[debian-mysql] Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: Bug#793316: transition: mysql-5.6]

Salvatore Bonaccorso carnil at debian.org
Mon Jan 11 19:13:56 UTC 2016


Hi,

On Thu, Jan 07, 2016 at 03:49:15PM +0100, Norvald H. Ryeng wrote:
> On Fri, 18 Dec 2015 22:31:05 +0100, Robie Basak <robie.basak at ubuntu.com>
> wrote:
> 
> >Here are the enumerated concerns of the release team for MySQL in
> >Debian given to us in yesterday's meeting:
> 
> I'll address each concern separately. Since I'm both on the Debian
> MySQL team and an upstream developer, and these four concerns are a
> mix of upstream and packaging team issues, I'll try to be explicit
> about which viewpoint I represent: upstream or member of the Debian
> MySQL team. Please ask me if it's unclear.
> 
> >20:12:37 <pochu> 1- mysql isn't maintained in jessie
> 
> This is not really an upstream problem, but I can respond on behalf of
> the Debian MySQL team:
> 
> MySQL is maintained in jessie. What makes you think it's not?

My gut feeling is that this is not true, I'm sorry. All recent updates
were prepared by the security team itself due to this. And most of
the recent updates were not fixed in unstable either. Instead, the
jessie-security version then migrated up to stretch after the point
release. I know though there was a migration planned from mysql-5.5 to
mysql-5.6. This is at least my subjective impression of what happened.

Cf. e.g. who-uploads -M 25 --date mysql-5.5

> MySQL in jessie was upgraded to 5.5.46 after the last Critical Patch
> Update from upstream. There have been no CVE announcements since
> then, and hence no upgrades.
> 
> At the release team meeting on September 23, the release team asked
> the Debian MySQL team to do more to prepare security updates. There
> has been only one CVE announcement since then. The MySQL team did
> prepare that upgrade, but the security team NMUed before the MySQL
> team finished [1].

5.5.46 was again updated by me via security.d.o. I filed bug #802564.
But apparently the discussion happened on the pkg-mysql-maint list
without CC to the bug, so I missed there were people working on it and
I did it again on behalf of the security team.

So there will be a new Oracle CPU soon. Will an update be prepared and
the security team contacted for the coordination -- possibly even in
advance (debdiffs, upload ack, ... cf.
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#s5.6.4
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
) so that we can release an update in a timely manner if all goes fine?

Regards,
Salvatore