[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb

AL13N alien at rmail.be
Fri Apr 13 13:12:08 CEST 2012


> On 13/04/2012 12:45, Colin Guthrie wrote:
>> 'Twas brillig, and Maarten Vanraes at 13/04/12 07:28 did gyre and
>> gimble:
>>> after talking with mariadb people and some others, i'm proposing to
>>> update
>>> mysql 5.5.10 to mariadb-5.5.23 in mga1.
>>
>> I would be pretty strongly against this.
>>
>> I think it's fine we're using mariadb in mga2, but I really don't fancy
>> making this switch on a stable distro.
>>
>> It just seems like a really, really bad idea. Not necessarily
>> technically, but in pretty much all other aspects - you have to consider
>> how this would be viewed as well - changing something like this for a
>> stable distro puts a big question mark over future stability and updates
>> etc. too.
> Same for me.
>
> Basically, you're proposing to break the assumption that current policy
> ensures end users that a package update from the 'updates' repository for
> package 'foo' is just a bugfix for the 'foo' package. You may have perfectly
> valid technical reasons, but you're *silently* changing the rule upon
> which people may have established their own policies, which is a very,
> very bad idea.

tbh, iinm the rule is that we like to provide only bugfix/security fix
patches, but there are exceptions, when that isn't possible, to update to
the full versions fixing the issue.


Well, initially I was against this, but the options to actually fix this
security bug are quite limited:

1. find all the responsible patches and add them manually
==> this is my preferred option, but it seems not doable, and apparently
no-one steps in and mysql isn't maintained (officially)

2. do like other distros and update to the higher mysql 5.5.22, which fixes
this issue
==> this is totally not preferred for me:
  A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge
QA load
  B) this also means that the mga1 -> mga2 upgrade will have to be
extensively retested

3. go to the cauldron version that fixes these issues, which is mariadb-5.5.23
==> this is less preferred for me:
  A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge
QA load
  B) however the mga1 -> mga2 upgrade has been tested already, so the
chance of serious issues arising from this is a lot less than normally.
  C) since mariadb-5.5.23 is based on mysql-5.5.23, the changes are much
smaller than they would normally be.

4. don't fix this security issue
==> this is also less preferred for me, for obvious reasons.

5. someone has a better idea?


Considering the response I got, I'll now default to letting someone else
handle it, which might mean it never gets fixed. That would also mean for
me that mageia1 would be a bad version to get LTS on.


I'm open to suggestions...


PS: some people might think it's just a stupid political reason, but
it's not. My reasons are detailed above.

