Oracle has announced a statement today making commitments concerning MySQL that may (or may not) address some of these concerns -- of both Widenius and the EU.

http://www.marketwire.com/press-release/Oracle-Corporation-NASDAQ-ORCL-1090000.html

These include:

* Continued Availability of Storage Engine APIs
* Commitment to enhance MySQL in the future under the GPL
* Support not mandatory
* Increase spending on MySQL research and development
* Continuing to maintain the MySQL Reference Manual
* Preserve Customer Choice for Support

And some other things about preserving the conditions of licenses currently held by storage vendors.

Healthy skepticism is of course always a good idea. On first reading, I can't tell how binding these commitments are (the statement says "Oracle hereby publicly commits to the following", and that's about it), and it doesn't exactly make Widenius' commitment to the timeliness of new releases and patches, except for the commitment to increase spending, which Oracle presumably would like to have result in new revenue.

But Oracle is evidently trying to address the EU's concerns in an effort to get the deal approved, and the EU might get them to make these commitments binding. The EU's initial reaction appears to be positive:

http://www.bloomberg.com/apps/news?pid=20601087&sid=a4SRxTHKHzTA&pos=7

The European Commission said Oracle’s proposal addresses concerns about the acquisition of Sun’s MySQL database product, signaling the EU will approve the acquisition next month. European Competition Commissioner Neelie Kroes said in a statement that she’s “optimistic that the case will have a satisfactory outcome.”

“Neelie Kroes has switched on the green traffic light,” Charles van Sasse van Ysselt, a competition lawyer at NautaDutilh in Brussels, said in a telephone interview today. “She is optimistic and this is a step in the right direction.”

So we had a race condition on database transactions using two-phase commit, your usual mind-fucking WTF situation, drove us up the walls for days, you all know what I mean. We knew it was a race condition because if we put a sleep() statement at the end of one of the transactions, everything ran fine. sleep(10) was always long enough, and since all of this ran asynchronously in the back end, an end user would never notice the difference.

So we went to the customer. We told them that we could continue to bust our brains trying to find a "real" fix, and didn't know how long that would take, or we could just leave the sleep() in. And we could even make the length of the sleep interval configurable, so they could try to make it shorter than 10 seconds, if they really felt like fiddling around with it.

The customer went for the configurable sleep().

Years ago we had one of those bugs that was driving us around the bend, you all know how those are, so once when we were trying a fix, I started chanting "Praise Allah", for no other reason except for sheer desperation. And I kid you not, the fix worked on that very run.

Ever since then, we always remembered to praise Allah whenever we were struggling with a sticky problem. I live in Germany, so what we were actually saying was "lobet Allah", but over time we found that "Allahu Akhbar" works much better, especially when accompanied by gestures of supplication.

Occasionally we found that a difficult problem persisted for a while, until we realized that we had forgotten to praise Allah. After that, the issue was quickly resolved.

Don't try to give me some kind of egg-headed explanation for all this, this was just simply supernatural forces at work, that's all there is to it.

Touché. So in addition to the narrowly-targeted phishing, they took advantage of a slight lead in the "arms race" between virus checkers and attackers. And that was enough to get a helluva job done.

Is there any realistic way to prevent something like this in the future? I'm afraid I don't see anything obvious.

As near as I can tell from the Markoff article, the infiltration was made possible by run-of-the-mill phishing attacks. (Markoff says it's called "whaling" when it's directed at specific high-level targets. I've never heard of that, and don't really see any substantive difference.)

If so, then technically speaking there's probably nothing really new here. What seems interesting to me is:

- Obviously, the vast scale, the sensitivity of the targets, and the potential political impact.

- The operation has not been publicly revealed by government agencies (FBI sez "no comment"), but rather by Nart Villeneuve et al. at the University of Toronto.

- Phishing is evidently effective enough to make widespread infiltration like this possible. Sure, there are more sophisticated things that attackers could do, and of course most users should know better than to blindly click links in their email. But here we are, phished to death all over the world. Why should an attacker go to any more trouble?

I wonder how much security improvement would be gained if Thunderbird & Outlook disabled the automatic opening of a browser when you click on a link in email, and made us go back to the old days of copying & pasting links. Would users be more careful if they could more easily see what they're doing?

... and so development is slow.

My friend, you may be a champion in the Understatement of the Century Contest.

Sure, there are many entirely respectable reasons why Hurd never got finished.

But, ah, erm ... ... you see, I feel an acute sense of embarassment when I'm about to point out something that is obvious. So blindingly obvious that it feels preposterous to have to say it at all. But, here goes.

It's time to give up!

The Hurd project has failed! Blue blazes, tarnation and a monkey, it's been seventeen fucking years!

There are software projects for which a delay of seventeen days is intolerable, although that is usually salvageable. A project that is seventeen weeks too late, on the other hand, is universally recognized as a failure.

And we all know about projects that come in seventeen months too late. We all know that someone, somewhere in a project like that was thoroughly incompetent.

There are simply no words, no satire, no amount of acid-tongued vituperation that could do justice to a software development project that still isn't finished after seventeen years.