One-in-four organisations have exposed MySQL databases, according to new research, prompting calls for more robust developer security practices.

Intruder’s 2026 Attack Surface Management Index warned these databases are becoming an increasingly attractive target for threat actors, particularly ransomware groups.

Indeed, the study noted that 16% of Postgres databases are also dangerously exposed, alongside remote desktop (RDP) services, API documentation, and WordPress admin panels.

Attack surface exposures were categorized by HTTP panels, ports, services, databases, files and information facing the internet.

While exposed databases ranked as the leading attack surface issue, more than one-in-seven organizations reported exposed API documentation, ahead of RDP services - a common entry point for ransomware attacks.

Nearly half of organizations were found to have risky exposed ports and services, with RDP being the most commonly exposed. WordPress Admin (15%) and phpMyAdmin (8%) are also frequently left internet-facing, despite being intended for internal use only.

Notably, legacy services like SNMP (9%) and UPnP (8%) persist on the public internet, again despite being intended for internal networks.

Chris Wallis, CEO and founder of Intruder, said the findings should serve as a wake-up call for organizations engaging in risk data management security practices.

"Many of the exposures we examined don't even need a CVE to be exploited. For example, an exposed database or admin panel can be compromised through brute force or credential stuffing alone,” he said.

Database security in the spotlight

Intruder noted that lackluster data security practices come amid a perilous time for enterprises.

The study warned that the rise of autonomous AI models has slashed the time between vulnerability discovery and exploitation – and many organizations are struggling to keep up.

Midmarket organizations face the longest remediation times, averaging 56 days to close security gaps, making them nearly four-times slower than smaller enterprises.

There are stark differences between sectors, with banks remediating exposures in just 11 days and retail just ten, while insurance and pharmaceutical firms average more than 40 days.

With vulnerability exploitation expected to skyrocket due to the use of powerful new frontier AI models, Wallis said remediation windows are “open far too long”.

Security experts globally have issued repeated warnings on this front, particularly since the launch of Anthropic’s Claude Mythos model.

The company announced a gated release of the model to select industry partners in April amid fears the model could be used for nefarious purposes.

Wallis said the launch of Mythos has “fundamentally shifted” the cybersecurity landscape, meaning enterprises must now move faster than ever to curtail security risks.

“The security industry is seeing a major compression in the time between vulnerability discovery and exploitation,” he said.

“In this high-speed era, leaving a MySQL database or private API documentation exposed to the internet is an open invitation for automated, high-speed extortion.

FOLLOW US ON SOCIAL MEDIA

A quarter of a million databases stolen from tens of thousands of breached MySQL servers are being offered for sale on the dark web, according to security researchers from Guardicore Labs.

Hackers are believed to have obtained 7TB of stolen data using the PLEASE_READ_ME ransomware campaign, successfully targeting around 83,000 MySQL database servers.

PLEASE_READ_ME has reportedly been active since January 2020, attacking weak credentials on internet-facing MySQL servers.

Since then, Guardicore Global Sensors Network (GGSN) reported 92 attacks, with numbers rising sharply in October. According to Guardicore researchers, the ransomware attacks originated from 11 different IP addresses, most of which were found to be located in the UK and Ireland.

The ransomware campaign is untargeted, meaning that it attempts to infect any of the five million MySQL servers which are internet-facing. Hackers exploit weak credentials and are able to re-access the network by leaving a backdoor user on the database for persistence.

Guardicore Labs researchers managed to discover two different variants during the lifetime of this campaign. The first, which lasted from January to the end of November, saw attackers leaving their victims a ransom note with their wallet address, the amount of Bitcoin to pay, as well as an email address for technical support, with 10 days being given to make the payment.

The second variant, which began on 3 October and also lasted until late November, got rid of the Bitcoin wallet payments and email communications. Instead, hackers opted for a website in the Tor network to receive payments and used unique alphanumeric tokens, outlined in the ransom notes, to identify the victims.

In a blog post detailing the discovery, security researchers Ophir Harpaz and Omri Marom said that the “PLEASE_READ_ME operators are trying to up their game by using double extortion in scale”.

“Factoring their operation will render the campaign more scalable and profitable. Guardicore Labs provides an IOCs repository and will keep monitoring this campaign to help organizations protect against it,” they added.

Databases are the cornerstone of any business; they're used to track purchase orders, catalogue customers and manage employee payrolls. On top of that, basically every web technology is built on a back-end database.

