Will Oracle's 'Unbreakable Linux' break the OS?

Experts fear a 'fork' in the operating system's source code

Red Hat Inc. claims that Oracle Corp.'s bid to clone Red Hat's market-leading version of the Linux operating system will result in broken software, nonworking hardware and security holes for corporations seduced by Oracle's offer of discount support.

Third-party experts tend to agree -- despite Oracle CEO Larry Ellison's vow to the contrary -- that the source code for Oracle's "Unbreakable Linux" will likely fork significantly from Red Hat Enterprise Linux over time.

"Effectively, Oracle is creating a separate Linux distribution by assuming responsibility for Red Hat software after it has reached end of life," said Paul Henry, vice president of technology evangelism at Secure Computing Corp., a San Jose-based vendor of security software.

And while some experts think Oracle would have done better by creating an entirely new version of Linux -- as was rumored -- most believe Red Hat's assessment of potential problems is exaggerated.

"I honestly don't see it creating a huge security problem," said Aaron Newman, chief technology officer at Application Security Inc., a New York-based security consulting firm. "Oracle may have issues with their database patches. But I don't see a lot of serious security holes in Linux: It's open-source, so everyone sees the code."

"If Oracle decides to be a team player, I see nothing but good coming from this," said Phil Cox, a principal consultant at System Experts Corp., a security consultancy in Sudbury, Mass. "But if they decide to port everything and keep patches to themselves, meaning the only way you could get them is through an Oracle support contract, it could cause a significant problem."

There are already several clones of Red Hat Enterprise Linux (RHEL), the most popular being CentOS. But all are small, open-source projects that lack the backing of a multibillion-dollar software company with a reputation for being aggressive.

In a Web rebuttal posted the day after Ellison announced Oracle's incursion into Red Hat's core support business last week, Red Hat was adamant that Oracle will deviate strongly from Red Hat and customers will suffer.

"Simply put, this derivative will not be Red Hat Enterprise Linux and customers will not have the assurance of compatibility with the Red Hat Enterprise Linux hardware and application ecosystem," the statement said. Hardware and software certified for RHEL will become "invalidated" with Oracle's flavor, according to Red Hat, and Oracle support customers will experience a delay in getting the latest updates from Red Hat, especially security patches, the company said.

"In the case where the update corrects critical security flaws, Oracle customers may be exposed to additional risk," Red Hat said.

Oracle officials did not return a request for comment.

Newman disagrees with Red Hat's argument. "If something gets fixed in Red Hat, it should get fixed in Oracle," he said. He reasoned that Oracle is likely to maintain Unbreakable Linux as close to RHEL as possible so Red Hat continues to do all of the research and development "heavy lifting," allowing Oracle to benefit "for free."

Cox said that customers switching to Oracle may benefit from improved support, though for opposite reasons. He argued that Oracle is likely to throw significant resources into optimizing the RHEL kernel to boost the performance of its flagship Oracle Database.

"Even if these tweaks give MySQL or DB2 the same performance boost, I still think Oracle would find it to their advantage," Cox said. Within six to nine months, Unbreakable Linux will effectively "become a new distro" that should prove very attractive to users, especially those running mission-critical Oracle applications, he said.

Richard Zack, president of Pantek Inc., a Cleveland-based provider of Linux technical support, warned that customers should wait a year and let Oracle "work out all the kinks" before they consider switching. But he believes that "security will ultimately be improved through Oracle's new offerings."

"Since Oracle is now providing patches and actively looking for ways to improve security in Linux, because of the GPL [General Public License] all these improvements will go back to the community," Zack said. "Additionally, their activities should encourage competition with Red Hat to step up their security improvements and patch cycles."

But Henry said that Oracle's strategy of cloning RHEL, first released in 2000, adds little for users. "One has to question the performance and security implications of running a seven-or-more-year-old OS if one decides to move to Oracle," he said. "Oracle could have perhaps made a better business decision to simply switch their OS to either of the Asian Linux distributions" it is involved in.

Oracle, through a Japanese subsidiary, owns a majority stake in Miracle Linux, which is based on RHEL source code. Oracle also backs Asianux, a Linux distribution that combines Miracle Linux and Red Flag Linux, a popular variant in China.

Newman warned that with Unbreakable Linux, Oracle won't be able to get by releasing patches just once a quarter as it does with its database. He and Cox both also said that Oracle needs to improve its process for ensuring fixes and patches don't inadvertently break something else or create another vulnerability.

"Oracle will have to improve its regression testing," said Cox. "They can't just throw out patches."

Copyright © 2006 IDG Communications, Inc.
