Re: Refreshing mysql-connector-java

To: debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Refreshing mysql-connector-java
From: Sylvain Beucler <beuc@beuc.net>
Date: Tue, 9 Jun 2020 11:56:05 +0200
Message-id: <[🔎] 12792264-942e-711a-d9a1-045496c19e65@beuc.net>
In-reply-to: <[🔎] 20200607084852.GA1947601@eldamar.local>
References: <a7c8207c-16ad-e327-d7a5-863864bfb5ef@beuc.net> <2aabc7e9-bbf7-48ec-9f4f-9678d6a718a7@www.fastmail.com> <41ce7538-97fe-6cd2-acee-bc812df48e63@beuc.net> <ce985c59-822e-7f65-9ef4-eedaa7085db2@beuc.net> <20200525174756.GA10198@pisco.westfalen.local> <[🔎] 20200604184132.GC1454453@eldamar.local> <[🔎] ae72d913-fbcf-9784-c1d8-b13dc130bfa3@beuc.net> <[🔎] 20200607084852.GA1947601@eldamar.local>

Hi,

On 07/06/2020 10:48, Salvatore Bonaccorso wrote:
> On Fri, Jun 05, 2020 at 09:23:12AM +0200, Sylvain Beucler wrote:
> [...]
>> Hi Salvatore,
>>
>> On 04/06/2020 20:41, Salvatore Bonaccorso wrote:
>>> On Mon, May 25, 2020 at 07:47:56PM +0200, Moritz Mühlenhoff wrote:
>>>> On Mon, May 25, 2020 at 10:22:50AM +0200, Sylvain Beucler wrote:
>>>>> Hi Security Team,
>>>>>
>>>>> What is your view on updating mysql-connector-java 5.1.42->5.1.49 for
>>>>> Stretch?
>>>>
>>>> We can update to 5.1.49, yes. We've had to update it to new 5.1.x
>>>> releases in the past and I don't remember any issues. The fact
>>>> that there's zero information totally sucks, but there's nothing
>>>> we can do either (apart from removing it as we did a year ago).
>>>>
>>>> Looking at the debdiff from https://www.beuc.net/tmp/debian-lts/mysql-connector-java/
>>>> the remaining change would be to change the version number to
>>>> 5.1.49-1~deb9u1 and the targets distro to stretch-security.
>>>
>>> I'm a bit late to the party, but just want to give my 2 cents on the
>>> versioning scheme. Agreed here to not use the really-something
>>> variant. usually I think this is usefull when you have rebased
>>> soemthing to a *higher* version, but need to rollback. Example:
>>>
>>> graphicsmagick/1.4+really1.3.35+hg16296-1
>>>
>>> or
>>>
>>> lxc/1:3.1.0+really3.0.4-3
>>>
>>> (other examples exists)
>>
>> OK. I had used +really for the ELTS package to test what I should do in
>> the event that there would be objections or major delays in bumping to
>> 5.1.49 in other suites, like e.g.:
>> https://security-tracker.debian.org/tracker/source-package/tomcat7
>> 7.0.56-3+really7.0.100-1+deb8u1 < 7.0.75-1
> 
> You are right, this indeed can be a use case as well for the +really
> syntax (this case did not come to my mind). Though I think this should
> only be done (within Debian for the respective ssupported security
> wise suites) if the later suite version contains all the fixes (and
> not so introducing a regression).

In that regard, let's note that tomcat7 is a tricky example, because the
version in stretch is trimmed-down and only provides libservlet, hence
does not need to have the same level of fixes.

Cheers!
Sylvain

Reply to:

References:
- Re: Refreshing mysql-connector-java
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: Refreshing mysql-connector-java
  - From: Sylvain Beucler <beuc@beuc.net>
- Re: Refreshing mysql-connector-java
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: unbound not supported
Next by Date: Re: Refreshing mysql-connector-java
Previous by thread: Re: Refreshing mysql-connector-java
Next by thread: Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content
Index(es):
- Date
- Thread