Re: [Maria-discuss] MySQL's future in Debian and Ubuntu
On 02/13/2012 01:20 AM, Eddie Bachle wrote:
> I would like to say we would still switch, or still heavily consider it for the grains that could be made by using Ubuntu, however realistically, the lack of native MySQL in any OS would be a huge mark against it.

FTR, we would not *drop* MySQL support. Worst case scenario, we'd place them in partner, much like we did with sun-java. The change would be that our default/recommended DB would be MariaDB.

> Also that being said, if the technical concerns are answered adequately for a vast majority of applications and hardware/OS setups, then I would be totally behind switching to a more open source friendly and compatible database software as there would be little love lost between me and MySQL.

One thing to note, the primary motivator for this proposal isn't about moving to a more "open source friendly" application. We have genuine security concerns/issues with how MySQL handles and publishes their security updates. We can't simply update supported prior Ubuntu releases to newer MySQL versions, so we have to backport patches. Their lack of information and access to the bugs addressed makes it *very* time consuming and difficult for our security and SRU teams to do this. If we can resolve these issues, then MySQL's future in main looks much brighter.

-Robbie
--
Robbie Williamson <robbie@ubuntu.com>
robbiew[irc.freenode.net]
"Don't make me angry...you wouldn't like me when I'm angry." -Bruce Banner
On Mon, 2012-02-13 at 10:11 -0600, Robbie Williamson wrote:
> On 02/13/2012 01:20 AM, Eddie Bachle wrote:
>> I would like to say we would still switch, or still heavily consider it for the grains that could be made by using Ubuntu, however realistically, the lack of native MySQL in any OS would be a huge mark against it.
>
> FTR, we would not *drop* MySQL support. Worst case scenario, we'd place them in partner, much like we did with sun-java. The change would be that our default/recommended DB would be MariaDB.
>
>> Also that being said, if the technical concerns are answered adequately for a vast majority of applications and hardware/OS setups, then I would be totally behind switching to a more open source friendly and compatible database software as there would be little love lost between me and MySQL.
>
> One thing to note, the primary motivator for this proposal isn't about moving to a more "open source friendly" application. We have genuine security concerns/issues with how MySQL handles and publishes their security updates. We can't simply update supported prior Ubuntu releases to newer MySQL versions, so we have to backport patches. Their lack of information and access to the bugs addressed makes it *very* time consuming and difficult for our security and SRU teams to do this. If we can resolve these issues, then MySQL's future in main looks much brighter.

We are unable to determine what the recent MySQL security fixes are due to lack of details, and unclear commit messages. The only thing we can do to keep our users secure right now is to push MySQL 5.5.20 and 5.1.61 to our stable releases, which is less than ideal for various reasons.

Marc.
Hi! On 15 Feb 2012, at 00:49, Marc Deslauriers wrote:
> We are unable to determine what the recent MySQL security fixes are due to lack of details, and unclear commit messages.

Based on our analysis of commits and bugs, we believe the CPU (critical patch update) that Oracle released was actually for a lot of bugs that have already been fixed in past versions of MySQL. They just seemed to have decided to "bulk it up" and place it in one update. Of course Oracle has not come up with an official statement and doesn't seem to be interested to do so. What is clear is that these bugs are not "new", and were not found from October 2011 - January 2012. Of course we cannot be sure, but it would seem irresponsible of Oracle to state that the bugs referenced current community releases of MySQL (5.5.21, 5.1.61 - e.g. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0492). In fact the current GA is 5.5.20, and that advisory is listed as "high" in the CPU.

From a blog post by an Oracle employee that is now not online, the references to fixed bugs were:

1. Bug #11759688
2. Bug #52020
3. Bug #13358468
4. Bug #54082
5. Bug #11761576
6. Bug #51252
7. Bug #11758979
8. Bug #48726
9. Bug #11756764
10. Bug #42784
11. Bug #11751793
12. Bug #45546
13. Bug #11754011
14. Bug #13427949
15. Bug #11745230
16. Bug #12133
17. Bug #13116225
18. Bug #11759688
19. Bug #13358468
20. Bug #63020
21. Bug #13344643

Sadly, even in his reference, there are lots of bugs that are only kept in a closed bug system that Oracle has (basically anything with more than 5 digits in the bug number references the closed bug system).

--
Colin Charles, http://bytebot.net/blog/ | twitter: @bytebot | skype: colincharles
MariaDB: Community developed. Feature enhanced. Backward compatible.
Download it at: http://www.mariadb.org/
Open MariaDB/MySQL documentation at the Knowledgebase: http://kb.askmonty.org/
Hi! On 14 Feb 2012, at 00:11, Robbie Williamson wrote:
> One thing to note, the primary motivator for this proposal isn't about moving to a more "open source friendly" application. We have genuine security concerns/issues with how MySQL handles and publishes their security updates. We can't simply update supported prior Ubuntu releases to newer MySQL versions, so we have to backport patches. Their lack of information and access to the bugs addressed makes it *very* time consuming and difficult for our security and SRU teams to do this. If we can resolve these issues, then MySQL's future in main looks much brighter.

As an addition to the lack of transparent security bugs, it should be noted that MySQL has an interesting release policy that may be incompatible with LTS-styled distributions. MySQL policy only aims to support 2 active GA releases at any one time. In today's world, that is MySQL 5.1 and MySQL 5.5. If MySQL 5.6 becomes GA by April/June/October 2012 (as we suspect -- there is no roadmap/milestone), support will only exist for MySQL 5.5 and MySQL 5.6. With an average of 12-18 months in a release cycle for MySQL, this puts active support for MySQL 5.5 out by sometime in 2014. Ubuntu's next LTS release needs support for security till 2017.

Today, only MariaDB is giving you 5 years of community support for every GA release out there (from the date of the GA), i.e. if a bug is reported, and it is security related, it will be backported into older releases as long as they remain in active support. There is no trigger to have a paying customer have a bug, as long as the bug is currently in one of the many supported GA releases and reported on the very public Launchpad bug tracker :-)

cheers,
-c
--
Colin Charles, http://bytebot.net/blog/ | twitter: @bytebot | skype: colincharles
MariaDB: Community developed. Feature enhanced. Backward compatible.
Download it at: http://www.mariadb.org/
Open MariaDB/MySQL documentation at the Knowledgebase: http://kb.askmonty.org/