On Thu, Jan 14, 2016 at 10:11:22PM +0100, Moritz Mühlenhoff wrote: > This is EOD from my side. This has all been discussed to death and > I won't spend further time on this. I agree that this has come up many times, but no, this has not been discussed to death. Every time it comes up, all we ever get is "*sigh*", "this has been discussed before" and similar sentiments but nobody has yet been able to point to a publicly archived discussion where you have actually raised specific addressable points. I think what you recall is probably the number of times it has been brought up, as opposed to any time when you have publicly enumerated in detail exactly what is wrong, because to my knowledge that has not happened. > [reordered] > *sigh* That as already been raised multiple times and it was all reported > to Oracle at DebConf. Information about specific security issues and > their mapping to fixes (just like raised by Otto, which explains the > need very well) need to be publicly available (we're unable and unwilling > to sign an NDA). "Information about specific security issues and their mapping to fixes...need to be publicly available" Can you expand on this please? If not, can we assume that this is all that is required, and if Oracle follow this to the letter than you and the release team will have no further reason to object on "security" grounds and so MySQL will be able to remain in testing? "Make it happen first and we'll consider it" is not acceptable. Tell us exactly what you want, in detail. If you don't then I don't think your position is reasonable. You also have not explained why this situation makes MySQL unacceptable, but MariaDB (which appears to have the same lack of CVE mappings because MySQL is at least in part its upstream, as shown in the other thread) is somehow immune. Thanks, Robie
Attachment:
signature.asc
Description: Digital signature