AW: Oracle code wrapping
From: Michael D O'Shea/Woodward Informatics Ltd <woodwardinformatics_at_strychnine.co.uk>
Date: Mon, 25 Jul 2022 17:31:42 +0200
Message-Id: <55D30FC9-F82B-422A-96CE-F6D75ACB2E17_at_strychnine.co.uk>
>> On 25 Jul 2022, at 15:59, Michael D O'Shea/Woodward Informatics Ltd <woodwardinformatics_at_strychnine.co.uk> wrote:
>>
>> I just had a discussion with the development manager/tech lead of a large organisation. He manages a team of around 15 developers and QA staff for a single financial product. Client-side code is ASP.NET <https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fasp.net%2F&data=05%7C01%7C%7C2ec567a522c543500c0e08da6e4e3c83%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637943579565757165%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xj1Xz%2BGWbC8sH1ko9OPa245R4qMHlOPA1JOvsAFvg28%3D&reserved=0> and a desktop thin client, and server-side it is Oracle 19c with a web service in-between in a few places.
>>
>> Deployments are done weekly after UAT signoff of the prior development sprint the week before.
>>
>> This chap was expressing his concerns about PSM’s, specifically database packages, procedures, and functions, being constantly tampered with by DBA’s and sysops, and not marrying up with the authorative version of the codebase under source control. His argument was that the version of the code deployed, using automation tools, should be bit for bit compatible with the code retrieved from source control. It seems hard to argue with this perspective.
>>
>> Then he mentioned that they, recently, have got around the issue of this third-party „tampering“ rather than by enforcing business controls and process, but by „wrapping" the code during deployment.
>>
>> I did not know how to reply.
>>
>> Does anyone have any views on this approach? The only tangible information I can pull out from the docs is that wrapped code may not be version upgrade compatible, meaning possible upgrade issues. I know so little about „wrapping“ to know the drawbacks, specifically performance or stack traces and errors thrown.
>>
>> All/any feedback, no matter how qualitative, would be helpful,
>>
>> Mike
>> http://www.strychnine.co.uk <https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.strychnine.co.uk%2F&data=05%7C01%7C%7C2ec567a522c543500c0e08da6e4e3c83%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637943579565913400%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=7FVyzw6xksI5No6vY55cYdEKVSosbz%2FWXqUbP59R1Qs%3D&reserved=0>
>> Woodward Informatics Ltd
>>
Date: Mon, 25 Jul 2022 17:31:42 +0200
Message-Id: <55D30FC9-F82B-422A-96CE-F6D75ACB2E17_at_strychnine.co.uk>
I think too that wrapping code used as a substitute to governance and control is a questionable approach, but this their approach. To me wrapping is more about protecting source code from prying eyes, but other than that throw away statement, I have no other knowledge and am having to resort to the docs that, to be honest are pretty scant on detail.
> Am 25/07/2022 um 17:26 schrieb Dominic Brooks <dombrooks_at_hotmail.com>: > > Wrapping sounds like the wrong tool. > Er why are they letting their DBAs and Ops people change the code!?! > Of course a version control system should be the golden source of the code. > Lack of controls and oversight. > > Sent from my iPhone >
>> On 25 Jul 2022, at 15:59, Michael D O'Shea/Woodward Informatics Ltd <woodwardinformatics_at_strychnine.co.uk> wrote:
>>
>> I just had a discussion with the development manager/tech lead of a large organisation. He manages a team of around 15 developers and QA staff for a single financial product. Client-side code is ASP.NET <https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fasp.net%2F&data=05%7C01%7C%7C2ec567a522c543500c0e08da6e4e3c83%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637943579565757165%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xj1Xz%2BGWbC8sH1ko9OPa245R4qMHlOPA1JOvsAFvg28%3D&reserved=0> and a desktop thin client, and server-side it is Oracle 19c with a web service in-between in a few places.
>>
>> Deployments are done weekly after UAT signoff of the prior development sprint the week before.
>>
>> This chap was expressing his concerns about PSM’s, specifically database packages, procedures, and functions, being constantly tampered with by DBA’s and sysops, and not marrying up with the authorative version of the codebase under source control. His argument was that the version of the code deployed, using automation tools, should be bit for bit compatible with the code retrieved from source control. It seems hard to argue with this perspective.
>>
>> Then he mentioned that they, recently, have got around the issue of this third-party „tampering“ rather than by enforcing business controls and process, but by „wrapping" the code during deployment.
>>
>> I did not know how to reply.
>>
>> Does anyone have any views on this approach? The only tangible information I can pull out from the docs is that wrapped code may not be version upgrade compatible, meaning possible upgrade issues. I know so little about „wrapping“ to know the drawbacks, specifically performance or stack traces and errors thrown.
>>
>> All/any feedback, no matter how qualitative, would be helpful,
>>
>> Mike
>> http://www.strychnine.co.uk <https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.strychnine.co.uk%2F&data=05%7C01%7C%7C2ec567a522c543500c0e08da6e4e3c83%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637943579565913400%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=7FVyzw6xksI5No6vY55cYdEKVSosbz%2FWXqUbP59R1Qs%3D&reserved=0>
>> Woodward Informatics Ltd
>>
-- http://www.freelists.org/webpage/oracle-lReceived on Mon Jul 25 2022 - 17:31:42 CEST