[debian-mysql] Fwd: osmalchemy is marked for autoremoval from testing

Kristian Nielsen knielsen at knielsen-hq.org
Thu Jan 12 21:38:19 UTC 2017


"Norvald H. Ryeng" <norvald.ryeng at oracle.com> writes:

> On Thu, 12 Jan 2017 13:16:32 +0100
> Dominik George <nik at naturalnet.de> wrote:

>> This package does not require Oracle's MySQL, it requires a root user
>> that can authenticate to the database and use it in its entirety, a
>> feature which was deliberately broken in mariadb.

> The MySQL maintainers have never claimed that MariaDB is a drop-in
> replacement for MySQL. We have argued that it isn't.

If I understand the issue here, this is nothing to do with MariaDB being or
not being a drop-in for MySQL. The problem seems to be this patch in the
Debian packaging:

  https://github.com/ottok/mariadb-10.1/blob/master/debian/patches/mdev-8375-passwordless-root-via-socket-auth.patch

The idea is to make the default install of package mariadb-server-10.1 use
socket authentication for the root user, which seems fine. But the patch
seems completely wrong. Rather than adding needed functionality to enable
postinst to set up socket auth, instead it hardcodes this decision into
mysql_install_db, which breaks other users.

So it has nothing to do with MySQL vs. MariaDB, such a patch could just as
well have been made against MySQL packaging, with the same bad consequences. It
is simply a bug / unintended consequence of an addition to debian/patches/,
and simply needs to be fixed. Feel free to correct me if I'm wrong?

Suggestion for fixing: Add options --auth-root-socket and
--auth-root-nopasswd to mysql_install_db. Echo a corresponding
"SET @auth_root_socket=1" or "SET @auth_root_nopasswd=1" down the
mysqld_install_cmd_line pipe. Then in mysql_system_tables_data.sql choose
one or the other contents for the user table like this:

  REPLACE INTO tmp_user_nopasswd ...
  INSERT INTO tmp_user_socket ...
  INSERT INTO user SELECT * FROM tmp_user_nopasswd WHERE @had_user_table=0 and @auth_root_nopasswd=1;
  INSERT INTO user SELECT * FROM tmp_user_socket WHERE @had_user_table=0 and @auth_root_socket=1;

This way, mariadb-server-10.1 postinst can use
mysql_install_db --auth-root-socket. And ruby-mysql2 can use
mysql_install_db --auth-root-nopasswd. And if --auth-root-nopasswd is made
the default, then existing users can work fine without any changes.
Sounds reasonable?

> The transition is being executed by the release team and the MariaDB
> maintainers. Please keep the MySQL maintainers out of it. Our packages
> are being removed from stretch against our will, and despite our
> huge effort to make MySQL and MariaDB coexist and our efforts to
> fulfill all demands from the release and security teams.

That's ridiculous. MySQL upstream has for years been deliberately forging
the git repo, removing information about security fixes. The mysql test
suite is an integrated part of the source, and stripping part of it in
source releases is completely anti-free software. Knowing Debian's strong
position on Free Software, no-one can possibly be surprised that this is met
with strong resistance, and a search for alternatives.

It can be discussed whether this practice crosses the line between free or
non-free, or not. But pretending that nothing is wrong from the MySQL side
and that the release/security teams are just being unreasonable, it just
makes you look untrustworthy.

Hope this helps,

 - Kristian.
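
The option handling proposed in the message above, as an added sketch that is not part of the original message and is not MariaDB's or Debian's code. The option names, the two SQL variables and the two gated INSERT statements are taken from the message; the function names and the rule that the two options are mutually exclusive are assumptions.

```shell
#!/bin/sh
# Added sketch: map the two proposed mysql_install_db options to the SQL
# variables that mysql_system_tables_data.sql would test.

# auth_root_preamble [options...]  (hypothetical helper name)
# Prints the SET statements to send ahead of the system-table SQL.
# Returns 2 when both options are given; unrelated options are ignored.
auth_root_preamble() {
    ar_socket=0
    ar_nopasswd=0
    for ar_arg in "$@"; do
        case "$ar_arg" in
            --auth-root-socket)   ar_socket=1 ;;
            --auth-root-nopasswd) ar_nopasswd=1 ;;
        esac
    done
    # Assumption: the options exclude each other, so root never ends up
    # with both kinds of rows in the user table.
    if [ "$ar_socket" -eq 1 ] && [ "$ar_nopasswd" -eq 1 ]; then
        echo "error: --auth-root-socket and --auth-root-nopasswd conflict" >&2
        return 2
    fi
    # From the message: nopasswd is the default, so existing callers of
    # mysql_install_db keep working without changes.
    if [ "$ar_socket" -eq 0 ]; then
        ar_nopasswd=1
    fi
    # Set both variables explicitly so exactly one gated INSERT matches.
    echo "SET @auth_root_socket=$ar_socket;"
    echo "SET @auth_root_nopasswd=$ar_nopasswd;"
}

# bootstrap_sql [options...]  (hypothetical helper name)
# Preamble followed by the two gated statements quoted from the message.
# The tmp_user_* tables are assumed to be filled earlier in the SQL file.
bootstrap_sql() {
    auth_root_preamble "$@" || return $?
    cat <<'EOF'
INSERT INTO user SELECT * FROM tmp_user_nopasswd WHERE @had_user_table=0 and @auth_root_nopasswd=1;
INSERT INTO user SELECT * FROM tmp_user_socket WHERE @had_user_table=0 and @auth_root_socket=1;
EOF
}
```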
