Hi,

As a mere user (systems administrator), I'll share some questions / criticisms from my perspective that might help shed some light on the underlying issues.
I was wondering why, after the 2016-01-19 announcement, there is still no patched mysql-5.5 in jessie or wheezy, and also why mariadb was only just patched today. Debian is typically much faster than this at getting out patches. Is it to do with complexity, available manpower, or other things?

Another concern I have is that when I check Debian's Security Tracker, although I can see which CVEs apply to my (still unpatched) systems, the only descriptions I have are, for example:

"[...] allows remote authenticated users to affect integrity via unknown vectors related to encryption"

That is definitely not okay in a free, open-source software project. I want to be able to evaluate how/whether my specific configuration is vulnerable and assess the risk for myself, while I wait for patches to come, and decide if I even want to apply them at all. Why is it that way? It reflects badly on Oracle that they don't or can't do better, and it reduces my personal trust in them. (It's in the Debian Social Contract: "we will not hide problems".)

In contrast, for something as complex as the Linux kernel, I'm usually pointed to a specific Git commit showing how and where the bug was fixed, and there's often public discussion of the vulnerability in Red Hat's bug tracker or other sources.

Assuming MariaDB is affected by the same issues, I may not be in a technically better situation if I switched to using that. (Although, it seems one of the recent CVEs did not affect MariaDB?) But I look at their public bug dashboard as a model of how open I want development to happen, and it makes me _feel_ more comfortable and optimistic about that project already.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org