[debian-mysql] [Summary] Request for release team decision on MySQL and MariaDB

Steven Chamberlain steven at pyro.eu.org
Tue Jan 26 00:48:23 UTC 2016


Hi,

As a mere user (systems administrator), I'll share some questions /
criticisms from my perspective that might help shed some light on the
underlying issues.

I was wondering why after the 2016-01-19 announcement, there is still no
patched mysql-5.5 in jessie or wheezy;  and also why mariadb was only
just patched today.  Debian is typically much faster than this at
getting out patches.  Is it to do with complexity, available manpower,
or other things?

Another concern I have is that when I check Debian's Security Tracker,
although I can see which CVEs apply to my (still unpatched) systems, the
only descriptions I have are for example:
"[...] allows remote authenticated users to affect integrity via unknown
vectors related to encryption"

That is definitely not okay in a free, open-source software project.  I
want to be able to evaluate how/whether my specific configuration is
vulnerable and assess the risk for myself, while I wait for patches to
come, and decide if I even want to apply them at all.

Why is it that way?  It reflects badly on Oracle that they don't or
can't do better, and it reduces my personal trust in them.
(It's in the Debian Social Contract, "we will not hide problems").

In contrast, for something as complex as the Linux kernel, I'm usually
pointed to a specific Git commit showing how and where the bug was
fixed, and there's often public discussion of the vulnerability in Red
Hat's bug tracker or other sources.

Assuming MariaDB is affected by the same issues, I may not be in a
technically better situation if I switched to using that.  (Although, it
seems one of the recent CVEs did not affect MariaDB?).  But I look at
their public bug dashboard as a model of how open I want development to
happen, and it makes me _feel_ more comfortable and optimistic in that
project already.

Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org