
Re: [debian-mysql] [Summary] Request for release team decision on MySQL and MariaDB



Hi,

On Tuesday, 26 January 2016, Clint Byrum wrote:
> However, I have confidence that our friends in the MySQL engineering
> team can frame the loss of the last foothold for MySQL in Linux distros
> as a direct path toward _less_ money for Oracle.

why do you think so? I mean, doesn't less MySQL mean more OracleDB, thus
*more* money for Oracle? ;)

(I'm not saying that's the case either, I was merely explaining why I'm
surprised about your confidence.)

> So if we can just be
> patient with them, and actually facilitate their participation in this
> grand community of Debian, it's possible that a compromise can be found.

Oracle bought Sun in 2010, so personally I don't see how we should be more
patient, especially because… the following ain't anything new nor special…
 
> Meanwhile, I'd like to challenge someone to point to the exact requirement
> from any official source affiliated with Debian as to what constitutes
> an acceptable level of disclosure for a package to remain in the archive.

sigh.

go to https://security-tracker.debian.org/tracker/source-package/mysql-5.5 and
count occurrences of the string "Unspecified vulnerability", if you do this
with iceweasel it will not even tell you the exact number of matches, just
"over 100".

Now go to https://security-tracker.debian.org/tracker/source-package/mysql-5.6
and do the same. The count is at 66 here, but the counter only started in 2015.

So, once again: the exact requirement to be considered is: publish specific 
information about specific vulnerabilities. Provide meaningful patches for 
each specific issue.

Don't release updates with 23 or 42 fixes bundled together with basically no
explanations whatsoever.

And/but this is nothing new and it's very very tiring having to explain this,
again and again and still in 2016. It's not like we haven't discussed this in
2014, 2013, 2012 and probably also 2011 and 2010.


cheers,
	Holger