The most common form of database within IT is the relational database. These are coded using SQL (pronounced 'sequel') which stands for Structured Query Language. These databases require specialised software to manage, examples of which include Oracle Database, Microsoft's SQL Server family, and PostgreSQL.

Relational databases were first developed in order to standardise the way that databases were constructed and maintained. Prior to this, the way databases were structured and navigated often differed from one to the other, making them hard to develop applications for without being deeply familiar with the database in question.

In order to make this task - and the general process of working with databases - more efficient, relational models were developed to provide a universal, standardised format for databases. These were easier to maintain, more versatile and quicker to learn how to work with.

How do relational databases work?

Relational databases are comprised of multiple interconnected tables which are linked by a shared value. These shared values are identified by 'keys' - the column or columns within a table which contain values which are shared between multiple tables. These keys help the database understand which row of values to pull from each table when handling queries. The primary key is usually the first column within a table, although a table can contain multiple subsidiary keys, or 'composite keys' comprised of multiple combined columns.

Let's look at an example, from a fictional restaurant delivery company that wants to offer UK customers who have been premium subscribers for over a year a voucher for their favourite food as a reward. Their database contains two relevant tables - one with customers' personal details, and one with their subscriber information, as shown below.

Personal details

Subscription details

In order to establish which customers are eligible and to send them the offer, the company needs to establish their name, email address, country, membership tier, the length of their membership and their favourite food. They can do this by using the database's key - which in this case is the email address - to cross-reference the two tables with one another.

This allows the database to establish that, because he has been a premium member for a year and a half and lives in the UK, John Smith is eligible for the reward, as well as allowing it to automatically send a personalised email to him containing a voucher for his favourite burger restaurant.

Relational database schemas

Relational databases are organised according to specific schemas - predefined rules governing how tables are laid out, including what data is contained in each column and the order they come in, as well as which columns are used as keys.

Schemas can be coded in SQL or laid out in charts and graphics. The schema's specifics will differ from database to database, but the format is standardised enough that it's easy to go from working with one schema to another, making them simpler to develop applications for.

Advantages of relational databases

The primary advantage of relational databases over earlier non-standardised methods of database architecture is the high degree of consistency they offer. Relational databases are both internally consistent - ensuring that data is easy to find, because it's formatted and laid out in a uniform way - as well as being much more interoperable with each other due to their use of pre-set schemas.

Relational databases are also rules-based, meaning that you can manage and edit large databases by creating global parameters and applying them to every record and table within a database. Additionally, because the databases themselves are independent of the physical storage on which they reside, database architects can alter the infrastructure the database runs on without affecting its logical integrity.

These databases also have certain advantages over newer database architectures such as NoSQL (which we'll discuss further in a moment). Relational databases tend to be more stable and consistent than their non-relational counterparts, and they're often better-suited to complex queries. The relational model also benefits from a much greater wealth of support resources, information and skilled professionals, due to its longer history.

Relational database alternatives

In recent years, the dominance of the relational model has been challenged by the emergence of non-relational 'NoSQL' databases, typified by providers like Couchbase and MongoDB. NoSQL databases (predictably) do not use SQL, and are instead built using object-oriented programming languages like Python, Ruby, Java and C++.

These databases are predominantly built to handle massive scale, and have found particular popularity as a tool for big data storage and analysis. The main advantages NoSQL offers over relational databases are that NoSQL databases can be expanded horizontally by adding more nodes of commodity hardware, and that they are designed to allow unstructured data, whereas relational databases demand rigid formatting.

Oracle today released patches for 78 flaws in its software, covering the majority of its products.

A total of 16 are categorised as critical, meaning they could be exploited for remote code execution.

"Most of their products, including the acquisitioned PeopleSoft, JD Edwards, Weblogic and the recent Sun/MySQL lines, are affected by this update," advised Wolfgang Kandek, CTO of security company Qualys.

"Only PeopleSoft and the virtualisation products are not affected by this critical rating - everybody else should pay close attention to the release.

"One notable exception is the Java programming language as it is updated on a separate schedule and had its last release in December 2011."

You can find the full list of affected products here.

Oracle's list of patches makes for a busy January for IT departments, following Adobe and Microsoft announcements from earlier this month.

Microsoft, which usually keeps January quiet for patching, issued seven security bulletins covering eight vulnerabilities. One of those covered the BEAST SSL flaw highlighted by researchers last year.

Researchers found a way to exploit a long-known flaw in TLS (Transport Layer Security) that could have undermined the security credentials of the SSL cryptographic protocol and affected millions of sites. However, little emerged from the discovery and the Redmond giant now has Windows users' backs covered.

