[debian-mysql] Fwd: osmalchemy is marked for autoremoval from testing

Clint Byrum spamaps at debian.org
Wed Jan 25 09:33:47 UTC 2017


Excerpts from Kristian Nielsen's message of 2017-01-13 12:11:20 +0100:
> "Norvald H. Ryeng" <norvald.ryeng at oracle.com> writes:
> 
> > On Thu, 12 Jan 2017 22:38:19 +0100
> > Kristian Nielsen <knielsen at knielsen-hq.org> wrote:
> 
> >> That's ridiculous. MySQL upstream has for years been deliberately
> >> forging the git repo, removing information about security fixes. The
> 
> > That has not been brought up as a reason for kicking MySQL out of
> > stretch. The only reason given by the security team is that there is
> > no public mapping between CVE IDs and patches/commits. All other
> > requirements have been met.
> 
> Seems the same thing to me, deliberately removing security fix information
> from publicly available sources?
> 

I don't think this is productive. What matters is what exists in the
open source MySQL and how that impacts Debian, not how it got that way.

> > The security team claims this is a requirement for all software in
> > Debian. It's not hard to find other examples of software in Debian that
> > doesn't fulfill this requirement. However, MySQL is the only package
> > removed because of it.
> >
> > Other software where I can't find a public mapping between CVE IDs and
> > patches/commits include projects such as Firefox and MariaDB.
> 
> Ehm, what? Firefox was removed for years from Debian in favour of Iceweasel.
> And patches are explicitly mapped to MariaDB CVEs on a security@
> mailing list where distros get advance notice - except for those secret CVEs
> that are inherited from MySQL (and even those are reverse-engineered by
> MariaDB engineers, when possible).
> 

When possible. Sometimes it's not, which means sometimes MariaDB users
are in the same boat of just trusting MariaDB developers' word, which is
transitive with Oracle developers' word. It's great that this happens
less often for MariaDB users, but if it's not 100%, I'm not sure why they
can't both co-exist in Debian's stable release.

> Do you really not see the problem? This is how things look to someone
> following the discussion from the side: You were basically saying to
> Debian/the release team: "Hi, we noticed that a few projects are screwing
> you over. We would like to screw you over at least as badly, can you please
> advise us on how best to do that?". That really is not a good way to
> approach Open Source participation, neither in Debian nor elsewhere.
> 

How rude. You say screwing over, I say handing you a copylefted
database with extremely high quality. Would I prefer them to be more
open? Absolutely. But don't say they're screwing people over. They've
shown up, and done the hard work of maintaining a _very_ large package
in Debian. For that I think they deserve a bit more respect than they've
been given.

> If you disagree with the removal of MySQL, then what is your recommendation
> for the release and security team to better ensure availability of proper
> information about security holes and fixes?
> 

I'd love for them to keep doing what they were doing, which was
facilitating Oracle developers pushing out regular point releases to
Debian users. But they don't want to do that, and I respect that they're
the doers, and thus, they hold the power here. You see, I can be unhappy
about it, and still respect their decision. I think you could do the
same for Oracle's developers.
