Hi Niels,

Thank you for your considered response.

On Tue, Jan 26, 2016 at 11:50:08PM +0000, Niels Thykier wrote:
> I do not feel the listed options accurately reflect the issues /
> concerns in play. As *I see it*, these are the options:
>
> 1) Default to MySQL with MariaDB also available /!\
>
> 2) Default to MariaDB with MySQL also available
>
> 3) Only MySQL available, MariaDB removed from testing /!\
>
> 4) Only MariaDB available, MySQL removed from testing.
>
> 5) Further discussion / delayed decision

I'm fine with a decision that chooses from one of these instead.

One question though. What does "default" mean? Right now there is no
default. If you ask for mysql-server you get that, and likewise for
mariadb-server. Maintainers of dependent packages choose which one they
prefer (something like Depends: mysql-server-5.6 | virtual-mysql-server).
So if the release team were to decide to change the "default", what would
that mean technically, and what requirements would be placed on dependent
package maintainers?

> The options marked with /!\ are de facto *no-go* for me if/given the
> security team is unwilling to provide security support for MySQL[2].

I agree, but I'm focusing on the "if/given" part of your statement here.
I appreciate that you pointed it out explicitly. I see a couple of issues
here:

1) I was pleased to hear from the Debian security team that we may be
able to make some progress on the security disclosure issue soon. If this
happens and the matter gets resolved, then presumably your /!\ options
will no longer be a no-go?

2) My understanding of the situation, given Otto's recent enquiries about
CVEs, is that the underlying problem will not go away for Debian if MySQL
is removed from testing, since MariaDB will still be affected. So the
security team would presumably have to publish the same caveat for
MariaDB in the release notes. Therefore by your logic MariaDB would have
to be *no-go* as well.

Clearly we can't drop both, so I think we will better serve Debian by
taking the opportunity we have to resolve the situation by getting Oracle
to give Debian what it needs, for the sake of both MySQL and MariaDB.

So I ask that you stick with the status quo for now. If however the
security disclosure is not resolved after giving Oracle a reasonable
opportunity, then I will have no reason to object further.

> * This is a transition I want early rather than rushed earlier.
>   - It can trivially end up taking 6 months of calendar time before it
>     is complete. This is uncomfortably close to the transition
>     deadline

I fully appreciate the difficulty in timing we have here. From the dates
in my summary I hope you can understand why I feel that this matter has
been blocked on you, and not the maintainers, for quite a few months now.
So it doesn't seem right that MySQL gets dropped or disadvantaged because
of this.

Thanks,

Robie