Adobe, meanwhile, addressed critical flaws in Reader and Acrobat on the same day (10 January).

Oracle has chosen not to comment on an alleged hack of MySQL.com the site that has been smashed by cyber criminals on two occasions already this year.

A hacker going by the pseudonym D35M0ND142 posted information on Pastebin, claiming it came from, somewhat ironically, a MySQL.com database.

D35M0ND142 suggested the website owners had not fixed the site following two serious hack attacks this year. Oracle told IT Pro it had no comment on the matter.

The main problem is that unlike Microsoft or Google, many companies are not doing a good job in protecting those services.

Data included in the Pastebin post appeared to feature usernames, emails and passwords of various MySQL.com users. This purportedly included login details of Robin Schumacher, MySQL's director of product management.

Luis Corrons, technical director of PandaLabs, said it looked like the information could be real.

"This is one of the biggest problems we are facing nowadays: there are a number of online services we use, we have to register to get access to them and most of the users have the bad habit to reuse the password everywhere," Corrons told IT Pro.

"What is worse, in most of these services you have to give an email address, so if someone gets access to the database where all this information is stored you could have your email account hacked.

"The main problem is that unlike Microsoft or Google, many companies are not doing a good job in protecting those services."

In September, MySQL.com was found serving malware after security firm Amorize found some highly obfuscated JavaScript on the website.

In March, the website was compromised as a result of an SQL injection attack.

In that case, hackers posted a host of usernames and password hashes some of which had reportedly been decrypted onto Pastebin.

For the second time in a year, MySQL.com has been hacked and is serving malware.

Security firm Amorize found some highly obfuscated injected JavaScript on the website, noting that visitors would be hit by the BlackHole exploit kit.

"It exploits the visitor's browsing platform ... and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge," the company's co-founder Wayne Huang said in a blog post.

"The visitor doesn't need to click or agree to anything - simply visiting MySQL.com with a vulnerable browsing platform will result in an infection."

Huang said he was unsure who was behind the attack. Amorize was attempting to contact MySQL.com yesterday, but had not confirmed if the site had responded.

On the KrebsonSecurity blog, Brian Krebs claimed he had found evidence administrative access to MySQL.com was being sold in an "exclusive Russian hacker forum." The seller went by the name of sourcec0de.'

Worryingly for IT departments, using test site Virus Total, Huang showed only six out of 43 anti-virus engines could detect the malware being served by MySQL.com. When the company first blogged, only four were able to do so.

The video below shows how MySQL.com was serving malware:

MySQL.com was hacked in March 2011, ironically by an SQL injection attack.

In a somewhat ironic hack, MySQL.com has been compromised as a result of an SQL injection attack, leading to usernames and password hashes being published online.

The exploited flaws did not lie within MySQL business database management software, but in the implementation of the Oracle-owned website.

The hackers posted a host of usernames and password hashes some of which have reportedly been decrypted already onto Pastebin.com.

Hackers Ne0h and TinKode claimed responsibility for the compromises. The latter said they were behind an SQL injection attack on the Royal Navy website last year.

A number of the employee passwords leaked by the MySQL.com hackers appeared to be fairly weak, according to Chester Wisniewski, senior security advisor at Sophos Canada.

"Most embarrassingly, the director of product management's WordPress password was set to a four digit number... his ATM PIN perhaps?" Wisniewski said in a blog.

"The irony is that they weren't compromised by means of their ridiculously simple passwords, but rather flaws in the implementation of their site."

MySQL owner Sun Microsystems now an Oracle subsidiary was also targeted by the two hackers, as tables and emails were dumped on Pastebin, but no passwords.

"It was noted on Twitter that MySQL.com is also subject to an XSS (cross-site scripting) vulnerability that was reported in January 2011 and has not been remedied," Wisniewski added.

The campaign to stop the acquisition of Sun Microsystems by Oracle is moving on from the EU to China and Russia.

The founder and creator of MySQL, Michael "Monty" Widenius, started a campaign website at the end of last year to stop Oracle getting hold of his creation as well keeping its own database.

More than 30,000 people signed up to the "Help MySQL" campaign but it is still widely thought that the EU will approve the acquisition.

In a bid to keep the fight alive Widenius is moving the campaign to China and Russia hoping they will be able to put a halt to the deal.

"The EC showed courage and competence during most of the investigation but looked very weak in the end," said Widenius in a statement.

"Mislabeling Oracle's statements related to MySQL as a solution is a dishonest attempt to save face because if an Oracle press release with uselessly vague promises should be all that came out of this effort, it was a waste of time and money."

