[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb

Colin Guthrie mageia at colin.guthr.ie
Fri Apr 13 17:57:26 CEST 2012


'Twas brillig, and David Walser at 13/04/12 15:31 did gyre and gimble:
> The objections to this have been quite unwarranted.  It sounds like some people
> want to institute a new policy that MySQL security bugs won't be fixed.
> Upgrading to newer versions of things isn't ideal, but sometimes it's what has
> to be done, because there's no other way, and we already do it sometimes in
> other cases.  There's no reason this should be any more controversial.

The proposal here was not just to ship a new version, but to ship a
totally different fork -> mysql -> mariadb (it's even in the subject!).

This is why there have been objections. It's not (primarily at least) to
do with shipping a newer version.

> For us, upgrading to MariaDB instead of MySQL 5.5.22 isn't any different than
> what those other distros have done.  MariaDB is as much a newer version of what
> we have now as MySQL 5.5.22 is.  They are both derived from the same code base.
> Furthermore, the other distros have been able to upgrade it apparently without
> even having to rebuild anything else, so the potential for damage seems to not
> be so great after all.

I disagree. It's a totally different package. There are also bugs
relating to how a service package is enabled/disabled on upgrade which
might lead to people having the service enabled when they have
previously specifically disabled it.

Should we then patch and upgrade rpm-helper too to deal with this issue?
We've not even addressed it in Cauldron yet, but then I think it may be
something that users could live with in a distro upgrade, but they
certainly would not expect it from a security update.


This idea just seems wrong for a stable update. Would we have shipped LO
rather than OOo as an update? I don't think so. Would we have shipped
Xorg rather than the old X as an update? I don't think so either. Why
make a special exception for MariaDB?

I would far rather ship a newer MySQL package than (to use a cliche)
change horses in midstream [1].

Col

1. http://www.phrases.org.uk/meanings/115400.html


-- 

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
