'Twas brillig, and David Walser at 13/04/12 15:31 did gyre and gimble:
> The objections to this have been quite unwarranted. It sounds like some
> people want to institute a new policy that MySQL security bugs won't be
> fixed. Upgrading to newer versions of things isn't ideal, but sometimes
> it's what has to be done, because there's no other way, and we already do
> it sometimes in other cases. There's no reason this should be any more
> controversial.

The proposal here was not just to ship a new version, but to ship a
totally different fork -> mysql -> mariadb (it's even in the subject!).

This is why there have been objections. It's not (primarily at least) to
do with shipping a newer version.

> For us, upgrading to MariaDB instead of MySQL 5.5.22 isn't any different
> than what those other distros have done. MariaDB is as much a newer
> version of what we have now as MySQL 5.5.22 is. They are both derived
> from the same code base.
> Furthermore, the other distros have been able to upgrade it apparently
> without even having to rebuild anything else, so the potential for damage
> seems to not be so great after all.

I disagree. It's a totally different package. There are also bugs
relating to how a service package is enabled/disabled on upgrade which
might lead to people having the service enabled when they have
previously specifically disabled it. Should we then patch and upgrade
rpm-helper too to deal with this issue? We've not even addressed it in
Cauldron yet, but then I think it may be something that users could live
with in a distro upgrade, but they certainly would not expect it from a
security update.

This idea just seems wrong for a stable update.

Would we have shipped LO rather than OOo as an update? I don't think so.
Would we have shipped Xorg rather than the old X as an update? I don't
think so either.

Why make a special exception for MariaDB? I would far rather ship a
newer MySQL package than (to use a cliche) change horses in midstream[1]

Col

1. http://www.phrases.org.uk/meanings/115400.html

--
Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/