[debian-mysql] [Summary] Request for release team decision on MySQL and MariaDB
Clint Byrum
spamaps at debian.org
Wed Jan 27 22:56:17 UTC 2016

Excerpts from Steven Chamberlain's message of 2016-01-27 12:30:09 -0800:
> I'll try to make this my last intervention in this thread. Because
> it's not my decision, or area of responsibility, and I likely won't be
> one of the people having to do the work when a decision is made, but...
>
I appreciate your words very much, Steven.

> Clint Byrum wrote:
> > most of these CVE's would remain fully undisclosed and unfixed in both
> > MySQL and MariaDB if the MySQL engineering team or customers had not
> > found them.
>
> Sorry, this is not compelling. As long as Oracle sells MySQL to
> enterprise, it *must* do these things, and release source code to
> satisfy legal obligations of what is a GPL codebase. It is really only
> doing the bare minimum in that regard. It was also a condition of
> Oracle's acquisition of MySQL AB:
>
> "As part of the negotiations with the European Commission, Oracle
> committed that MySQL server will continue until at least 2015 to use the
> dual-licensing strategy long used by MySQL AB, with proprietary and GPL
> versions available"
> according to https://en.wikipedia.org/wiki/MySQL#Legal_disputes_and_acquisitions
>
> Oracle may still drop MySQL support like a hat due to market conditions,
> regardless of whether Debian has already shipped it by then.
>
The code dump is definitely a condition, but it turns out that's also
prevented an actual fork of their work from forming. MariaDB does pull
things in, but it's forked so far now that there's still enough compelling
reason to run Oracle's code-dumped version that people choose to do it
every day.

> And apart from sponsoring Debian packaging work, Oracle seems
> conspicuously missing from:
> http://debconf16.debconf.org/sponsors.html
> http://debconf15.debconf.org/
> https://www.debian.org/mirror/sponsors
> https://www.freexian.com/en/services/debian-lts.html
>
I think this unfairly characterizes them as free riders when the point
we've been trying to make is that they're not free riding, but just
choosing to contribute with engineering time.

> Clint Byrum wrote:
> > [...] if it were written down somewhere as an actual policy. [...]
>
> Norvald H. Ryeng wrote:
> > Tell us exactly what you want, in detail. If you don't then I don't
> > think your position is reasonable.
>
> Robie Basak wrote:
> > So please: the security team needs to engage directly with Oracle by
> > responding to Norvald's email and enumerating exactly what is wrong.
>
> I don't see that Debian has to do that, at all. Other upstream projects
> seem to 'just get it', so Oracle management is really expecting special
> treatment. IMHO I respond to bad dealings with a company by shopping
> elsewhere, not helping them improve their business practices.
>
Of course Debian doesn't have to do it. However, here you have a
corporate citizen who _wants_ to contribute, and they're being told to
buzz off. When asking why, they're getting derisive "if you have to ask
you'll never know" type of treatment.

Just because we don't like them, doesn't mean we can kick them out of
our club.

> This is perhaps more significant than a mere decision over what goes
> into the next release. I see a really fantastic, rare opportunity for
> Debian to take a moral stand against Oracle for shameful mistreatment
> of free software to date. rock on \m/
>
So basically "they're bad people by my own conjecture, so let's stick
it to them". I am sorry, but I thought Debian would welcome those who
follow our rules.

> Niels Thykier wrote:
> > I appreciate that the release team failed on action item several
> > months back and have not been very proactive in the communication.
> > And I am sorry that it has (and probably will) inconvenience you and
> > MySQL upstream.
>
> I do have personal sympathy for Debian contributors who became entwined,
> by their career choices, with the business preferences of Oracle and
> Canonical. And the team of MySQL developers who must work under
> Oracle's non-disclosure policies. But I don't think it should get in
> the way of doing whatever seems right for Debian's users and by its
> own principles.
>
This is a very broad statement, and I suggest you add _specifics_ to
any accusations that somehow having MySQL in the archive is bad for
Debian's principles. Which principles are not being upheld? The users
are getting well maintained Free software. The fact that it's being
done in a way that we all think is silly (and make no mistake, I think it
is one of the silliest things I've ever seen in open source software)
isn't a valid reason to reject it. It just feels good to say.

If you want to kick them out, by all means, do it. But have an actual
reason please.