[debian-mysql] Bug#660206: Bug#660206: This is a regression

micah anderson micah at riseup.net
Tue Apr 10 15:59:57 UTC 2012


On Mon, 09 Apr 2012 10:21:08 -0700, Clint Byrum <clint at fewbar.com> wrote:
> Excerpts from micah anderson's message of Sun Apr 08 10:13:40 -0700 2012:
> > severity 660206 serious
> > thanks
> > 
> > This is actually a regression, the only way to get things to work again
> > is to downgrade package like such:
> > 
> > apt-get install mysql-server-5.1=5.1.49-3 mysql-client-5.1=5.1.49-3
> > mysql-common=5.1.49-3 mysql-server-core-5.1=5.1.49-3
> > libmysqlclient16=5.1.49-3
> > 
> > micah
> > 
> 
> So, I'm not sure I agree that this is such a serious
> regression. 

I would agree that this is not a *very* serious regression, but it's a
regression nonetheless. In my opinion an unintended regression is not
suitable for release as a security upload and should be replaced as soon
as a fix becomes available.

> *lenny* shipped with rails 2.1.0. 1.2.6 was released in 2007, and is
> not supported in Debian at all. The referenced upstream bug talks about
> using client versions older than 4.1, which is basically ancient.

I agree. However, the reality is that the security upgrade brought in
unrelated changes to the security upgrade and caused unrelated software
to break.

> I'm not disputing that this is a regression introduced by the upstream
> jump to 5.1.61, but I don't know that it's worth downgrading and losing
> security updates for. Perhaps the client libraries should be updated to
> something that is still supported by upstream and/or Debian.

The two choices here are to either downgrade mysql, or to upgrade client
libraries. While it seems sensible to upgrade client libraries to a
newer supported version, one should not have to do that because of a
security upgrade of another package. That option takes you from the
realm of routine security maintenance into the much more serious realm
of completely migrating other software to new client libraries that
would require a significant architecture overhaul (I don't know how much
you know about rails, but the difference between 2.1 and 2.2 is not a
trivial minor release, but typically involves almost a complete
rewrite). During a maintenance window, when you are expecting to only
do an isolated security upgrade of a package, the last thing the
sysadmin who is performing the upgrade is going to do is to re-write
some other code to deal with a surprise regression in the security
package.

So while I do agree with you that the 'right' thing to do is to get the
software updated to newer client libraries, rather than to have exposed
security holes, the reality is that until that can happen (and in one
case that I am dealing with, that re-write is in progress, but is 6
months out) I would hope that stable-security or a stable update would
include a fix to this regression, when it becomes available.

micah
