[debian-mysql] [Summary] Request for release team decision on MySQL and MariaDB

Steven Chamberlain steven at pyro.eu.org
Wed Jan 27 20:30:09 UTC 2016


I'll try to make this my last intervention in this thread.  Because
it's not my decision, or area of responsibility, and I likely won't be
one of the people having to do the work when a decision is made, but...

Clint Byrum wrote:
> most of these CVEs would remain fully undisclosed and unfixed in both
> MySQL and MariaDB if the MySQL engineering team or customers had not
> found them.

Sorry, this is not compelling.  As long as Oracle sells MySQL to
enterprise, it *must* do these things, and release source code to
satisfy legal obligations of what is a GPL codebase.  It is really only
doing the bare minimum in that regard.  It was also a condition of
Oracle's acquisition of MySQL AB:

"As part of the negotiations with the European Commission, Oracle
committed that MySQL server will continue until at least 2015 to use the
dual-licensing strategy long used by MySQL AB, with proprietary and GPL
versions available"
according to https://en.wikipedia.org/wiki/MySQL#Legal_disputes_and_acquisitions

Oracle may still drop MySQL support like a hat due to market conditions,
regardless of whether Debian has already shipped it by then.

And apart from sponsoring Debian packaging work, Oracle seems
conspicuously missing from:
http://debconf16.debconf.org/sponsors.html
http://debconf15.debconf.org/
https://www.debian.org/mirror/sponsors
https://www.freexian.com/en/services/debian-lts.html

Clint Byrum wrote:
> [...] if it were written down somewhere as an actual policy. [...]

Norvald H. Ryeng wrote:
> Tell us exactly what you want, in detail. If you don't then I don't
> think your position is reasonable.

Robie Basak wrote:
> So please: the security team needs to engage directly with Oracle by
> responding to Norvald's email and enumerating exactly what is wrong.

I don't see that Debian has to do that, at all.  Other upstream projects
seem to 'just get it', so Oracle management is really expecting special
treatment.  IMHO I respond to bad dealings with a company by shopping
elsewhere, not helping them improve their business practices.

This is perhaps more significant than a mere decision over what goes
into the next release.  I see a really fantastic, rare opportunity for
Debian to take a moral stand against Oracle for shameful mistreatment
of free software to date.  rock on \m/

Niels Thykier wrote:
> I appreciate that the release team failed on action item several
> months back and have not been very proactive in the communication.
> And I am sorry that it has (and probably will) inconvenience you and
> MySQL upstream.

I do have personal sympathy for Debian contributors who became entwined,
by their career choices, with the business preferences of Oracle and
Canonical.  And the team of MySQL developers who must work under
Oracle's non-disclosure policies.  But I don't think it should get in
the way of doing whatever seems right for Debian's users and by its
own principles.

Thanks,
Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org