- Original Message -
From: spam...@debian.org
To: ste...@pyro.eu.org
Cc: robie.ba...@ubuntu.com, t...@security.debian.org,
debian-release@lists.debian.org, pkg-mysql-ma...@lists.alioth.debian.org
Sent: Tuesday, January 26, 2016 8:15:26 AM GMT +01:00 Amsterdam / Berlin / Bern
/ Rome / Stockholm / Vienna
Subject: Re: [debian-mysql] [Summary] Request for release team decision on
MySQL and MariaDB
...
>> I was wondering why after the 2016-01-19 announcement, there is still no
>> patched mysql-5.5 in jessie or wheezy; and also why mariadb was only
>> just patched today. Debian is typically much faster than this at
>> getting out patches. Is it to do with complexity, available manpower,
>> or other things?
...
>Regarding the speed of patching: MySQL is massive. It takes several
>hours to build and fully test on a good quality machine. Because the
>patched version came out before the CVE's and CPU's attached to it, some
>of this was already done. But a final set of binaries must be prepared,
>tested, and uploaded. I think it is understandable that this might take
>more than 5 days. But it should be completed soon.
Hi,
I only have a comment on this specific question, as I only work on the
technical side:
One of the criticisms by the security team has been that Oracle hasn't done
anything to prepare the security updates. We've agreed that it makes sense for
us to do this, and for the 2016-01-19 we've been working on preparing the
patch, but it's been slow going because of unfamiliarity with the security
patching process. We can definitely do this significantly faster, it's just the
handover process for this update that's taking time.
--
Lars
