Re: Refreshing mysql-connector-java
Hi,
On 08/05/2020 11:39, Chris Lamb wrote:
>> The 3 recent vulnerabilities are an opportunity to refresh the package,
>> so as not to have too big of a diff should a more critical vulnerability
>> happen in the future.
>
> No objections in theory but I am finding it difficult to gauge the
> risk of introducing problems by refreshing this package without
> knowing much about it.
>
> (Do we have an idea of how big the debdiff would be for this initial
> upload?
I had published the wheezy debdiff at:
https://www.beuc.net/tmp/debian-lts/mysql-connector-java/
It's big (700kB), but it will keep growing bigger.
> Have we had issues in the past?
Maybe Markus (as last uploader) or Emmanuel (former maintainer) have
feedback on upgrading libmysql-connector-java to the latest stable
dot-release 5.1.42->5.1.49?
> Is there another metric we can use?)
The test suite is a good indicator of whether regressions occurred:
https://wiki.debian.org/LTS/TestSuites/mysql-connector-java
So far I didn't see regressions, there are still some failing tests (in
current and proposed versions) that requires some classpath fiddling,
which I'll tackle if we follow this path.
More generally, the "not updating the package" alternative also has
consequences, namely not fixing 3 opaque vulnerabilities of varying
severity, and reduced ability to fix a severe issue in the future.
The "backporting the patches" alternative seems unpractical since even
with the changelog, I'm not able to distinguish what is a bug fix and
what is vulnerability fix, neither in this upload nor in the last.
The "drop security support" alternative can be considered as well,
though given that we do have a stable branch from upstream, this sounds
a bit harsh.
The "replace with a mariadb-connector-java backport" alternative is
likely to introduce more issues, starting with having a different Java
package name.
So do we refresh mysql-connector-java in all affected suites? :)
Cheers!
Sylvain
Reply to: