On Mon, Jan 11, 2016 at 08:13:56PM +0100, Salvatore Bonaccorso wrote:
> > MySQL is maintained in jessie. What makes you think it's not?
>
> My gut feeling is that this is not true, I'm sorry. All recent updates
> were prepared by the security team itself due to this. And most of
> the recent updates were not fixed in unstable either. Instead, the
> jessie-security version migrated up to stretch after the point
> release. I know though there was a migration planned from mysql-5.5 to
> mysql-5.6. This is at least my subjective impression of what happened.
>
> Cf. e.g. who-uploads -M 25 --date mysql-5.5

I think Norvald's point is fair though. We have had one opportunity since
"maintenance of jessie" was called out, and we did try to engage at that
time by preparing the required update.

> > MySQL in jessie was upgraded to 5.5.46 after the last Critical Patch
> > Update from upstream. There have been no CVE announcements since
> > then, and hence no upgrades.
> >
> > At the release team meeting on September 23, the release team asked
> > the Debian MySQL team to do more to prepare security updates. There
> > has been only one CVE announcement since then. The MySQL team did
> > prepare that upgrade, but the security team NMUed before the MySQL
> > team finished [1].
>
> 5.5.46 was again updated by me via security.d.o. I filed bug #802564.
> But apparently the discussion happened on the pkg-mysql-maint list
> without CC to the bug, so I missed that there were people working on it
> and I did it again on behalf of the security team.

It seems that the bug should have continued to be copied in, and that can
easily be fixed next time. But why have you excluded "All work has already
been done on git", which *was* copied in to the bug? If you missed this
then that's fair enough, but please do not use it to claim that we haven't
been helping in the one opportunity we've had since you asked.

> So there will be a new Oracle CPU soon. Will an update be prepared and
> the security team contacted for the coordination -- possibly even in
> advance (debdiffs, upload > ack, ... cf.
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#s5.6.4
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
> ) so that we can release an update in a timely fashion if all goes fine?

I had a discussion with Oracle engineers on this point last Friday (the
8th). They brought up the matter themselves. They are keen to help us get
this right, so I advised that they (wearing their Debian hats) both
prepare the packaging now and file the bug as soon as any announcement is
made. I can vouch that this conversation happened and I hope that it
demonstrates their intent.

Robie