Re: Future of MariaDB in stretch-lts (was: Re: CVE-2020-15180: MariaDB)

To: Holger Levsen <holger@layer-acht.org>
Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, Debian LTS <debian-lts@lists.debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Emilio Pozuelo Monfort <pochu@debian.org>, Faustin Lammler <faustin@mariadb.org>
Subject: Re: Future of MariaDB in stretch-lts (was: Re: CVE-2020-15180: MariaDB)
From: Otto Kekäläinen <otto@debian.org>
Date: Thu, 5 Nov 2020 14:34:04 +0200
Message-id: <[🔎] CAHj_TLD+HZ-wxvwJf0LvhK4Hk2hENoO_k1dwqOy9294HfT6pXA@mail.gmail.com>
In-reply-to: <[🔎] 20201103190233.GA18822@layer-acht.org>
References: <CAHj_TLAgUB_a9C4+8ipcssvVAbg75SK1MAx8PsKfMg5RGLPzBg@mail.gmail.com> <CAHj_TLCurUjWBT=uQ5QdmGiFVPoUMn0Z3iPTd2N-kf=ixvJtcg@mail.gmail.com> <[🔎] 0f6e35e8461ac4b7775279669906c2d56dc671a1.camel@adam-barratt.org.uk> <[🔎] CAHj_TLDBpgJMq57qD5kOGsBcKppTSk8HKHtJ5md2iqZjYyDjxA@mail.gmail.com> <[🔎] 20201103190233.GA18822@layer-acht.org>

On Tue, 3 Nov 2020 at 21:02, Holger Levsen <holger@layer-acht.org> wrote:
..
> > What options do we have anyway? Does the LTS team think they should be
> > responsible for providing security updates beyond what upstreams do?
>
> yes, that's what we often do.

Not even MariaDB devs always manage to correctly take patches from
MySQL X and apply them on MariaDB Y, so I think hand-picking the
security fixes from a newer upstream and applying them on MariaDB 10.1
is probably too hard to do well in practice.

> > Or are you thinking about providing backports?
>
> or we do this ;)

This could be a feasible solution, but needs work.

> > During the 10.5 packaging cycle I have tested building backports for
> > every commit (see e.g.
> > https://salsa.debian.org/mariadb-team/mariadb-10.5/-/pipelines/191851).
> > The galera-4 dependency is already available in
> > stretch-backports-sloppy. If you are interested in backports, that
> > could be a viable option.
>
> how compatible are 10.1 and 10.5?

There is no simple answer. MariaDB in general is pretty well backwards
compatible, but the jump from 10.1 to 10.5 is several years of
progress.

As part of the pipeline that builds MariaDB 10.5 for stretch-backports
there is also a job that automatically upgrades from Stretch MariaDB
10.1 to Sid MariaDB 10.5 and that works well. We are however missing a
Stretch 10.1 -> Stretch-backports 10.5 test job. I'll do one now to
get that tested. Thus I started testing in
https://salsa.debian.org/mariadb-team/mariadb-10.5/-/jobs/1137667

This thing would need a lot of careful planning and testing.
Unfortunately I don't have bandwidth for that right now, I've already
spent way too much time with 10.5 packaging in Sid (and yet have not
managed to get it into Testing due to https://bugs.debian.org/972564)
and there were also a lot of work with 5.5-10.5 security updates last
month, and have now a new 10.5.7 release is up next - all on top of my
actual day job - so I can't promise any relevant progress right now,
sorry.

Reply to:

References:
- Future of MariaDB in stretch-lts (was: Re: CVE-2020-15180: MariaDB)
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: Future of MariaDB in stretch-lts (was: Re: CVE-2020-15180: MariaDB)
  - From: Otto Kekäläinen <otto@debian.org>
- Re: Future of MariaDB in stretch-lts (was: Re: CVE-2020-15180: MariaDB)
  - From: Holger Levsen <holger@layer-acht.org>

Prev by Date: Re: Future of MariaDB in stretch-lts (was: Re: CVE-2020-15180: MariaDB)
Next by Date: Time to remove cacti from dla-needed?
Previous by thread: Re: Future of MariaDB in stretch-lts (was: Re: CVE-2020-15180: MariaDB)
Next by thread: LTS report for October 2020 - Abhijith PA
Index(es):
- Date
- Thread