[Maria-developers] release day of week for security releases
Hi,

Thanks for the latest releases with security fixes.

While I appreciate that all of the development of these security fixes was in public (without mentioning it was a security fix - well at least the remote code exec), I'm wondering if security releases could occur on a weekday where sysadmins need not forsake part of their weekend to correct a public vulnerability. Just my thoughts and preferences. I appreciate others may consider things differently.

It also appears that the fedora 17 mariadb galera updates are only partially pushed. Maybe it's just my setup after switching from the non-galera repo.

    $ sudo yum update
    [sudo] password for dan:
    Loaded plugins: langpacks, presto, priorities, refresh-packagekit, security
    38 packages excluded due to repository priority protections
    Resolving Dependencies
    --> Running transaction check
    ---> Package MariaDB-client.x86_64 0:5.5.25-1 will be updated
    ---> Package MariaDB-client.x86_64 0:5.5.27-1 will be an update
    ---> Package MariaDB-common.x86_64 0:5.5.25-1 will be updated
    ---> Package MariaDB-common.x86_64 0:5.5.27-1 will be an update
    ---> Package MariaDB-server.x86_64 0:5.5.25-1 will be updated
    ---> Package MariaDB-server.x86_64 0:5.5.27-1 will be obsoleting
    ---> Package mysql.x86_64 0:5.5.28-1.fc17 will be obsoleted
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package             Arch         Version         Repository       Size
    ================================================================================
    Installing:
     MariaDB-server      x86_64       5.5.27-1        mariadb          33 M
         replacing  mysql.x86_64 5.5.28-1.fc17
    Updating:
     MariaDB-client      x86_64       5.5.27-1        mariadb         8.6 M
     MariaDB-common      x86_64       5.5.27-1        mariadb          23 k

    Transaction Summary
    ================================================================================
    Install  1 Package
    Upgrade  2 Packages

    Total size: 42 M
    Total download size: 8.6 M
    Is this ok [y/N]: y
    Downloading Packages:
    Setting up and reading Presto delta metadata
    MariaDB-5.5.27-fedora17-x86_64 FAILED
    HTTP Error 404 - Not Found : http://yum.mariadb.org/5.5-galera/fedora17-amd64/rpms/MariaDB-5.5.27-fedora1...
    http://yum.mariadb.org/5.5-galera/fedora17-amd64/rpms/MariaDB-5.5.27-fedora1...: [Errno 14] HTTP Error 404 - Not Found : http://yum.mariadb.org/5.5-galera/fedora17-amd64/rpms/MariaDB-5.5.27-fedora1...

/etc/yum.repos.d/mariadb.repo:

    [mariadb]
    name = MariaDB
    baseurl = http://yum.mariadb.org/5.5-galera/fedora17-amd64
    gpgcheck=1
    enabled=1

-- 
Daniel Black, Engineer @ Open Query (http://openquery.com)
Remote expertise & maintenance for MySQL/MariaDB server environments.
Hi, Daniel!

On Dec 02, Daniel Black wrote:
> Thanks for the latest releases with security fixes.
>
> While I appreciate that all of the development of these security fixes was in public (without mentioning it was a security fix - well at least the remote code exec), I'm wondering if security releases could occur on a weekday where sysadmins need not forsake part of their weekend to correct a public vulnerability. Just my thoughts and preferences. I appreciate others may consider things differently.

Yes, I agree. And I'm sorry for this. The release was delayed because it was our first "a" release (with a letter in the version), and neither the packaging nor the publishing system was quite ready for that. Normally we try to release early in the week.

On the other hand, after we released fixed binaries, there was a public disclosure of this vulnerability on the various security mailing lists, accompanied by an exploit. Apparently, it was found independently, and almost at the same time. Had we waited with our release till Monday, our users wouldn't have had a fixed version when the exploit went public.

> It also appears that the fedora 17 mariadb galera updates are only partially pushed. Maybe it's just my setup after switching from the non-galera repo.

Probably, yes. Next week we're going to do the next MariaDB-Galera release, and then we'll remove the "galera repo". We will have one repository with both galera and non-galera packages.

Regards,
Sergei
Sergei,

Thanks for the detailed situation report. I appreciate your preferences are the same as mine. I sympathise with being caught in the bind and needing to compromise on release timings. I would have done the same thing. Glad to see things improving as they always are.

Perhaps reviewing having publicly available crash reports? The coincidence of timing seems a little close.

It's a tough choice and I see you've got other urgent stuff to do, so please don't let me keep you waiting.

Thanks for the explanation and releases.

----- Original Message -----
From: "Sergei Golubchik" <serg@askmonty.org>
To: "Daniel Black" <daniel.black@openquery.com>
Cc: maria-developers@lists.launchpad.net
Sent: Friday, 7 December, 2012 9:35:44 AM
Subject: Re: [Maria-developers] release day of week for security releases

-- 
Daniel Black, Engineer @ Open Query (http://openquery.com)
Remote expertise & maintenance for MySQL/MariaDB server environments.