On Thu, Mar 28, 2019 at 07:29:07PM -0400, Sandro Tosi wrote:
> Hello Moritz,
> could you please reply to the points made below? thanks!

Sorry, missed your reply.
 
> > what kind of security support does Debian provide to the mysql server
> > packages?

None at all, they're only in unstable for that reason (Debian switched to
MariaDB which is more transparent).

> > > This leaves us with the following options for buster:
> > > - There are no reverse dependencies in buster, remove it from testing
> > >   and hope that someone less hostile to the FLOSS community creates a
> > >   fork
> >
> > from a quick look (on unstable):
> >
> > $ apt-cache rdepends python-mysql.connector
> > python-mysql.connector
> > Reverse Depends:
> >  mysql-utilities
> >  mysql-workbench
> > $ apt-cache rdepends python3-mysql.connector
> > python3-mysql.connector
> > Reverse Depends:
> >  openlp
> >  python3-sql
> >
> > so some packages, not many, didn't verify if they are in buster atm

mysql-utilities and mysql-workbench are not in buster.

openlp and python3-sql are.

> > > - Aside from the packaged software and given that this is the only Python
> > >   binding for mysql/mariadb, there's most definitely a sizable number of
> > >   inhouse code using that module. Update src:debian-security-support to
> > >   mark mysql-connector-python as unsupported and add a README.Debian.security
> > >   which also documents this status within the package itself.
> >
> > i think this is up to the security team to decide, no?

IMHO ideally we'd not ship any code by Oracle and their ugly policies, but
sometimes (and especially late in the freeze), compromises/middle grounds
are necessary.

If you as the maintainer are fine with that, let's apply the policy for buster
and revisit one year before bullseye, maybe there's a more friendly fork by
then which Debian can adopt.

Cheers,
        Moritz
