
Re: Refreshing mysql-connector-java



Hi Security Team,

What is your view on updating mysql-connector-java 5.1.42->5.1.49 for
Stretch?

Would you need a complete debdiff specifically for Stretch to make a
decision, or do you already have feedback on this proposal?

Cheers!
Sylvain

On 11/05/2020 13:51, Sylvain Beucler wrote:
> On 08/05/2020 11:39, Chris Lamb wrote:
>>> The 3 recent vulnerabilities are an opportunity to refresh the package,
>>> so as not to have too big of a diff should a more critical vulnerability
>>> happen in the future.
>>
>> No objections in theory but I am finding it difficult to gauge the
>> risk of introducing problems by refreshing this package without
>> knowing much about it.
>>
>> (Do we have an idea of how big the debdiff would be for this initial
>> upload?
> 
> I had published the wheezy debdiff at:
> https://www.beuc.net/tmp/debian-lts/mysql-connector-java/
> 
> It's big (700kB), but it will keep growing bigger.
> 
>> Have we had issues in the past?
> 
> Maybe Markus (as last uploader) or Emmanuel (former maintainer) have
> feedback on upgrading libmysql-connector-java to the latest stable
> dot-release 5.1.42->5.1.49?
> 
>> Is there another metric we can use?)
> 
> The test suite is a good indicator of whether regressions occurred:
> https://wiki.debian.org/LTS/TestSuites/mysql-connector-java
> 
> So far I didn't see regressions, there are still some failing tests (in
> current and proposed versions) that require some classpath fiddling,
> which I'll tackle if we follow this path.
> 
> 
> More generally, the "not updating the package" alternative also has
> consequences, namely not fixing 3 opaque vulnerabilities of varying
> severity, and reduced ability to fix a severe issue in the future.
> 
> The "backporting the patches" alternative seems impractical since even
> with the changelog, I'm not able to distinguish what is a bug fix and
> what is a vulnerability fix, neither in this upload nor in the last.
> 
> The "drop security support" alternative can be considered as well,
> though given that we do have a stable branch from upstream, this sounds
> a bit harsh.
> 
> The "replace with a mariadb-connector-java backport" alternative is
> likely to introduce more issues, starting with having a different Java
> package name.
> 
> 
> So do we refresh mysql-connector-java in all affected suites? :)

On 11/05/2020 18:42, Emmanuel Bourg wrote:
> On 11/05/2020 at 13:51, Sylvain Beucler wrote:
>> Maybe Markus (as last uploader) or Emmanuel (former maintainer) have
>> feedback on upgrading libmysql-connector-java to the latest stable
>> dot-release 5.1.42->5.1.49?
>
> The MySQL connector is rather stable and upgrading it is usually a safe
> operation, because applications are coded for the JDBC API (provided by
> the JDK) and don't use internal classes from the connector. In 15 years
> I've personally never seen any regression with my applications after
> upgrading the MySQL connector.
>
> Emmanuel Bourg
