From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2012-April/014231.html | 162 ++++++++++++++++++++++++++++++ 1 file changed, 162 insertions(+) create mode 100644 zarb-ml/mageia-dev/2012-April/014231.html (limited to 'zarb-ml/mageia-dev/2012-April/014231.html') diff --git a/zarb-ml/mageia-dev/2012-April/014231.html b/zarb-ml/mageia-dev/2012-April/014231.html new file mode 100644 index 000000000..8b228c7ff --- /dev/null +++ b/zarb-ml/mageia-dev/2012-April/014231.html @@ -0,0 +1,162 @@ + + + + [Mageia-dev] mysql CVE's in mga1 => have it update to mariadb + + + + + + + + + +

[Mageia-dev] mysql CVE's in mga1 => have it update to mariadb

+ AL13N + alien at rmail.be +
+ Fri Apr 13 13:12:08 CEST 2012 +

+
+ +
> Le 13/04/2012 12:45, Colin Guthrie a écrit :
+>> 'Twas brillig, and Maarten Vanraes at 13/04/12 07:28 did gyre and
+>> gimble:
+>>> after talking with mariadb people and some others, i'm proposing to
+>>> update
+>>> mysql 5.5.10 to mariadb-5.5.23 in mga1.
+>>
+>> I would be pretty strongly against this.
+>>
+>> I think it's fine we're using mariadb in mga2, but I really don't fancy
+>> making this switch on a stable distro.
+>>
+>> It just seems like a really, really bad idea. Not necessarily
+>> technically, but in pretty much all other aspects - you have to consider
+>> how this would be viewed as well - changing something like this for a
+>> stable distro puts a big question mark over future stability and updates
+>> etc. too.
+> Same for me.
+>
+> Basically, you're proposing to break the assumption than current policy
+> ensures end user than a package update from 'updates' repository for
+> package 'foo' is just a bugfix for 'foo' package. You may have perfectly
+> valid technical reasons, but you're *silently* changing the rule upon
+> which people may have established their own policies, which is a very,
+> very bad idea.
+
+tbh, iinm the rule is that we like to provide only bugfix/security fix
+patches, but there are exceptions when that isn't possible to update to
+the full versions fixing this issue.
+
+
+Well, initially i was against this, but the options to actually fix this
+security bug are quite limited:
+
+1. find all the responsible patches and add them manually
+==> this is my preferred option, but seems not doable, and apparently
+no-one steps in and mysql isn't maintained (officially)
+
+2. do like other distros and fix to higher mysql 5.5.22 which fixes this
+issue
+==> this is totally not preferred for me;
+  A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge
+QA load
+  B) this also means that the mga1 -> mga2 upgrade will have to be
+extensively retested
+
+3. go to the cauldron version that fixes these issues which is mariadb-5.5.23
+==> this is less preferred for me:
+  A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge
+QA load
+  B) however the mga1 -> mga2 upgrade has been tested already, so the
+chance of serious issues arising for this is alot less than normallY.
+  C) since mariadb-5.5.23 is based on mysql-5.5.23, the changes are quite
+less than would normally be.
+
+4. don't fix this security issue
+==> this is also less preferred for me, for obvious reasons.
+
+5. someone has a better idea?
+
+
+considering the response i got, now i'll default to letting someone else
+handle it, which might mean it never gets fixed. that would also mean for
+me that mageia1 would be a bad version to get LTS on.
+
+
+I'm open to suggestions...
+
+
+PS: as some people might think it's just a stupid political reason, but
+it's not. my reasons are detailed above.
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1