RE: OCM's Razor (WAS: Metalink Fiasco)

 None of my large customers are running OCM, and (according to them)
they've made it clear to Oracle that they never will (I went around and
polled them to see if we needed to add support to manage OCM to our
automation product).  The reasons supplied include:

- They don't allow database servers to talk to the outside world under
any circumstances
- They don't trust Oracle that they're not accidentally going to upload
something sensitive - one customer threw out the example that if OCM
auto-uploaded a trace file at some point, that could have sensitive
information about a query or schema
- They are concerned that Oracle is going to use the information for
license enforcement, and their licensing scenarios are sufficiently
complicated that they just don't want to tell Oracle anything they don't
have to
- They don't see enough of a value to warrant configuring OCM

It's worth noting that many of these organizations have storage arrays
from EMC, NetApp, Hitachi, etc. that all have "dial-home" functionality
and regularly upload configuration information to their vendor
motherships.  However, every one of those vendors has a document
available somewhere that specifically explains exactly what information
is uploaded.  This gives the customer a lot more comfort, and they can
then make an informed decision about whether to enable it or not.

I expect over time, if Oracle does the same thing, more and more people
will allow OCM to be enabled.

Matt

> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]
> On Behalf Of Rich Jesse
> Sent: Wednesday, November 11, 2009 12:16 PM
> To: oracle-l@xxxxxxxxxxxxx
> Subject: OCM's Razor (WAS: Metalink Fiasco)
> 
> Hey Jared,
> 
> > As for connecting to the internet, someone will have to explain
> > to me why this is such an issue.  The data sent is innocuous AFAIK.
> 
> Do you need to prove that to an auditor?  I don't yet, but I'm
curious...
> 
> > How is is different that databases that email you an alert when
> > an alert log error is found?  Or using UTL_SMTP to send email
> > from the database?
> 
> Our email is internal.  The security is setup to mitigate risk of
external
> emails being sent should there be a breach.  We're not (easily?) able
to
> do
> that for outgoing http/ftp/rsync/etc. protocols.
> 
> Bandwidth is another concern, albeit probably not much of one.
Downgrade
> that one to "unknown/untested".
> 
> My main concern that there didn't seem to be much in the way of
detailed
> documentation on OCM's internals.  It's a trust issue for me.  And,
> frankly,
> given my experience with Oracle Corp's tools, that trust has not yet
been
> earned.  (they're trying real hard though with APEX, IMHO!)
> 
> I also have not been shown any value for what seems to be a
substantial
> amount of investigation and work on my end.  We don't have many Oracle
> DBs.
> It just doesn't make good fiscal sense to me.
> 
> Thoughts?
> 
> Rich
> 
> --
> http://www.freelists.org/webpage/oracle-l
> 

--
http://www.freelists.org/webpage/oracle-l

Other related posts: