[debian-mysql] Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: Bug#793316: transition: mysql-5.6]
Norvald H. Ryeng
norvald.ryeng at oracle.com
Wed Dec 23 14:39:04 UTC 2015
On Fri, 18 Dec 2015 22:31:05 +0100, Robie Basak <robie.basak at ubuntu.com>
wrote:
> (removing Jonathan specifically; the debian-release ML should be
> sufficient as this is for the release team generally now)
>
> On Mon, Dec 14, 2015 at 05:45:24PM +0000, Robie Basak wrote:
>> Can I ask that this request (for the release team to make a decision
>> between the choices I outlined[1]) be tabled again at the IRC meeting I
>> understand will be taking place this Wednesday? Please let me know if
>> there's anything I can do to help you make a decision on this.
>
> Following up, here's a summary of the outcome from the meeting
> yesterday. There is also a full log[1] and the previous meeting[2] from
> 23 September is also relevant.

Thanks for attending the meeting and for the summary, Robie! Like you, I'm
on vacation and have little opportunity to handle this until January. But
I thought I'd throw in a request for a bit more information on one of the
points:

> 20:12:56 <pochu> 2- no disclosure of security issues w/ patches

I know we are a bit tight with info about security issues upstream, but
all security bugfixes are available at
https://github.com/mysql/mysql-server as individual commits, and a list of
CVEs fixed is reported quarterly according to a published schedule.
Apparently that's not enough.

I fix the occasional security bug myself, but in the day-to-day work, I'm
not involved in handling CVEs etc., so I need some more details about what
Debian thinks is missing. It's hard for me to start a good discussion
upstream without fully understanding the issue. Can someone (e.g., the
security team?) please explain to me exactly what's requested and how
you're expecting to use the information? Can Debian handle information
given under NDA, or must all security bug info be public? When I
understand the problem, I can pull together the right people upstream and
see what we can do to fix it.

Merry Christmas,
Norvald H. Ryeng