[debian-mysql] Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: Bug#793316: transition: mysql-5.6]
Clint Byrum
spamaps at debian.org
Thu Jan 14 22:30:53 UTC 2016
Excerpts from Moritz Mühlenhoff's message of 2016-01-14 13:11:22 -0800:
> On Mon, Jan 11, 2016 at 08:14:06PM +0000, Robie Basak wrote:
> > On Mon, Jan 11, 2016 at 07:27:30PM +0100, Moritz Mühlenhoff wrote:
> > > *Sigh*. And that is exactly the problem (and we've already pointed this
> > > out at DebConf half a year ago)
> > >
> > > We should really go ahead and move forward, the freeze isn't terribly far away.
> >
> > I don't think it's reasonable to use a security question raised by
> > MariaDB as an excuse to kick out MySQL. Because whether you do so or
> > not, your situation with getting information about CVEs in relation to
> > MariaDB will not change.
> >
> > Let's treat the situation with each on their own merits and be
> > constructive about this.
>
> This policy equally hurts us for mysql alone. Debian LTS had to go through
> a messy 5.1-5.5 transition because of Oracle's policies.
>
That's a real shame. That said, I think that is a one-time fallout from
the fact that 5.5 was _really_ late getting into Debian, and basically
missed a release because nobody was working on MySQL for a while.
Still, it's worth noting that the ridiculous "no disclosure" policy puts
users in the awkward position of either being forced down the path to
newer releases, or accepting that they just know _that there is a
problem_, and not _what the problem is_.
> > That *is* something that might be able to be addressed directly by
> > Oracle, and if it does get addressed then MariaDB's situation could
> > improve too, and Debian wins.
>
> We've already raised this at DebConf with Norvald from Oracle half a year
> ago and nothing happened. Several other parties didn't get this information
> from Oracle in the past (not even Red Hat). The VirtualBox developers
> were equally shut down by Oracle (after being cooperative for a while).
>
> I see no chance that this will really happen. We'll definitely not
> wait for it and we need to make a move ASAP. The freeze is only like
> eight months away and a transition from mysql to mariadb takes its
> time.
>
To be clear, it is not a transition from mysql to mariadb. MariaDB is
there, and available, and users may use it as they please. The
suggestion is that because it is there, we can discontinue inclusion of
MySQL.
> > So please: the security team needs to engage directly with Oracle by
> > responding to Norvald's email and enumerating exactly what is wrong.
> > Otherwise nobody can reasonably claim about what Oracle is not doing in
> > relation to security, because the security team refuses to say what the
> > problem is.
>
> *sigh* That has already been raised multiple times and it was all reported
> to Oracle at DebConf. Information about specific security issues and
> their mapping to fixes (just like raised by Otto, which explains the
> need very well) needs to be publicly available (we're unable and unwilling
> to sign an NDA).
>
Full disclosure will not happen, and we shouldn't expect it to. If that
is actually a requirement for inclusion in Debian, then MySQL should be
dropped immediately and a transition to using MariaDB for libmysqlclient
should be started in place of the 5.6 transition. But, my understanding
was that it was _not_ required, and that the point release shipping has
gone relatively well, aside from the fact that the security team has been
uploading the updates (we need to fix the communication channel there,
but I think that's under way).