I'll try to make this my last intervention in this thread. Because it's not my decision, or area of responsibility, and I likely won't be one of the people having to do the work when a decision is made, but...

Clint Byrum wrote:
> most of these CVEs would remain fully undisclosed and unfixed in both
> MySQL and MariaDB if the MySQL engineering team or customers had not
> found them.

Sorry, this is not compelling. As long as Oracle sells MySQL to enterprise, it *must* do these things, and release source code to satisfy legal obligations of what is a GPL codebase. It is really only doing the bare minimum in that regard.

It was also a condition of Oracle's acquisition of MySQL AB: "As part of the negotiations with the European Commission, Oracle committed that MySQL server will continue until at least 2015 to use the dual-licensing strategy long used by MySQL AB, with proprietary and GPL versions available" according to https://en.wikipedia.org/wiki/MySQL#Legal_disputes_and_acquisitions

Oracle may still drop MySQL support like a hat due to market conditions, regardless of whether Debian has already shipped it by then. And apart from sponsoring Debian packaging work, Oracle seems conspicuously missing from:

http://debconf16.debconf.org/sponsors.html
http://debconf15.debconf.org/
https://www.debian.org/mirror/sponsors
https://www.freexian.com/en/services/debian-lts.html

Clint Byrum wrote:
> [...] if it were written down somewhere as an actual policy. [...]

Norvald H. Ryeng wrote:
> Tell us exactly what you want, in detail. If you don't then I don't
> think your position is reasonable.

Robie Basak wrote:
> So please: the security team needs to engage directly with Oracle by
> responding to Norvald's email and enumerating exactly what is wrong.

I don't see that Debian has to do that, at all. Other upstream projects seem to 'just get it', so Oracle management is really expecting special treatment.

IMHO I respond to bad dealings with a company by shopping elsewhere, not helping them improve their business practices.

This is perhaps more significant than a mere decision over what goes into the next release. I see a really fantastic, rare opportunity for Debian to take a moral stand against Oracle for shameful mistreatment of free software to date. rock on \m/

Niels Thykier wrote:
> I appreciate that the release team failed on an action item several
> months back and have not been very proactive in the communication.
> And I am sorry that it has (and probably will) inconvenience you and
> MySQL upstream.

I do have personal sympathy for Debian contributors who became entwined, by their career choices, with the business preferences of Oracle and Canonical. And the team of MySQL developers who must work under Oracle's non-disclosure policies. But I don't think it should get in the way of doing whatever seems right for Debian's users and by its own principles.

Thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org