<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] mysql CVE's in mga1 =&gt; have it update to mariadb
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20mysql%20CVE%27s%20in%20mga1%20%3D%3E%20have%20it%20update%20to%20mariadb&In-Reply-To=%3C9b03516f4a3e8f10c70c36622124f321.squirrel%40mail.rmail.be%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="014228.html">
   <LINK REL="Next"  HREF="014233.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] mysql CVE's in mga1 =&gt; have it update to mariadb</H1>
    <B>AL13N</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20mysql%20CVE%27s%20in%20mga1%20%3D%3E%20have%20it%20update%20to%20mariadb&In-Reply-To=%3C9b03516f4a3e8f10c70c36622124f321.squirrel%40mail.rmail.be%3E"
       TITLE="[Mageia-dev] mysql CVE's in mga1 =&gt; have it update to mariadb">alien at rmail.be
       </A><BR>
    <I>Fri Apr 13 13:12:08 CEST 2012</I>
    <P><UL>
        <LI>Previous message: <A HREF="014228.html">[Mageia-dev] mysql CVE's in mga1 =&gt; have it update to mariadb
</A></li>
        <LI>Next message: <A HREF="014233.html">[Mageia-dev] mysql CVE's in mga1 =&gt; have it update to mariadb
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#14231">[ date ]</a>
              <a href="thread.html#14231">[ thread ]</a>
              <a href="subject.html#14231">[ subject ]</a>
              <a href="author.html#14231">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>&gt;<i> On 13/04/2012 12:45, Colin Guthrie wrote:
</I>&gt;&gt;<i> 'Twas brillig, and Maarten Vanraes at 13/04/12 07:28 did gyre and
</I>&gt;&gt;<i> gimble:
</I>&gt;&gt;&gt;<i> after talking with mariadb people and some others, i'm proposing to
</I>&gt;&gt;&gt;<i> update
</I>&gt;&gt;&gt;<i> mysql 5.5.10 to mariadb-5.5.23 in mga1.
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> I would be pretty strongly against this.
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> I think it's fine we're using mariadb in mga2, but I really don't fancy
</I>&gt;&gt;<i> making this switch on a stable distro.
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> It just seems like a really, really bad idea. Not necessarily
</I>&gt;&gt;<i> technically, but in pretty much all other aspects - you have to consider
</I>&gt;&gt;<i> how this would be viewed as well - changing something like this for a
</I>&gt;&gt;<i> stable distro puts a big question mark over future stability and updates
</I>&gt;&gt;<i> etc. too.
</I>&gt;<i> Same for me.
</I>&gt;<i>
</I>&gt;<i> Basically, you're proposing to break the assumption that current policy
</I>&gt;<i> ensures end user that a package update from 'updates' repository for
</I>&gt;<i> package 'foo' is just a bugfix for 'foo' package. You may have perfectly
</I>&gt;<i> valid technical reasons, but you're *silently* changing the rule upon
</I>&gt;<i> which people may have established their own policies, which is a very,
</I>&gt;<i> very bad idea.
</I>
tbh, iinm the rule is that we like to provide only bugfix/security fix
patches, but there are exceptions when that isn't possible to update to
the full versions fixing this issue.


Well, initially i was against this, but the options to actually fix this
security bug are quite limited:

1. find all the responsible patches and add them manually
==&gt; this is my preferred option, but seems not doable, and apparently
no-one steps in and mysql isn't maintained (officially)

2. do like other distros and fix to higher mysql 5.5.22 which fixes this
issue
==&gt; this is totally not preferred for me;
  A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge
QA load
  B) this also means that the mga1 -&gt; mga2 upgrade will have to be
extensively retested

3. go to the cauldron version that fixes these issues which is mariadb-5.5.23
==&gt; this is less preferred for me:
  A) a big change between mysql 5.5.10 and mysql 5.5.22, which means huge
QA load
  B) however the mga1 -&gt; mga2 upgrade has been tested already, so the
chance of serious issues arising for this is a lot less than normally.
  C) since mariadb-5.5.23 is based on mysql-5.5.23, the changes are quite
less than would normally be.

4. don't fix this security issue
==&gt; this is also less preferred for me, for obvious reasons.

5. someone has a better idea?


considering the response i got, now i'll default to letting someone else
handle it, which might mean it never gets fixed. that would also mean for
me that mageia1 would be a bad version to get LTS on.


I'm open to suggestions...


PS: as some people might think it's just a stupid political reason, but
it's not. my reasons are detailed above.
</PRE>
<!--endarticle-->
    <HR>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>