[debian-mysql] Fwd: osmalchemy is marked for autoremoval from testing

Otto Kekäläinen otto at debian.org
Mon Jan 16 10:03:39 UTC 2017


2017-01-16 11:20 GMT+02:00 Norvald H. Ryeng <norvald.ryeng at oracle.com>:
> For other projects, e.g., Firefox and MariaDB, it seems to be enough to
> publish a mapping between CVE IDs and software versions. Oracle does
> the same for MySQL, so why is it good enough for other software, but
> not for MySQL?

The point is that Oracle follows a security by obscurity policy and
does not publish what the security issues are. All the CVEs just
contain "undisclosed security vulnerability" without any details, and
the git history is also void of any details, so everybody else needs to
resort to reverse engineering to find out the issues and their fixes.

The MySQL maint team did agree on how to keep the variants packaged so
they can co-exist in Debian and Ubuntu and the team did agree on how
to implement the mysql-defaults package. To my understanding
everything is all good now, and there are no urgent issues we need to
address or resolve.

The case of MySQL 5.7 dropping backwards compatibility and sideways
compatibility was Oracle's choice made on purpose, and Ubuntu users
might hurt a bit, until we engineer a smarter /var/lib/mysql/*.flag
system than the current legacy one used since MySQL 3.x or something...
In Debian stable/testing there is no MySQL 5.7, so the downsides of
5.7 do not affect Debian that much.

- Otto
