[debian-mysql] [Summary] Request for release team decision on MySQL and MariaDB

Niels Thykier niels at thykier.net
Tue Jan 26 23:50:08 UTC 2016


Pedretti Fabio:
>> * Summary of options and selection status
>>

Hi Robie,

I appreciate your intention.  However, I felt it was way too long for a
summary and at this point it is still TL;DR for me and I fear I won't have
time to read and digest it all.

However, I can certainly understand that you wanted to include all of
that.  Personally, I can see several points for improvements on the
Debian release team's side.

>> My original request for a decision proposed one of the following
>> options, which I think we all agree are the only options available:
>>
> [...]
> 

I do not feel the listed options accurately reflect the issues /
concerns in play.  As *I see it*, these are the options:

  1) Default to MySQL with MariaDB also available /!\

  2) Default to MariaDB with MySQL also available

  3) Only MySQL available, MariaDB removed from testing /!\

  4) Only MariaDB available, MySQL removed from testing.

  5) Further discussion / delayed decision

The options marked with /!\ are de facto *no-go* for me if/given the
security team is unwilling to provide security support for MySQL[2].

In summary (again, *from my PoV*):

 * None of the currently available "reasonable options" include status
   quo (excl. 5).
   - Ergo, I see it as a transition of the default.

 * This is a transition I want early rather than rushed earlier.
   - It can trivially end up taking 6 months of calendar time before it
     is complete.  This is uncomfortably close to the transition
     deadline

 * For me, 1, 3 and 5 seem too unreliable / too unlikely that I am
   convinced we should accept the risks involved in it.
   - While I consider 2 unlikely, it has lower "risk" for me.  Notably
     going from "2" to "4" (and vice versa) is vastly easier than from
     "1" to "2".

Beyond this, I can certainly appreciate your desire to resolve the
situation between the security team and MySQL upstream on CVE
disclosures etc.

Thanks,
~Niels

PS: Re: 3)+4) I think it is largely irrelevant for the release team and
the security team whether the removal *also* includes unstable. At the
very least, it is a secondary concern, so I have decided to omit this
distinction.

[1]
https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#limited-security-support

[2] Rationale: Missing security support would certainly have to go in
the Stretch variant of [1]. That makes for a very bad release to have a
default implementation being *without* official security support.
Whether the MySQL team can deliver something comparable is a separate
debate.