He has yet to give up hope though saying: "China and Russia can still say No unless there's a real solution in place. They are powerful, self-confident and open-source-friendly countries and they have every right and opportunity to do a better job on this than the EU."

A decision on the acquisition is expected in the next few weeks from the EU, following an antitrust investigation, and Oracle has told IT PRO it will comment until then.

The creator of MySQL has launched a petition as part of his continued battle to stop Oracle's acquisition of Sun Microsystems.

Michael "Monty" Widenius initially posted a blog calling for those against the deal that would see Oracle owning both its own database and MySQL to write to the European Commission.

He claimed the blog received over 60,000 hits and generated approximately 10,000 emails but he has taken this a step further with an online petition called Save MySQL!

In a blog post explaining the move, Widenius said: "It's not in the internet users interest that one key piece of the net would be owned by an entity that has more to gain by severely limiting and in the long run even killing it as an open source product than by keeping it alive."

He added: "If Oracle were allowed to acquire MySQL, we would be looking at less competition among databases, which will mean higher licence and support prices. In the end it's always the consumers and the small businesses that have to pay the bills, in this case to Oracle."

The controversial acquisition has been less than straightforward for the two companies involved since it was announced in April last year.

Although August saw approval being granted by US courts, the EU rejected the deal in November and launched an investigation into whether it would be competitive for Oracle to own both databases.

The results of the investigation are expected at the end of this month so Widenius is giving his first batch of signatures to the European Commission today with more to follow.

"I have two main objects in my business life. Save the product, that I worked on for 27 years, from getting killed as an open source project [and] ensure that the core developers of MySQL, who I have worked with for many years, get a good 'home' where they can continue to develop MySQL," he said.

"I am hoping for the EC and other regulators to ensure the first of the above. Monty Program Ab [Widenius' developer company] was created to ensure the second."

IT PRO contacted Oracle for its reaction to the petition but the company declined to comment.

Sun Microsystems is bringing high-performance flash storage arrays to market this week.

The Sun Storage F5100 Flash Array has integrated flash-based storage and optimised software to speed up database processes for MySQL and Oracle.

Offering up to 2TB of solid state flash capacity, Sun claims the array has green credentials, saying it can perform 1.6 million read and 1.2 million write IOPS in a single rack for just 300 watts.

The device is a single rack but can be connected to up to 16 separate hosts to run multiple applications.

It also comes with management and monitoring software and is compatible with a wide range of operating systems.

Sun is pushing ahead with new products alongside prospective parent company Oracle while questions still hang over whether the acquisition offer will get the go ahead.

Oracle first made a bid of $7.4 billion for the company back in April, which Sun soon accepted.

Even though US officials gave the deal the go ahead in August, the European Commission is conducting an antitrust probe into the transaction to decide whether it is fair for Oracle to own both its own database and MySQL.

A decision on the acquisition is expected on 19 January 2010.

The UK is lagging behind the rest of Europe when it comes to open source adoption for small and medium-sized businesses.

That's the finding of research conducted by TNS Gallup on behalf of TNS Gallup, on behalf of Sun Microsystems' MySQL division.

It found that adoption of open source in the UK is only at 34 per cent, considerably behind the 72 per cent of France or 68 per cent of Germany. The only country surveyed that came in with less was Sweden with 33 per cent.

There were also negative findings for the future of open source as 48 per cent of companies in the UK didn't expect to use open source in the next two years.

At a recent discussion about the use of open source within government, Laurent Lachal, Ovum's open source research director, claimed the UK was also behind the rest of Europe in adoption within the public sector but needed to get on board with it before it gets left too far behind.

Read our comment piece about jumping on the open source train here.

A open source database initiative has been announced today aiming to bring together all MySQL products and services into one unbiased location.

That's the claim by the creators of the "Open Database Alliance", database engineering company Monty Program Ab and MySQL services and support group Percona, who plan to open the site up to all companies and individuals looking to help contribute to the group.

Monty Widenius, founder of Monty Program Ab and quoted as the "the father of the MySQL database" is one of the founding members.

He said in a statement: "Our goal with the Open Database Alliance is to provide a central clearinghouse for MySQL development, to encourage a true open development environment with community participation, and to ensure that MySQL code remains extremely high quality."

"Participating members at this stage in the "Alliance" will have a strong voice in how the organisation is structured, and we look forward to collaborating with anyone in the industry that provides or depends on MySQL."

