RE: OCM's Razor (WAS: Metalink Fiasco)
Date: Wed, 11 Nov 2009 13:33:44 -0500
None of my large customers are running OCM, and (according to them) they've made it clear to Oracle that they never will (I went around and polled them to see if we needed to add support to manage OCM to our automation product). The reasons supplied include:
- They don't allow database servers to talk to the outside world under any circumstances
- They don't trust Oracle that they're not accidentally going to upload something sensitive - one customer threw out the example that if OCM auto-uploaded a trace file at some point, that could have sensitive information about a query or schema
- They are concerned that Oracle is going to use the information for license enforcement, and their licensing scenarios are sufficiently complicated that they just don't want to tell Oracle anything they don't have to
- They don't see enough of a value to warrant configuring OCM
It's worth noting that many of these organizations have storage arrays from EMC, NetApp, Hitachi, etc. that all have "dial-home" functionality and regularly upload configuration information to their vendor motherships. However, every one of those vendors has a document available somewhere that specifically explains exactly what information is uploaded. This gives the customer a lot more comfort, and they can then make an informed decision about whether to enable it or not.
I expect over time, if Oracle does the same thing, more and more people will allow OCM to be enabled.
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org
> On Behalf Of Rich Jesse
> Sent: Wednesday, November 11, 2009 12:16 PM
> To: oracle-l_at_freelists.org
> Subject: OCM's Razor (WAS: Metalink Fiasco)
> Hey Jared,
> > As for connecting to the internet, someone will have to explain
> > to me why this is such an issue. The data sent is innocuous AFAIK.
> Do you need to prove that to an auditor? I don't yet, but I'm
> > How is is different that databases that email you an alert when
> > an alert log error is found? Or using UTL_SMTP to send email
> > from the database?
> Our email is internal. The security is setup to mitigate risk of
> emails being sent should there be a breach. We're not (easily?) able
> that for outgoing http/ftp/rsync/etc. protocols.
> Bandwidth is another concern, albeit probably not much of one.
> that one to "unknown/untested".
> My main concern that there didn't seem to be much in the way of
> documentation on OCM's internals. It's a trust issue for me. And,
> given my experience with Oracle Corp's tools, that trust has not yet
> earned. (they're trying real hard though with APEX, IMHO!)
> I also have not been shown any value for what seems to be a
> amount of investigation and work on my end. We don't have many Oracle
> It just doesn't make good fiscal sense to me.