8/11/2015 No, You Really Can’t (Mary Ann Davidson Blog) https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t
request for each alleged issue (not just hand us a report) and provide a proof of concept (which some tools can generate). If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: "Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs..." which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

Why am I bringing this up? The main reason is that, when I see a spike in X, I try to get ahead of it. I don’t want more rounds of “you broke the license agreement,” “no, we didn’t,” “yes, you did,” “no, we didn’t.” I’d rather spend my time, and my team’s time, working on helping development improve our code than argue with people about where the license agreement lines are. Now is a good time to reiterate that I’m not beating people up over this merely because of the license agreement. More like, “I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.” I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually time-wasting exercise.

For this reason, I want to explain what Oracle’s purpose is in enforcing our license agreement (as it pertains to reverse engineering) and, in a reasonably precise yet hand-wavy way, explain “where the line is you can’t cross or you will get a strongly-worded letter from us.” Caveat: I am not a lawyer, even if I can use words like stare decisis in random conversations. (Except with my dog, because he only understands Hawaiian, not Latin.) Ergo, when in doubt, refer to your Oracle license agreement, which trumps anything I say herein!

With that in mind, a few FAQ-ish explanations:

Q. What is reverse engineering?