The other founding member, chief executive of Percona Peter Zaitsev, is also known for his expertise in the MySQL format.

Widenius quoted another member of the "Alliance" Arjen Lentz from Open Query, on his blog, saying: "This alliance is an excellent step, showing the maturity, breadth and depth of expertise for MySQL related services."

Earlier this week the chief executive of Data Core storage told IT PRO that open is the only way forward and both Widenius and Zaitsev seem to share this opinion.

Marten Mickos, the chief executive of MySQL, is leaving Sun Microsystems.

A Sun spokeswoman confirmed his departure late on Friday, only months after Mickos became senior vice president of Sun's database group when the company bought MySQL last year.

The database's creator, Michael Widenius, said in a blog post that Mickos had resigned because he was dissatisfied with Sun's development of MySQL.

Mickos' departure follows that of MySQL co-founder David Axmark who left just after the acquisition, citing the rigid corporate life as contributing to his decision.

Sun executive Karen Tegan Padir will now take over Mickos' duties. She is also vice president of the newly formed MySQL and Software Infrastructure group. Padir's responsibilities also include the Glassfish application server, identity management, service oriented architecture (SOA) and the Java Enterprise System.

Sun said in a statement that the corporate shakeup "puts MySQL into the mainstream of software at Sun" and will help the company form "even tighter linkages between all software properties".

Mickos' biography has been updated to say he will work as an "open source strategist" until the end of Sun's current quarter.

He had not added any further comment on his reasons for leaving at the time of writing.

Back in the day, when Scott McNealy was still the "chairman, president, founder, chief cook and bottle washer" of Sun, the company made a virtue of simultaneously loving and loathing GNU/Linux and the GPL.

On the one hand, giving love and sustenance to the developer communities that work around OpenOffice, Gnome and Firefox, and on the other, deploying or disparaging GNU/Linux in equal measure at every conflicting opportunity.

There were good reasons for Sun's ambivalence. Linux and other free software had stolen much of Sun's thunder in the server space and the data centre, but had also proved useful in other parts of the business, providing GNU tools for the power user, Samba to provide interoperability with Windows, a desktop for Solaris, and a platform for Looking Glass and the Java Desktop.

More importantly, Linux on commodity hardware has made severe inroads into Sun's chip business, and the company hasn't always known how to react.

It could even be argued that Sun has roots in open source. Bill Joy, who led the open source Berkeley Software Distribution (BSD) project in its early years, and contributed TCP/IP, vi, the classic in-line programming editor, NFS, and the csh shell, went on to become a founder of Sun. He became Sun's resident in-house technology guru, the master of Solaris and chief architect of Sun's technology strategy, before losing his religion and dedicating himself to other ventures. In 2000 he wrote a coruscating piece called "Why the future doesn't need us" about how "our most powerful 21st-century technologies - robotics, genetic engineering, and nanotech - are threatening to make humans an endangered species", and finally disappeared from Sun's orbit in 2003. But that's another story...

Smell the coffee

Although it has never fully embraced free software, Sun has always worked well with its developer communities. Nonetheless, Sun's announcement late in 2006 that it would release Java under the GPL came as something of a surprise, and was seen as a triumph for the GPL and a lifeline for Java. Marc Fleury, the founder of JBoss, the free software J2EE middleware platform, expressed a common sentiment when he said that he believed that the GPL would "extend the life of Java by at least fifteen years."

Sun's apparent conversion to the GPL and the world of free software may have been unexpected, but Fleury's take was that "the GPL is the best of both worlds, because [it] creates a very strong notion of intellectual property," and allows Sun "to monetise the Java ME environment." Not so long ago it would have been controversial to suggest that the GPL might be the most suitable open source licence for business applications. These days the idea is commonplace.

The Java announcement is already seen as a success. Sun has new leadership, and is no longer quite so ambivalent in its assessment of the value of the free software community. Possessed of a new vision of Sun's role in the brave new world of free and open source software, Sun followed up the Java declaration by hiring Ian Murdock, the founder of the Debian GNU/Linux community, as its chief operating systems officer, and hinted that it might release not only Solaris but also "the core intellectual property behind our multi-threaded Niagara systems", under the GPLv3, the free software community's latest and greatest licence, (and more recently, by purchasing MySQL, the open source database company).

