[debian-mysql] Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: Bug#793316: transition: mysql-5.6]

Robie Basak robie.basak at ubuntu.com
Mon Jan 11 20:34:05 UTC 2016


On Mon, Jan 11, 2016 at 08:13:56PM +0100, Salvatore Bonaccorso wrote:
> > MySQL is maintained in jessie. What makes you think it's not?
> 
> My gut feeling is that this is not true, I'm sorry. All recent updates
> were prepared by the security team itself due to this.  And most of
> the recent updates were neither fixed in unstable. Instead then the
> jessie-security version migrated up to stretch after the point
> release. I know though there was a migration planned from mysql-5.5 to
> mysql-5.6. This is at least my subjective impression on what happened.
> 
> Cf. e.g. who-uploads -M 25 --date mysql-5.5

I think Norvald's point is fair though. We have had one opportunity
since "maintenance of jessie" was called out, and we did try to engage
at that time by preparing the required update.

> > MySQL in jessie was upgraded to 5.5.46 after the last Critical Patch
> > Update from upstream. There have been no CVE announcements since
> > then, and hence no upgrades.
> > 
> > At the release team meeting on September 23, the release team asked
> > the Debian MySQL team to do more to prepare security updates. There
> > has been only one CVE announcement since then. The MySQL team did
> > prepare that upgrade, but the security team NMUed before the MySQL
> > team finished [1].
> 
> 5.5.46 was again updated by me via security.d.o. I filled bug #802564.
> But apparently the discussion happened on the pkg-mysql-maint list
> without CC to the bug, so I missed there were people working on it and
> I did it again on behalf of the security team.

It seems that the bug should have continued to be copied in, and that
can easily be fixed next time. But why have you excluded "All work has
already been done on git" which *was* copied in to the bug? If you
missed this then that's fair enough but please do not use it to claim
that we haven't been helping in the one opportunity we've had since you
asked.

> So there will be a new Oracle CPU soon. Will an update be prepared and
> the security team contacted for the coordination -- possibly even in
> advance (debdiffs, upload
> ack, ... cf. 
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#s5.6.4
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
> ) so that we can timely release an update if all wents fine?

I had a discussion with Oracle engineers on this point last Friday (the
8th). They brought up the matter themselves. They are keen to help us
get this right, so I advised that they (wearing their Debian hats) both
prepare the packaging now and file the bug as soon as any announcement
is made. I can vouch that this conversation happened and I hope that it
demonstrates their intent.

Robie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/attachments/20160111/f84618ab/attachment.sig>


More information about the pkg-mysql-maint mailing list