a guess without facts, I would have guessed at some more rational explanation than this. (I actually can understand the security policy, but not the policy about not making a public statement - it has only harmed Oracle itself.)
But I consider this anonymous source of Simon as good as an official Oracle statement, so I'm choosing to believe it now. Apparently no large corporation is immune to this sort of thing,
Add new comment