[debian-mysql] [Summary] Request for release team decision on MySQL and MariaDB

Clint Byrum spamaps at debian.org
Tue Jan 26 07:10:16 UTC 2016


Excerpts from Steven Chamberlain's message of 2016-01-25 16:48:23 -0800:
> Hi,
> 
> As a mere user (systems administrator), I'll share some questions /
> criticisms from my perspective that might help shed some light on the
> underlying issues.
> 
> I was wondering why after the 2016-01-19 announcement, there is still no
> patched mysql-5.5 in jessie or wheezy;  and also why mariadb was only
> just patched today.  Debian is typically much faster than this at
> getting out patches.  Is it to do with complexity, available manpower,
> or other things?
> 
> Another concern I have is that when I check Debian's Security Tracker,
> although I can see which CVEs apply to my (still unpatched) systems, the
> only descriptions I have are for example:
> "[...] allows remote authenticated users to affect integrity via unknown
> vectors related to encryption"
> 
> That is definitely not okay in a free, open-source software project.  I
> want to be able to evaluate how/whether my specific configuration is
> vulnerable and assess the risk for myself, while I wait for patches to
> come, and decide if I even want to apply them at all.
> 
> Why is it that way?  It reflects badly on Oracle that they don't or
> can't do better, and it reduces my personal trust in them.
> (It's in the Debian Social Contract, "we will not hide problems").
> 
> In contrast, for something as complex as the Linux kernel, I'm usually
> pointed to a specific Git commit showing how and where the bug was
> fixed, and there's often public discussion of the vulnerability in Red
> Hat's bug tracker or other sources.
> 
> Assuming MariaDB is affected by the same issues, I may not be in a
> technically better situation if I switched to using that.  (Although, it
> seems one of the recent CVEs did not affect MariaDB?).  But I look at
> their public bug dashboard as a model of how open I want development to
> happen, and it makes me _feel_ more comfortable and optimistic in that
> project already.
> 

Hi Steven. Thanks very much for your participation in this discussion.

One of the nuances that gets missed in these undisclosed, vague
vulnerability messages is that most of these CVEs would remain fully
undisclosed and unfixed in both MySQL and MariaDB if the MySQL engineering
team or customers had not found them.

Does this excuse Oracle for their misguided policy of non-disclosure?
Absolutely not. But I want to make it clear that we wouldn't even know
about these vulnerabilities were it not for them. So which is worse:
knowing that you might be broken, or not knowing at all?

Regarding the speed of patching: MySQL is massive. It takes several
hours to build and fully test on a good quality machine. Because the
patched version came out before the CVEs and CPUs attached to it, some
of this was already done. But a final set of binaries must be prepared,
tested, and uploaded. I think it is understandable that this might take
more than 5 days. But it should be completed soon.
