
Re: [debian-mysql] [Summary] Request for release team decision on MySQL and MariaDB



Excerpts from Holger Levsen's message of 2016-01-26 02:45:32 -0800:
> Hi,
> 
> On Dienstag, 26. Januar 2016, Clint Byrum wrote:
> > However, I have confidence that our friends in the MySQL engineering
> > team can frame the loss of the last foothold for MySQL in Linux distros
> > as a direct path toward _less_ money for Oracle.
> 
> why do you think so? I mean, doesn't less MySQL mean more OracleDB, thus
> *more* money for Oracle? ;)
> 
> (I'm not saying that's the case either, I was merely explaining why I'm
> surprised about your confidence.)
> 

I'm not so confident it will be _enough_ money to change the security
policy. However, I am confident that a decision has already been made
to support Debian and Ubuntu continuing to ship MySQL. There is direct
evidence of it in the form of Oracle engineers directly contributing to
the packaging effort.

I won't speculate too much on why they believe this, but I imagine one
reason is simple: If Ubuntu and Debian don't have them, it will make
them harder to find, and might push people to select PostgreSQL, or
"anything else that isn't in the distro" when making choices.

> > So if we can just be
> > patient with them, and actually facilitate their participation in this
> > grand community of Debian, it's possible that a compromise can be found.
> 
> Oracle bought Sun in 2010, so personally I don't see how we should be more
> patient, especially because… the following ain't anything new nor special…
>  

Have you ever seen how slowly things change in large corporations?

I know it's hard to believe this, but even _Debian_ moves slowly
sometimes.

https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2012-February/013196.html

That is the first time we talked about removing MySQL for these problems.
Oracle responded directly and has remained engaged since then. That they
haven't changed everything is largely a function of us not being
extremely focused in what we're asking for.

> > Meanwhile, I'd like to challenge someone to point to the exact requirement
> > from any official source affiliated with Debian as to what constitutes
> > an acceptable level of disclosure for a package to remain in the archive.
> 
> sigh.
> 
> go to https://security-tracker.debian.org/tracker/source-package/mysql-5.5 and
> count occurrences of the string "Unspecified vulnerability", if you do this
> with iceweasel it will not even tell you the exact number of matches, just
> "over 100".
> 
> Now go to https://security-tracker.debian.org/tracker/source-package/mysql-5.6 
> and do the same. The count is at 66 here, but the counter only started 2015.
> 
> So, once again: the exact requirement to be considered is: publish specific 
> information about specific vulnerabilities. Provide meaningful patches for 
> each specific issue.
> 
> Don't release updates with 23 or 42 fixes bundled together with basically no
> explanations whatsoever.
> 
> And/but this is nothing new and it's very very tiring having to explain this,
> again and again and still in 2016. It's not like we haven't discussed this in
> 2014, 2013, 2012 and probably also 2011 and 2010.
> 

Holger, I very much value your opinions, and I _hope_ for the same things
from any open source software project. However, you wouldn't have to
explain it if it were written down somewhere as an actual policy. If it
is, please point us to that, so we can point Oracle to it, and provide
them with an ultimatum.
