BTW. I even can't login to my old oracle account to create /comment on the issue - my password does not work, attempts to recover it failed. I would have to create a new account to post a new issue and the form to create it asks me for a lot of personal information and probably along the way I will have to agree to sell my kidney. Also I will have to get that account **just** to be able to possibly get to know what key they will have when they fix the problem.
On Thu, Oct 23, 2025 at 12:25 PM Jarek Potiuk <[email protected]> wrote: > Hello Everyone, > > *TL;DR; I would like to propose complete dropping of MySQL "Oracle > published" client libraries from our container images.* > > Two years ago [1] - we switched to MariaDB clients by default because of a > very convoluted (and plain wrong) approach of Oracle for their Apt > repositories and we are back to the situation we faced 2 years ago. > > We protected (nicely) against total disaster (where I had to manually > build and push 100 of our broken images during the weekend) and switched to > MariaDB by default. We still left the option to build the image with MySQL > client and we still run it in our CI - this is how we found tonight > that the problem is back, Luckily all that is needed is we need to drop the > optional support we have for MySQL images described in [2]. It requires the > users who wish to use MySQL client to build the images using our > Dockerfiles with specific build arguments. We kept it for compatibility and > convenience of those who would have to use the clients. We never heard back > from anyone if they are using or not - it's very likely, it's used > extremely rarely (if at all). > > The problem is (and you can find many articles, stack overflow issues, > blog posts about it) that Oracle uses a very convoluted and wrong way of > making their apt packages available - they sign their packages and repos > with expiring keys. No other company I know is using this, this is against > debian recommendations and every two years it causes the same problem - the > old packages are not installable, images released in the past that have > their repos added are blocked from installing **anything** (i.e. apt > install fails to install anything unless you remove oracle's repos and > keys) > > Just to be clear - this is (so far) not a problem for the server side of > MySQL. We are ok with our tests where MySQL is used as a server - because > we can use images they publish to run the servers) and MariaDB clients work > well with those. But for MySQL clients - every 2 years (it's already the > 3rd time it happened) it makes our images and dockerfiles broken - and our > users who want to use the clients - scrambling to install those. > > To add to that - when it happens, Oracle is surprised. Always. No > exception. It happened tonight and as of tonight, you have no way > installing the packages at all (even if you somehow get hold of the new > key) because their repos are signed with old, expired keys - 2 years ago it > took them almost a week to fix it and the bug created [3] was created where > I - among others explained them the problem they had and what solution they > can apply. > > They ignored it. Today the story repeated itself. MySQL clients stopped > installing - because they are signed by expired keys and their repo is also > signed by the same expired key. They have learned nothing and did not fix > the problem. They will have another sh**tstom coming and will scramble to > fix it again. > > But I do not wish our community (and me particularly) to be part of it any > more - my proposal is to simply drop that option and let the users be on > their own if they want to use MySQL client. > > I will proceed with removing it now in a PR (completely) so that we fix > our failing canary builds and If no-one objects, I will call for LAZY > CONSENSUS and will not revert the change. > > J. > > [1] Lazy consensus from 2023 > https://lists.apache.org/thread/rxbyxg11jg7y35k8om0f8wgb2l9h459l > [2] Optional support for MySQL clients > https://airflow.apache.org/docs/docker-stack/build.html#building-images-with-mysql-client > [3] Bug from 2 years ago - https://bugs.mysql.com/bug.php?id=113432 >
