[debian-mysql] [Summary] Request for release team decision on MySQL and MariaDB
Clint Byrum
spamaps at debian.org
Tue Jan 26 07:00:27 UTC 2016
Excerpts from Holger Levsen's message of 2016-01-25 17:04:57 -0800:
> Hi,
>
> On Tuesday, 26 January 2016, Steven Chamberlain wrote:
> [...other valid points not quoted here…]
> > Assuming MariaDB is affected by the same issues, I may not be in a
> > technically better situation if I switched to using that. (Although, it
> > seems one of the recent CVEs did not affect MariaDB?). But I look at
> > their public bug dashboard as a model of how open I want development to
> > happen, and it makes me _feel_ more comfortable and optimistic in that
> > project already.
>
> Steven, thanks for wording this (all of it, also the non quoted parts) much
> better than I care to do. As I said on IRC on #debian-release:
>
> * | h01ger is tempted to reply "tl;dr; - mysql is the db with the NDA from
> oracle, mariadb is the free fork shipped everywhere - without NDAs and without
> a history of screwing free software, so let's EOT here" to the recent mail in
> that thread…
>
> - I know this is somewhat too simplified, e.g. I do acknowledge and hope that
> Oracle can do better than "screwing free software", but… *they* need to show
> this *by themselves*.
> Yet when I read this in Robie's mail: "It is not reasonable for S to expect
> U[MySQL] to change their policy in order to meet a goal if S refuse to
> tell U[MySQL] how success against that goal will be measured." I have little
> hope + motivation to explain this better - CVE is a public database.
>
> So, another summary: there's a software from a company with NDAs (which have
> been applied to the question at hand, no less) and "a history of screwing free
> software" and there's a project to reuse the same codebase (and then build on
> it) to not do that.
>
> Also, I wonder why https://en.wikipedia.org/wiki/MariaDB#Prominent_users … ;-)
>

Holger, I understand this frustration entirely. But let's be completely
honest here. Nobody has told Oracle exactly what Debian wants. I know,
it seems like it should be obvious, but for Oracle, they speak money
_first_, and then software. I know, also, that this is anathema to many
users, and this alone is enough to drive some to want to have nothing
to do with MySQL. _I get that_. MariaDB is right over here, and I invite
those of you who feel this way to switch to that fine fork of MySQL.

However, I have confidence that our friends in the MySQL engineering
team can frame the loss of the last foothold for MySQL in Linux distros
as a direct path toward _less_ money for Oracle. So if we can just be
patient with them, and actually facilitate their participation in this
grand community of Debian, it's possible that a compromise can be found.

Meanwhile, I'd like to challenge someone to point to the exact requirement
from any official source affiliated with Debian as to what constitutes
an acceptable level of disclosure for a package to remain in the archive.