[debian-mysql] Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: Bug#793316: transition: mysql-5.6]

Moritz Mühlenhoff jmm at inutil.org
Thu Jan 14 21:11:22 UTC 2016


On Mon, Jan 11, 2016 at 08:14:06PM +0000, Robie Basak wrote:
> On Mon, Jan 11, 2016 at 07:27:30PM +0100, Moritz Mühlenhoff wrote:
> > *Sigh*. And that is exactly the problem (and we've already pointed this
> > out at DebConf half a year ago)
> > 
> > We should really go ahead and move forward, the freeze isn't terribly far away.
> 
> I don't think it's reasonable to use a security question raised by
> MariaDB as an excuse to kick out MySQL. Because whether you do so or
> not, your situation with getting information about CVEs in relation to
> MariaDB will not change.
>
> Let's treat the situation with each on their own merits and be
> constructive about this.

This policy equally hurts us for mysql alone. Debian LTS had to go through
a messy 5.1-5.5 transition because of Oracle's policies.
 
> That *is* something that might be able to be addressed directly by
> Oracle, and if it does get addressed then MariaDB's situation could
> improve too, and Debian wins.

We've already raised this at DebConf with Norvald from Oracle half a year
ago and nothing happened. Several other parties didn't get this information
from Oracle in the past (not even Red Hat). The VirtualBox developers
were equally shut down by Oracle (after being cooperative for a while).

I see no chance that this will really happen. We'll definitely not
wait for it and we need to make a move ASAP. The freeze is only about
eight months away and a transition from mysql to mariadb takes its
time.

> So please: the security team needs to engage directly with Oracle by
> responding to Norvald's email and enumerating exactly what is wrong.
> Otherwise nobody can reasonably claim about what Oracle is not doing in
> relation to security, because the security team refuses to say what the
> problem is.

*sigh* That has already been raised multiple times and it was all reported
to Oracle at DebConf. Information about specific security issues and
their mapping to fixes (as raised by Otto, which explains the
need very well) needs to be publicly available (we're unable and unwilling
to sign an NDA).

This is EOD from my side. This has all been discussed to death and
I won't spend further time on this.

Cheers,
        Moritz
