[Maria-discuss] MySQL's future in Debian and Ubuntu
Many of us in the Free and Open Source software community have seen a trend regarding Oracle's stewardship of Open Source software that it inherited when it purchased Sun. In particular there were two fairly large public project blow-ups that resulted in OpenOffice splintering, and the Hudson community (almost?) completely moving to an independent fork called Jenkins.

It has been brought to my attention that MySQL may have gone this way as well, but in a much more subtle way. This started about a year ago, and has only recently really become obvious.

A few notable fellows from the MySQL ecosystem have commented:

Mark Callaghan:
http://mysqlha.blogspot.com/2011/02/where-have-bugs-gone.html (read the comments on this one, very informative, and most of the commenters are extremely important non-Oracle members of the MySQL community)
http://mysqlha.blogspot.com/2011/11/great-work-bug-12704861-was-fixed.html

Stewart Smith:
http://www.mysqlperformanceblog.com/2011/11/20/bug12704861/

And the CVEs are extremely vague:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0119
"Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors"

Links to here:
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Which links to here:
http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1390289.1

Which requires an account (which I created). I did try to log in but got some kind of failure: "Failure of server APACHE bridge:".

The bzr commit logs for the latest MySQL releases also reference bug numbers that are thought to belong to the private Oracle support system, not accessible to non-paying customers.

This is all very troubling, as in a Linux distribution, we must be able to support our users and track upstream development.

So what should we, the Debian and Ubuntu MySQL maintainers and users, do about this?

Well, there is a Jenkins to MySQL's Hudson, a LibreOffice to their OpenOffice.

MariaDB 5.3, in release candidate now, is 100% backward compatible with MySQL 5.1. It also includes a few speedups and features that can be found in MySQL 5.5 and Percona Server. It is developed 100% in the open, on launchpad.net, including a public bug tracker and up-to-date bzr trees of the code.

http://mariadb.org
https://launchpad.net/maria

I'm writing to the greater Debian and Ubuntu community to ask for your thoughts on a proposal to drop MySQL in favor of MariaDB. It's clear to me that Oracle is not going to do work in the open, and this will become a huge support burden for Linux distributions. The recent CVEs had to be hunted down and investigated at great difficulty by several people, since the KB articles referenced and the internal Oracle bug numbers referenced were not available.

This will only get harder as the community bug tracker gets further out of sync with the private one.

There is some need to consider acting quickly:

Ubuntu precise, the next LTS release of Ubuntu, will be hitting feature freeze on Feb. 16. The release, due in April, will be supported with security updates for 5 years. That may be 5 long years of support if MySQL continues to obscure things.

Debian wheezy is still quite far off, but it is critical that this be done and decided by the time the release freeze begins.

So, here is a suggested plan, given the facts above:

* Upload mariadb 5.3 to Debian experimental, with it providing mysql-server, mysql-client, and libmysqlclient-dev.
* For Ubuntu users, upload these packages to a PPA for testing applications for compatibility, and rebuild testing.
* If testing goes well, replace mysql-5.5 with mariadb in both Debian unstable and Ubuntu precise. If there are reservations about switching this late in precise's cycle, ship mysql-5.5 in precise, and push off Ubuntu's transition until the next cycle.
Before I strike out on this path alone, which, I understand, may sound a bit radical, I want to hear what you all think. Thank you for your time and consideration.
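As an added illustration of the first step of the plan above (the "providing mysql-server, mysql-client, and libmysqlclient-dev" part), and not packaging taken from the original post, from Debian, or from the MariaDB project: a debian/control skeleton in which the MariaDB binary packages provide the MySQL package names and declare the Conflicts/Replaces relationships dpkg needs to swap one for the other without leaving two servers fighting over port 3306 and /var/lib/mysql. The package names and versions (mariadb-server-5.3, mysql-server-5.5, libmariadbclient18) and the build-dependency list are assumptions made for the example.

```debcontrol
# Example debian/control for a MariaDB source package that stands in for
# the mysql-5.5 packages. Names and build-deps below are assumptions.
Source: mariadb-5.3
Section: database
Priority: optional
Maintainer: Example Packager <packager@example.org>
Build-Depends: debhelper (>= 8), cmake, libncurses5-dev, zlib1g-dev, libssl-dev
Standards-Version: 3.9.2

Package: mariadb-server-5.3
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, mariadb-client-5.3 (>= ${source:Version})
# Provides + Conflicts + Replaces is Debian Policy's pattern for a
# drop-in replacement: satisfy "Depends: mysql-server", force the old
# package out, and take over the files it owned (e.g. /etc/mysql/my.cnf).
Provides: mysql-server, mysql-server-5.5
Conflicts: mysql-server, mysql-server-5.5
Replaces: mysql-server, mysql-server-5.5
Description: MariaDB database server binaries
 Drop-in replacement for mysql-server: same port (3306), same socket,
 same data directory and configuration files, so packages that depend
 on mysql-server keep working.

Package: mariadb-client-5.3
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Provides: mysql-client, mysql-client-5.5
Conflicts: mysql-client, mysql-client-5.5
Replaces: mysql-client, mysql-client-5.5
Description: MariaDB database client binaries
 mysql, mysqldump and mysqladmin command-line clients compatible with
 MySQL 5.1 servers.

Package: libmariadbclient-dev
Section: libdevel
Architecture: any
Depends: ${misc:Depends}, libmariadbclient18 (= ${binary:Version})
Provides: libmysqlclient-dev
Conflicts: libmysqlclient-dev
Replaces: libmysqlclient-dev
Description: MariaDB database development files
 Headers and link library for building against the MySQL client protocol;
 satisfies "Build-Depends: libmysqlclient-dev" in other packages.
```

Two caveats a packager would check before relying on this. First, dpkg of this era does not allow a Provides to satisfy a versioned dependency, so any package declaring e.g. `mysql-server (>= 5.1)` rather than plain `mysql-server` still needs its own control file adjusted, which is the dependency scrub the rest of the thread worries about; `apt-cache showpkg mysql-server` lists the reverse dependencies and reverse provides to audit. Second, Conflicts/Replaces only handles files, not data: the postinst still has to cope with an existing /var/lib/mysql written by the MySQL 5.5 binaries, so test the upgrade on a copy of real data before uploading anywhere users will pick it up.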
On Tue, Feb 7, 2012 at 09:50, Clint Byrum <clint@ubuntu.com> wrote:
Well there is a Jenkins to MySQL's Hudson, a LibreOffice to their OpenOffice.
Gee, really?! You promise? Like, really honest?! Man, I could've sworn I had never joined a mailing list called maria-discuss!
Got anything new and interesting to say?
</sarcasm>
Debian will integrate it whenever they feel like it. I'm happy with maria's repos for the moment.
Cheers, Nuno
-- "On the internet, nobody knows you're a dog."
I don't know if this will post, but I was working on RHEL approving MariaDB. I had a long discussion with what seemed to be smart folk with RPM packaging on IRC; I'd need to present it on a mailing list and really find what they wanted. Not too hard of a path.

In my honest opinion, having MariaDB and friends use separate ports (network) and having a package that makes them take over MySQL and makes the system appear it has MySQL, they can choose that, or run both side by side. This is what RHEL said would have to be done pretty much; even some said these forks are nice but it's just easier to go this route, then everyone's happier. So then just make a package that changes the mariadb port # to 3306, removes mysql, installs a package that provides mysql and its friends so mysql appears installed, and moves (backs up) mysql's db directory and copies/symlinks mariadb's as the default. This would leave simple package-manager-managed stuff.

I'm currently really late on delivering RHEL6 RPMs; I hoped to deliver them for our internal needs and deliver a variety and a spec file to fix the buildbot, but things have been slow. If you guys do it like I eventually figured out for RHEL approval it's an easy route, which is why we may as well go that way. Sure, you can be on other repos, but we were talking about near main, and debian/ubuntu shouldn't have a complaint if there's a package dedicated to disabling mysql if the person specifically wants that; but if people go to install "mysql" and it does mariadb, or install mariadb and it replaces mysql, that could cause confusion is the general... I'm a BSD fan tbh but all our systems run Linux =/

William C. Manns
www.XenServ.com
Owner & Senior Executive Director

2012/2/7 Nuno Magalhães <nunomagalhaes@eu.ipp.pt>
On Tue, Feb 7, 2012 at 09:50, Clint Byrum <clint@ubuntu.com> wrote:
Well there is a Jenkins to MySQL's Hudson, a LibreOffice to their OpenOffice.
Gee, really?! You promise? Like, really honest?! Man, I could've sworn I had never joined a mailing list called maria-discuss!
Got anything new and interesting to say?
</sarcasm>
Debian will integrate it whenever they feel like it. I'm happy with maria's repos for the moment.
Cheers, Nuno
-- "On the internet, nobody knows you're a dog."
_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp
Hi! On 7 Feb 2012, at 18:26, Chris Manns wrote:
I don't know if this will post, but I was working on RHEL approving MariaDB. I had a long discussion with what seemed to be smart folk with RPM packaging on IRC; I'd need to present it on a mailing list and really find what they wanted. Not too hard of a path.
A good way to get it into RHEL is: http://fedoraproject.org/wiki/Packaging:Alternatives
In my honest opinion, having MariaDB and friends use separate ports (network) and having a package that makes them take over MySQL and makes the system appear it has MySQL, they can choose that, or run both side by side. This is what RHEL said would have to be done pretty much; even some said these forks are nice but it's just easier to go this route, then everyone's happier. So then just make a package that changes the mariadb port # to 3306, removes mysql, installs a package that provides mysql and its friends so mysql appears installed, and moves (backs up) mysql's db directory and copies/symlinks mariadb's as the default.
To remain backward compatible, the idea of using the same port number, data files, etc. seems to be in play. If we are to apply for a new port number we have to change the protocol to some extent. The only reason RHEL/Fedora have a real problem today is because of packaging policy (see: http://fedoraproject.org/wiki/Packaging:Guidelines), nothing else.
<snipped> -- Colin Charles, http://bytebot.net/blog/ | twitter: @bytebot | skype: colincharles MariaDB: Community developed. Feature enhanced. Backward compatible. Download it at: http://www.mariadb.org/ Open MariaDB/MySQL documentation at the Knowledgebase: http://kb.askmonty.org/
On Tue, 7 Feb 2012 18:31:05 +0800, Colin Charles <colin@montyprogram.com> wrote:
To remain backward compatible, the idea of using the same port number, data files, etc. seems to be in play. If we are to apply for a new port number we have to change the protocol to some extent.
We have the same issue with Percona Server and also with Drizzle (to a lesser extent). Maybe somebody can point out how RHEL/Fedora do multiple web servers or email servers as that's essentially what we have here. Surely things like nginx, lighttpd and postfix are also packaged for RHEL/Fedora? -- Stewart Smith
Hi! On 16 Feb 2012, at 10:01, Stewart Smith wrote:
On Tue, 7 Feb 2012 18:31:05 +0800, Colin Charles <colin@montyprogram.com> wrote:
To remain backward compatible, the idea of using the same port number, data files, etc. seems to be in play. If we are to apply for a new port number we have to change the protocol to some extent.
We have the same issue with Percona Server and also with Drizzle (to a lesser extent).
Maybe somebody can point out how RHEL/Fedora do multiple web servers or email servers as that's essentially what we have here. Surely things like nginx, lighttpd and postfix are also packaged for RHEL/Fedora?
It's called the alternatives packaging system. I have posted a reference to this here before. It also requires we change the MySQL package. Should we work on this as a community effort? Drizzle has its own port, uses different data files, etc. -- what's the problem there? -- Colin Charles, http://bytebot.net/blog/ | twitter: @bytebot | skype: colincharles MariaDB: Community developed. Feature enhanced. Backward compatible. Download it at: http://www.mariadb.org/ Open MariaDB/MySQL documentation at the Knowledgebase: http://kb.askmonty.org/
On Thu, 16 Feb 2012 10:42:34 +0800, Colin Charles <colin@montyprogram.com> wrote:
On 16 Feb 2012, at 10:01, Stewart Smith wrote:
Maybe somebody can point out how RHEL/Fedora do multiple web servers or email servers as that's essentially what we have here. Surely things like nginx, lighttpd and postfix are also packaged for RHEL/Fedora?
It's called the alternatives packaging system. I have posted a reference to this here before. It also requires we change the MySQL package. Should we work on this as a community effort?
Yep, sounds good. It's probably the easiest way forward... this then can decouple the what-is-default discussion from the ease-of-making-a-choice problem.
Drizzle has its own port, uses different data files, etc. -- what's the problem there?
the mysql protocol plugin - the one that most people end up using. -- Stewart Smith
Hi! On 7 Feb 2012, at 17:50, Clint Byrum wrote:
So, here is a suggested plan, given the facts above:
* Upload mariadb 5.3 to Debian experimental, with it providing mysql-server, mysql-client, and libmysqlclient-dev.
* For Ubuntu users, upload these packages to a PPA for testing applications for compatibility, and rebuild testing.
* If testing goes well, replace mysql-5.5 with mariadb in both Debian unstable and Ubuntu precise. If there are reservations about switching this late in precise's cycle, ship mysql-5.5 in precise, and push off Ubuntu's transition until the next cycle.
Before I strike out on this path alone, which, I understand, may sound a bit radical, I want to hear what you all think.
Thank you for your time and consideration.
As we've spoken about this extensively before, I think the plan above is cogent and is something that should go forward. Security is no laughing matter, and we (at MariaDB) take it seriously and gladly poke around to see what's fixed, rewrite fixes if need be, etc. Let us do the heavy lifting. Another reference post: http://blog.montyprogram.com/oracles-27-mysql-security-fixes-and-mariadb/ cheers, -c -- Colin Charles, http://bytebot.net/blog/ | twitter: @bytebot | skype: colincharles MariaDB: Community developed. Feature enhanced. Backward compatible. Download it at: http://www.mariadb.org/ Open MariaDB/MySQL documentation at the Knowledgebase: http://kb.askmonty.org/
This will only get harder as the community bug tracker gets further out of sync with the private one.
There is some need to consider acting quickly:
...
Before I strike out on this path alone, which, I understand, may sound a bit radical, I want to hear what you all think.
Thank you for your time and consideration.
For all I've read on the subject during the past years, I think it would be a great move - but my opinion counts only for about 20 servers :-).
On Tue, 2012-02-07 at 01:50 -0800, Clint Byrum wrote:
I'm writing to the greater Debian and Ubuntu community to ask for your thoughts on a proposal to drop MySQL in favor of MariaDB. It's clear to me that Oracle is not going to do work in the open, and this will become a huge support burden for Linux distributions. The recent CVEs had to be hunted down and investigated at great difficulty by several people, since the KB articles referenced and the internal Oracle bug numbers referenced were not available.
This will only get harder as the community bug tracker gets further out of sync with the private one.
As a member of the security team, I think Oracle's move to a private bug tracker and not publishing details on the security issues is a disaster for Linux distributions attempting to maintain MySQL. I would support moving to a project that still does development in the open and is not actively trying to hide details of security issues. Marc.
On Tue, Feb 7, 2012 at 13:04, Marc Deslauriers <marc.deslauriers@canonical.com> wrote:
Oracle's move to a private bug tracker and not publishing details on the security issues is a disaster for Linux distributions attempting to maintain MySQL.
Guess you'll only be able to maintain MySQL so far before it becomes obsolete. Hence maria the fork :) Distros will pick it up when they feel ready (and users much later but that's just me wild-guessing). -- "On the internet, nobody knows you're a dog."
Hello, On 2/7/2012 8:04 AM, Marc Deslauriers wrote:
As a member of the security team, I think Oracle's move to a private bug tracker and not publishing details on the security issues is a disaster for Linux distributions attempting to maintain MySQL.
I would support moving to a project that still does development in the open and is not actively trying to hide details of security issues.
We already moved all our clients to our custom MariaDB RPMs. They are optimized for performance and available for free (without support) in our repository for Redhat/CentOS 5/6 (http://rpm.axivo.com/). In a nutshell, MariaDB performs way better than any MySQL version we tested. Regards, Floren Munteanu
I have already moved some of my servers to mariadb, with minor to no downtime during the process, but I have also kept some of them stuck with mysql just because of the "official" support (well, it is the elected one in the main repository after all).

I have also done some benchmarking and have seen no loss in performance; depending on the memcache/loadbalance/db engine, it got even a little better. They have published some bug fixes that were really critical for me. And MOST OF THE TIME the binaries and libraries are transparently compatible with MySQL, therefore I have never had an application or framework even realize it was not running on top of MySQL.

I have seen a few discussions in the past couple of years (not sure from who) in the ubuntu-server list, and back when I first followed this up, maintainers claimed it was not really fully compatible due to some of the dependencies that the other packages have set, and apache2 was one of the most important... So keep in mind there will be a major scrub in a lot of packages to change their dependencies from mysql (and its libraries) to mariadb. Of course, it's a doable task, but it might be a little larger than we may first realize.

2012/2/7 Marc Deslauriers <marc.deslauriers@canonical.com>
On Tue, 2012-02-07 at 01:50 -0800, Clint Byrum wrote:
I'm writing to the greater Debian and Ubuntu community to ask for your thoughts on a proposal to drop MySQL in favor of MariaDB. It's clear to me that Oracle is not going to do work in the open, and this will become a huge support burden for Linux distributions. The recent CVEs had to be hunted down and investigated at great difficulty by several people, since the KB articles referenced and the internal Oracle bug numbers referenced were not available.
This will only get harder as the community bug tracker gets further out of sync with the private one.
As a member of the security team, I think Oracle's move to a private bug tracker and not publishing details on the security issues is a disaster for Linux distributions attempting to maintain MySQL.
I would support moving to a project that still does development in the open and is not actively trying to hide details of security issues.
Marc.
-- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
-- Fábio Leitão ..-. .- -... .. --- .-.. . .. - .- --- ...-.-
On Sat, 2012-02-11 at 20:47 -0200, Fabio T. Leitao wrote:
I have already moved some of my servers to mariadb, with minor to no downtime during the process, but I have also kept some of them stuck with mysql just because of the "official" support (well, it is the elected one in the main repository after all).
Out of curiosity, what version of MySQL did you migrate to what version of MariaDB? Marc.
The first time I attempted this was in the previous release of Ubuntu, so I am not totally sure of what version number was available. At least two of the most recent tries were with 11.10 oneiric... the servers had mysql 5.1.58-1ubuntu1 and now are running mariadb 5.2.10-mariadb107~oneiric.

I got those binaries from their official repository: http://ftp.osuosl.org/pub/mariadb/repo/5.2/ubuntu/ oneiric/main i386

I also use their libraries for apache and rails (the framework that runs on these servers).

2012/2/12 Marc Deslauriers <marc.deslauriers@canonical.com>
On Sat, 2012-02-11 at 20:47 -0200, Fabio T. Leitao wrote:
I have already moved some of my servers to mariadb, with minor to no downtime during the process, but I have also kept some of them stuck with mysql just because of the "official" support (well, it is the elected one in the main repository after all).
Out of curiosity, what version of MySQL did you migrate to what version of MariaDB?
Marc.
-- Fábio Leitão ..-. .- -... .. --- .-.. . .. - .- --- ...-.-
Excerpts from Clint Byrum's message of Tue Feb 07 01:50:18 -0800 2012:
Many of us in the Free and Open Source software community have seen a trend regarding Oracle's stewardship of Open source software that it inherited when it purchased Sun. In particular there were two fairly large public project blow ups that resulted in OpenOffice splintering, and the Hudson community (almost?) completely moving to an independent fork called Jenkins.
It has been brought to my attention that MySQL may have gone this way as well, but in a much more subtle way. This started about a year ago, and has only recently really become obvious.
A few notable fellows from the MySQL ecosystem have commented:
Mark Callaghan http://mysqlha.blogspot.com/2011/02/where-have-bugs-gone.html (read the comments on this one, very informative, and most of the commenters are extremely important non-Oracle members of the MySQL community)
http://mysqlha.blogspot.com/2011/11/great-work-bug-12704861-was-fixed.html
Stewart Smith: http://www.mysqlperformanceblog.com/2011/11/20/bug12704861/
And the CVEs are extremely vague:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0119
"Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors"
Links to here:
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
Which links to here:
http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1390289.1
Which requires an account (which I created). I did try to login but got some kind of failure..
"Failure of server APACHE bridge:".
The bzr commit logs for the latest MySQL releases also reference bug numbers that are thought to belong to the private Oracle support system, not accessible to non-paying customers.
This is all very troubling, as in a Linux distribution, we must be able to support our users and track upstream development.
So what should we, the Debian and Ubuntu MySQL maintainers and users, do about this?
Well there is a Jenkins to MySQL's Hudson, a LibreOffice to their OpenOffice.
MariaDB 5.3, in release-candidate now, is 100% backward compatible with MySQL 5.1. It also includes a few speedups and features that can be found in MySQL 5.5 and Percona Server. It is developed 100% in the open, on launchpad.net, including a public bug tracker and up to date bzr trees of the code.
http://mariadb.org https://launchpad.net/maria
I'm writing to the greater Debian and Ubuntu community to ask for your thoughts on a proposal to drop MySQL in favor of MariaDB. It's clear to me that Oracle is not going to do work in the open, and this will become a huge support burden for Linux distributions. The recent CVEs had to be hunted down and investigated at great difficulty by several people, since the KB articles referenced and the internal Oracle bug numbers referenced were not available.
This will only get harder as the community bug tracker gets further out of sync with the private one.
There is some need to consider acting quickly:
Ubuntu precise, the next LTS release of Ubuntu, will be hitting feature freeze on Feb. 16. The release, due in April, will be supported with security updates for 5 years. That may be 5 long years of support if MySQL continues to obscure things.
Debian wheezy is still quite far off, but it is critical that this be done and decided by the time the release freeze begins.
So, here is a suggested plan, given the facts above:
* Upload mariadb 5.3 to Debian experimental, with it providing mysql-server, mysql-client, and libmysqlclient-dev.
* For Ubuntu users, upload these packages to a PPA for testing applications for compatibility, and rebuild testing.
* If testing goes well, replace mysql-5.5 with mariadb in both Debian unstable and Ubuntu precise. If there are reservations about switching this late in precise's cycle, ship mysql-5.5 in precise, and push off Ubuntu's transition until the next cycle.
Before I strike out on this path alone, which, I understand, may sound a bit radical, I want to hear what you all think.
Thank you for your time and consideration.
Thanks everyone for all of the thoughts and the great discussion that has taken place since my original message.

As a smart person once said, "The plan is nothing, Planning is everything."

In the course of looking at this from many different angles, I think I have come to understand the different facets of the problem and the situation that Debian and Ubuntu are in with regard to MySQL.

To re-cap, the original suggestion was that we might "replace" MySQL with MariaDB in Debian and Ubuntu. This was somewhat ambiguous, and probably needed clarification. My intention was to suggest that MariaDB would be the database that Ubuntu supports, not that MySQL would be removed from Debian or Ubuntu. If it still meets the requirements for inclusion in either distribution, it should remain there.

In discussing this with various parties, it has become clear that Oracle does not intend to change their policy on security updates, and will continue to keep them hidden. This is unfortunate for the model that Debian and Ubuntu have traditionally taken for MySQL, which was to just cherry-pick security fixes, and avoid importing all of the incompatible changes that get introduced on a regular basis.

However, the code is still Free, and the releases are still available to us with the fixes in them. We are not exposing Debian or Ubuntu users to any new dangers. For this reason, as a conservative step, it seems clear that for Precise Pangolin (the upcoming 12.04 release of Ubuntu), we should continue to release with MySQL 5.5. I do expect that this may be a somewhat painful decision, as we will be forced to release any bug fix release from Oracle as a whole update. However, it is less of a risk than switching out for a totally new code base with more than half of the release cycle done.

In order to prepare for a potential promotion of MariaDB and/or Percona Server to Ubuntu main, I am going to work toward getting them both into the Ubuntu and Debian archives ASAP. Because we are past feature freeze in Ubuntu, there is no guarantee that they will ship with precise in universe. I will make sure that they are able to replace the precise mysql package in such a way that we can put them into our backports repository and have them available to precise users for testing.

I think this will give users a "way out" if they do not want to stay on the track of running the latest patch release of MySQL all of the time. Of course, users can also just get these packages from Percona or the MariaDB project directly until this is complete.

For Debian, I think it's clear that MySQL should stay in Debian. What is not clear is how much of my time and other maintainers' time will be spent on it going forward. I think that is up to individual contributors to decide. I will continue to spend time to make sure that the Debian packages stay in sync with whatever goodness we have added to the Ubuntu packages as time permits.

Long term, we need to have a frank and open discussion about how important it is to us, and our users, that we cherry-pick fixes rather than ship upstream releases. I'd like to invite everyone who is interested in solving this in Ubuntu and Debian to join us at the next Ubuntu Developer Summit in Oakland, CA, USA, the week of May 7th - May 11th. More details can be found here: http://uds.ubuntu.com/

Watch the ubuntu-server mailing list[1] for details on how to join the discussion.

-Clint

[1] https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
All I am asking for is this: Please, do not substitute packages. Let mysql-server.deb retain its origin. Please, add MariaDB under a different name and let the end users decide whether they want to stick with Oracle's MySQL or to switch to using MariaDB. If MariaDB is better, faster, more scalable, and more stable, the end users will flock. And those who decide to switch to MariaDB would still want to do it on their schedule, as opposed to on the Ubuntu release schedule. Regards, Alex Esterkin On Fri, Feb 17, 2012 at 11:39, Clint Byrum <clint@ubuntu.com> wrote:
Thanks everyone for all of the thoughts and the great discussion that has taken place since my original message.
As a smart person once said, "The plan is nothing, Planning is everything."
In the course of looking at this from many different angles, I think I have come to understand the different facets of the problem and the situation that Debian and Ubuntu are in with regard to MySQL.
To re-cap, the original suggestion was that we might "replace" MySQL with MariaDB in Debian and Ubuntu. This was somewhat ambiguous, and probably needed clarification. My intention was to suggest that MariaDB would be the database that Ubuntu supports, not that MySQL would be removed from Debian or Ubuntu. If it still meets the requirements for inclusion in either distribution, it should remain there.
In discussing this with various parties, it has become clear that Oracle does not intend to change their policy on security updates, and will continue to keep them hidden. This is unfortunate for the model that Debian and Ubuntu have traditionally taken for MySQL, which was to just cherry pick security fixes, and avoid importing all of the incompatible changes that get introduced on a regular basis.
However, the code is still Free, and the releases are still available to us with the fixes in them. We are not exposing Debian or Ubuntu users to any new dangers. For this reason, as a conservative step, it seems clear that for Precise Pangolin (the upcoming 12.04 release of Ubuntu), we should continue to release with MySQL 5.5. I do expect that this may be a somewhat painful decision, as we will be forced to release any bug fix release from Oracle as a whole update. However, it is less of a risk than switching out for a totally new code base with more than half of the release cycle done.
In order to prepare for a potential promotion of MariaDB and/or Percona Server to Ubuntu main, I am going to work toward getting them both into the Ubuntu and Debian archives ASAP. Because we are past feature freeze in Ubuntu, there is no guarantee that they will ship with precise in universe. I will make sure that they are able to replace the precise mysql package in such a way where we can put them in to our backports repository and have them available to precise users for testing.
I think this will give users a "way out" if they do not want to stay on the track of running the latest patch release of MySQL all of the time. Of course, users can also just get these packages from Percona or the MariaDB project directly until this is complete.
For Debian, I think it's clear that MySQL should stay in Debian. What is not clear is how much of my time and other maintainers' time will be spent on it going forward. I think that is up to individual contributors to decide. I will continue to spend time to make sure that the Debian packages stay in sync with whatever goodness we have added to the Ubuntu packages as time permits.
Long term, we need to have a frank and open discussion about how important it is to us, and our users, that we cherry pick fixes rather than ship upstream releases. I'd like to invite everyone who is interested in solving this in Ubuntu and Debian to join us at the next Ubuntu Developer Summit in Oakland, CA, USA, the week of May 7th - May 11th. More details can be found here:
Watch the ubuntu-server mailing list[1] for details on how to join the discussion.
-Clint
[1] https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
-- MySQL Internals Mailing List For list archives: http://lists.mysql.com/internals To unsubscribe: http://lists.mysql.com/internals
participants (10)
- Alex Esterkin
- Chris Manns
- Clint Byrum
- Colin Charles
- Fabio T. Leitao
- Floren Munteanu
- jurgen.depicker@let.be
- Marc Deslauriers
- Nuno Magalhães
- Stewart Smith