[debian-mysql] Bug#971005: mariadb-10.5: unregistered vendor copy of readline
Helmut Grohne
helmut at subdivi.de
Sat Sep 26 07:26:29 BST 2020
Source: mariadb-10.5
Version: 1:10.3.24-2
Severity: important
Hi Otto,
I'm a bit disappointed. You told me that mariadb would stop using
libreadline-gplv2-dev in >= 10.4. While that's technically correct, it's
not the whole truth. In 10.5, mariadb has a vendor copy of it. Instead
of actually moving to a recent version, mariadb just added an embedded
code copy. The Debian policy discourages such copies. I don't think it
makes sense to reiterate the reasons.
Please figure out whether you can unembed readline. This may be
difficult to do and you may come to the conclusion that doing so is
infeasible. In that case, please register your copy with the security
tracker to enable the security team supporting mariadb. Refer to
https://wiki.debian.org/EmbeddedCopies for details.
Helmut
More information about the pkg-mysql-maint
mailing list