The GPL was the original creation of Richard Stallman, the founder of GNU and the Free Software Foundation. GPLv3 was the result of months of argument, consultation and compromise among free software developers and corporate lawyers, but not everybody likes the GPLv3, and its most vocal opponent has been Linus Torvalds, who wants the Linux kernel to retain v2 of the licence. Stallman and Torvalds represent different wings of the free software movement. Torvalds is a pragmatist. Stallman sees himself as "an activist in the free software movement." Torvalds tends to the view that the anti-DRM clause in the licence is an unwarranted restriction. Stallman believes it to be a necessity.

The great leap forwards

The GPL has been a large part of the success of GNU/Linux. The current criticisms of the GPLv3 echo the criticisms that were made about the GPLv2 in the early 90s, that it was business unfriendly, and that GNU/Linux would never be taken up by industry. In fact, the GPL has proven to be the best guarantee of the integrity of GNU/Linux and its usefulness to industry, a factor that has influenced Sun's decision to license Java under the GPL, and to consider releasing Solaris under the GPLv3.

If this were to happen, it would represent a revolution for the computer industry. For the first time there would be two GNU operating systems going head to head in the enterprise, GNU/linux, licensed under the GPLv2, (as Linux Torvalds threatens), and GNU/Solaris, licensed under the GPLv3, (as Sun Microsystems promises). This scenario woudnt't be hurt at all by Sun's recent purchase of MySQL.

Sun may anticipate that releasing Solaris under the GPL will give it access to Linux developers and device drivers (as Torvalds suspects), but Linux has a long lead in the open source marketplace and the developer community. You don't gain the loyalties of the wider open source user and developer community merely by declaring yourself open source. That comes later.

Sun already has a community around the current version of OpenSolaris, which is released under the CDDL, Sun's own "open source" licence. For obvious reasons, the existing community isn't too keen on Solaris becoming available under the GPL, but if Sun really means to fulfill its mission of making Solaris "a better Linux than Linux", the GPL is the only option. It appears that most of Murdock's initial efforts are to replicate the "userland" features of Linux, from installation to package handling, but that won't come easy without the GPL and the participation of the wider community, and the CDDL is incompatible with the GPL, and doesn't fit the bill.

A third option is that Sun hedges its bets and releases Solaris under a dual license, retaining some of its more valuable features under the CDDL. This would be superficially attractive to Sun, but would ultimately defeat its purpose in releasing the OS under the GPL.

Vendors are willing to contribute their proprietary file systems and features to Linux under the GPL, because they benefit from a two-way traffic in the form of contributions from other vendors. If Sun wants Solaris to be "a better Linux than Linux", it has to play like Linux.

The fun begins

Solaris has some attributes, such as ZFS and dTrace, that make it desirable to the developer community, and Jonathan Schwartz, Sun's chief executive, keeps making the right noises. When storage company NetApp claimed that ZFS violated some of it's patents, both Schwartz and Bill Hilf of NetApp, quickly made statements reaching out for support from the open source community. "The rise of the open source community cannot be stifled by proprietary vendors," wrote Schwartz. "I guess not everyone's learned that lesson." ZFS is currently available under the CDDL, which inhibits it's direct inclusion in the Linux kernel. If Sun were to release Solaris and all its parts under the GPL, that's when the fun begins...

Intriguingly, Torvalds took the stance, before there were any hints of legal shenanigans between Sun and NetApp, that "we'd be better off talking to NetApp, and seeing if they are interested in releasing WAFL for Linux." WAFL, the Write Anywhere File Layout, is the NetApp equivalent of ZFS.

"And don't get me wrong:," he wrote on the Linux kernel mailing lists, "I think a truly open-source GPLv3 Solaris would be a really good thing, even if it does end up being a one-way street as far as code is concerned!"

Nobody is under any illusions that Sun wants to surrender its hold on Solaris, or the place that Solaris holds in the market. Paradoxically, Sun may be more unlikely to achieve these aims unless it is uncompromising, and releases the software under the GPL. Schwartz has thrown the ball in the air. He may run off it with it and refuse to play, but we can hope that this isn't true.

Torvalds says that Linux should be permissive, and should not carry DRM and patent restrictions, and should remain under the GPL v2. Stallman says that GNU/Linux should remain true to the ideals that allowed it to come into being, and move to the GPL v3. History has shown that the two positions are not as contradictory as they might at first appear.

The same arguments may be heard again in several years time when the Free Software Foundation announces the imminent release of GPLv4, and the GNU/Solaris developers argue about the wisdom of adopting a new, more radical, license, which tackles the issues of changing times and new impediments to the continuing freedom of software that we have not yet foreseen. By that time, a certain company in Redmond may be rushing to release the latest version of GNU/Windows under the GPLv4. Or maybe not.