[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb
Colin Guthrie
mageia at colin.guthr.ie
Fri Apr 13 17:57:26 CEST 2012
'Twas brillig, and David Walser at 13/04/12 15:31 did gyre and gimble:
> The objections to this have been quite unwarranted. It sounds like some people
> want to institute a new policy that MySQL security bugs won't be fixed.
> Upgrading to newer versions of things isn't ideal, but sometimes it's what has
> to be done, because there's no other way, and we already do it sometimes in
> other cases. There's no reason this should be any more controversial.
The proposal here was not just to ship a new version, but to ship a
totally different fork -> mysql -> mariadb (it's even in the subject!).
This is why there have been objections. It's not (primarily at least) to
do with shipping a newer version.
> For us, upgrading to MariaDB instead of MySQL 5.5.22 isn't any different than
> what those other distros have done. MariaDB is as much a newer version of what
> we have now as MySQL 5.5.22 is. They are both derived from the same code base.
> Furthermore, the other distros have been able to upgrade it apparently without
> even having to rebuild anything else, so the potential for damage seems to not
> be so great after all.
I disagree. It's a totally different package. There are also bugs
relating to how a service package is enabled/disabled on upgrade which
might lead to people having the service enabled when they have
previously specifically disabled it.
Should we then patch and upgrade rpm-helper too to deal with this issue?
We've not even addressed it in Cauldron yet, but then I think it may be
something that users could live with in a distro upgrade, but they
certainly would not expect it from a security update.
This idea just seems wrong for a stable update. Would we have shipped LO
rather than OOo as an update? I don't think so. Would we have shipped
Xorg rather than the old X as an update? I don't think so either. Why
make a special exception for MariaDB?
I would far rather ship a newer MySQL package than (to use a cliche)
change horses in midstream[1].
Col
1. http://www.phrases.org.uk/meanings/115400.html
--
Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/
Day Job:
Tribalogic Limited http://www.tribalogic.net/
Open Source:
Mageia Contributor http://www.mageia.org/
PulseAudio Hacker http://www.pulseaudio.org/
Trac Hacker http://trac.edgewall.org/