On Mon, Jan 11, 2016 at 07:27:30PM +0100, Moritz Mühlenhoff wrote:
> *Sigh*. And that is exactly the problem (and we've already pointed this
> out at DebConf half a year ago)
>
> We should really go ahead and move forward, the freeze isn't terribly far away.

I don't think it's reasonable to use a security question raised by MariaDB as an excuse to kick out MySQL. Because whether you do so or not, your situation with getting information about CVEs in relation to MariaDB will not change.

Let's treat the situation with each on their own merits and be constructive about this.

If you have a problem with Oracle's disclosure of security vulnerabilities then please frame that in terms of the MySQL packaging. That *is* something that might be able to be addressed directly by Oracle, and if it does get addressed then MariaDB's situation could improve too, and Debian wins.

So please: the security team needs to engage directly with Oracle by responding to Norvald's email and enumerating exactly what is wrong. Otherwise nobody can reasonably claim about what Oracle is not doing in relation to security, because the security team refuses to say what the problem is.