
Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]



On Fri, 18 Dec 2015 22:31:05 +0100, Robie Basak <robie.basak@ubuntu.com> wrote:

> Here are the enumerated concerns of the release team for MySQL in
> Debian given to us in yesterday's meeting:

I'll address each concern separately. Since I'm both on the Debian
MySQL team and an upstream developer, and these four concerns are a
mix of upstream and packaging team issues, I'll try to be explicit
about which viewpoint I represent: upstream or member of the Debian
MySQL team. Please ask me if it's unclear.

> 20:12:37 <pochu> 1- mysql isn't maintained in jessie

This is not really an upstream problem, but I can respond on behalf of
the Debian MySQL team:

MySQL is maintained in jessie. What makes you think it's not?

MySQL in jessie was upgraded to 5.5.46 after the last Critical Patch
Update from upstream. There have been no CVE announcements since
then, and hence no upgrades.

At the release team meeting on September 23, the release team asked
the Debian MySQL team to do more to prepare security updates. There
has been only one CVE announcement since then. The MySQL team did
prepare that upgrade, but the security team NMUed before the MySQL
team finished [1].

Upstream would be very happy if every point release could go into
jessie immediately, without waiting for a CVE announcement, if Debian
would allow it.

> 20:12:56 <pochu> 2- no disclosure of security issues w/ patches

This has been mentioned a few times, but nobody has been able to
explain what's missing. A member of the release team, jmw, was tasked
with this in the release team meeting on September 23, but the Debian
MySQL team hasn't heard anything since then. I also requested more
details in this thread on December 23.

It's not possible for upstream to respond when nobody will tell
upstream what the problem is.

> 20:13:13 <pochu> 3- we have two forks of the same codebase

That's not something upstream can do anything about. And if having
forks is a problem, why wasn't that issue raised when MariaDB was
accepted into Debian?

Debian carries other forks, e.g.:

 - GNU Emacs and XEmacs
 - djbdns and dbndns
 - FreeMind and Freeplane
 - Nagios and Icinga

I don't see any reason why MySQL and MariaDB should be any different
from other software.

> 20:13:39 <pochu> 4- point releases can contain anything

I assume the complaint is that point releases contain more than
security bugfixes. That is correct, but the point releases don't
contain very much. What upstream includes in each release depends on
many factors: user demand for a particular bugfix, risk of regression,
impact, etc. One of the most important factors we consider is how it
will affect Linux distros.

Upstream is more than happy to engage in discussions about which
changes are acceptable and not in point releases.

MySQL point releases are released roughly every two months. By looking
at the commit history (https://github.com/mysql/mysql-server), we can
find the number of commits in each point release of MySQL 5.5 [2]:

5.5.47: 31 commits
5.5.46: 46 commits
5.5.45: 24 commits
5.5.44: 51 commits
5.5.43: 20 commits
5.5.42: 23 commits
5.5.41: 36 commits
5.5.40: 34 commits
5.5.39: 55 commits
5.5.38: 28 commits
5.5.37: 41 commits

Compare that to e.g. Postgres:

9.4.5: 181 commits
9.4.4: 10 commits
9.4.3: 15 commits
9.4.2: 123 commits
9.4.1: 103 commits

and MariaDB:

10.0.23: 170 commits
10.0.22: 162 commits
10.0.21: 117 commits
10.0.20: 212 commits
10.0.19: 10 commits
10.0.18: 6407 commits
10.0.17: 73947 commits
10.0.16: 227 commits
10.0.15: 371 commits
10.0.14: 432 commits
10.0.13: 314 commits
10.0.12: 119 commits
10.0.11: 77682 commits
10.0.10: first stable release of 10.0

So Postgres and MariaDB include at least as much as MySQL in each
point release, but I haven't seen any complaints about MariaDB and
Postgres including too much in their point releases.

Both MariaDB and Postgres packages are upgraded to the latest point
release instead of cherry-picking security bugfixes, without
complaints from the security or release team.

Regards,

Norvald H. Ryeng

[1] Thread starting at http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/2015-October/008296.html
[2] git log --oneline tag1..tag2 | wc -l
