[debian-mysql] [Summary] Request for release team decision on MySQL and MariaDB

Robie Basak robie.basak at ubuntu.com
Wed Jan 27 18:13:20 UTC 2016


Hi Niels,

Thank you for your considered response.

On Tue, Jan 26, 2016 at 11:50:08PM +0000, Niels Thykier wrote:
> I do not feel the listed options accurately reflect the issues /
> concerns in play.  As *I see it*, these are the options:
> 
>   1) Default to MySQL with MariaDB also available /!\
> 
>   2) Default to MariaDB with MySQL also available
> 
>   3) Only MySQL available, MariaDB removed from testing /!\
> 
>   4) Only MariaDB available, MySQL removed from testing.
> 
>   5) Further discussion / delayed decision

I'm fine with a decision that chooses from one of these instead. One
question though. What does "default" mean? Right now there is no
default. If you ask for mysql-server you get that, and likewise for
mariadb-server. Maintainers of dependent packages choose which one they
prefer (something like Depends: mysql-server-5.6 |
virtual-mysql-server). So if the release team were to decide to change
the "default", what would that mean technically, and what requirements
would be placed on dependent package maintainers?

> The options marked with /!\ are de facto *no-go* for me if/given the
> security team is unwilling to provide security support for MySQL[2].

I agree, but I'm focusing on the "if/given" part of your statement here.
I appreciate that you pointed it out explicitly. I see a couple of
issues here:

1) I was pleased to hear from the Debian security team that we may be
able to make some progress on the security disclosure issue soon. If
this happens and the matter gets resolved, then presumably your /!\
options will no longer be a no-go?

2) My understanding of the situation, given Otto's recent enquiries
about CVEs, is that the underlying problem will not go away for Debian
if MySQL is removed from testing, since MariaDB will still be affected.
So the security team would presumably have to publish the same caveat
for MariaDB in the release notes. Therefore by your logic MariaDB would
have to be *no-go* as well. Clearly we can't drop both, so I think we
will better serve Debian by taking the opportunity we have to resolve
the situation by getting Oracle to give Debian what it needs, for the
sake of both MySQL and MariaDB.

So I ask that you stick with the status quo for now. If however the
security disclosure is not resolved after giving Oracle a reasonable
opportunity, then I will have no reason to object further.

>  * This is a transition I want early rather than rushed earlier.
>    - It can trivially end up taking 6 months of calendar time before it
>      is complete.  This is uncomfortably close to the transition
>      deadline

I fully appreciate the difficulty in timing we have here. From the dates
in my summary I hope you can understand why I feel that this matter has
been blocked on you, and not the maintainers, for quite a few months
now. So it doesn't seem right that MySQL gets dropped or disadvantaged
because of this.

Thanks,

Robie