[debian-mysql] Fwd: osmalchemy is marked for autoremoval from testing

Kristian Nielsen knielsen at knielsen-hq.org
Fri Jan 13 11:11:20 UTC 2017


"Norvald H. Ryeng" <norvald.ryeng at oracle.com> writes:

> On Thu, 12 Jan 2017 22:38:19 +0100
> Kristian Nielsen <knielsen at knielsen-hq.org> wrote:

>> That's ridiculous. MySQL upstream has for years been deliberately
>> forging the git repo, removing information about security fixes. The

> That has not been brought up as a reason for kicking MySQL out of
> stretch. The only reason given by the security team is that there is
> no public mapping between CVE IDs and patches/commits. All other
> requirements have been met.

Seems the same thing to me, deliberately removing security fix information
from publicly available sources?

> The security team claims this is a requirement for all software in
> Debian. It's not hard to find other examples of software in Debian that
> doesn't fulfill this requirement. However, MySQL is the only package
> removed because of it.
>
> Other software where I can't find a public mapping between CVE IDs and
> patches/commits include projects such as Firefox and MariaDB.

Ehm, what? Firefox was removed for years from Debian in favour of Iceweasel.
And patches are explicitly mapped to MariaDB CVEs on a security@
mailing list where distros get advance notice - except for those secret CVEs
that are inherited from MySQL (and even those are reverse-engineered by
MariaDB engineers, when possible).

Do you really not see the problem? This is how things look to someone
following the discussion from the side: You were basically saying to
Debian/the release team: "Hi, we noticed that a few projects are screwing
you over. We would like to screw you over at least as badly, can you please
advise us on how best to do that?". That really is not a good way to
approach Open Source participation, neither in Debian nor elsewhere.

If you disagree with the removal of MySQL, then what is your recommendation
for the release and security team to better ensure availability of proper
information about security holes and fixes?

 - Kristian.
