Subject: 20120131: ubuntu-server IRC meeting minutes -
msg#00010

Previous Message by Date:

Re: [Maria-discuss] MySQL's future in Debian and Ubuntu

Hi! On 7 Feb 2012, at 17:50, Clint Byrum wrote: > So, here is a suggested plan, given the facts above: > > * Upload mariadb 5.3 to Debian experimental, with it providing > mysql-server, mysql-client, and libmysqlclient-dev. > > * For Ubuntu users, upload these packages to a PPA for testing > applications for compatibility, and rebuild testing. > > * If testing goes well, replace mysql-5.5 with mariadb in both Debian > unstable and Ubuntu precise. If there are reservations about switching > this late in precise's cycle, ship mysql-5.5 in precise, and push off > Ubuntu's transition until the next cycle. > > Before I strike out on this path alone, which, I understand, may sound > a bit radical, I want to hear what you all think. > > Thank you for your time and consideration. As we've spoken about this extensively before, I think the plan above is cogent and is something that should go forward. Security is no laughing matter, and we (at MariaDB) take it seriously and gladly poke around to see what's fixed, rewrite fixes if need be, etc. Let us do the heavy lifting. Another reference post: http://blog.montyprogram.com/oracles-27-mysql-security-fixes-and-mariadb/ cheers, -c -- Colin Charles, http://bytebot.net/blog/ | twitter: @bytebot | skype: colincharles MariaDB: Community developed. Feature enhanced. Backward compatible. Download it at: http://www.mariadb.org/ Open MariaDB/MySQL documentation at the Knowledgebase: http://kb.askmonty.org/ _______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@xxxxxxxxxxxxxxxxxxx Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp

Next Message by Date:

Call for testing: Security Update for tomcat6

Hi Team! We currently have a stable release update in -proposed for lucid, maverick, natty and oneiric to resolve two security issues: 1) The Hash DoS vulnerability that has been identified in a number of languages: https://bugs.launchpad.net/bugs/cve/2011-4858 2) An inefficiency in the way that tomcat handles parameters which causes a potential vulnerability: https://bugs.launchpad.net/bugs/cve/2012-0022 The update to tomcat6 is a bit bigger than the usual SRU; I have done some limited testing using the solr-tomcat package (and it looks OK) but due to the size of the changes it would be great for this proposed update to get more exposure before it enters -updates! If you can find the time to try this proposed update out please log successful/unsuccessful testing on this bug report: https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/909828 Please follow these instructions to enable -proposed: https://wiki.ubuntu.com/Testing/EnableProposed Thanks in advance and please ping me (jamespage in #ubuntu-server) if you need any help. Cheers James -- James Page Ubuntu Core Developer -- ubuntu-server mailing list ubuntu-server@xxxxxxxxxxxxxxxx https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam

Previous Message by Thread:

MySQL's future in Debian and Ubuntu

Many of us in the Free and Open Source software community have seen a trend regarding Oracle's stewardship of Open source software that it inherited when it purchased Sun. In particular there were two fairly large public project blow ups that resulted in OpenOffice splintering, and the Hudson community (almost?) completely moving to an independent fork called Jenkins. It has been brought to my attention that MySQL may have gone this way as well, but in a much more subtle way. This started about a year ago, and has only recently really become obvious. A few notable fellows from the MySQL ecosystem have commented: Mark Callaghan http://mysqlha.blogspot.com/2011/02/where-have-bugs-gone.html (read the comments on this one, very informative, and most of the commenters are extremely important non-Oracle members of the MySQL community) http://mysqlha.blogspot.com/2011/11/great-work-bug-12704861-was-fixed.html Stewart Smith: http://www.mysqlperformanceblog.com/2011/11/20/bug12704861/ And the CVE's are extremely vague: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0119 "Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors" Links to here: http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Which links to here: http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1390289.1 Which requires an account (which I created). I did try to login but got some kind of failure.. "Failure of server APACHE bridge:". The bzr commits for the latest MySQL releases also reference log bug#'s that are thought to belong to the private oracle support system, not accessible to non-paying customers. This is all very troubling, as in a Linux distribution, we must be able to support our users and track upstream development. So what should we, the Debian and Ubuntu MySQL maintainers and users, do about this? Well there is a Jenkins to MySQL's Hudson, a LibreOffice to their OpenOffice. MariaDB 5.3, in release-candidate now, is 100% backward compatible with MySQL 5.1. It also includes a few speedups and features that can be found in MySQL 5.5 and Percona Server. It is developed 100% in the open, on launchpad.net, including a public bug tracker and up to date bzr trees of the code. http://mariadb.org https://launchpad.net/maria I'm writing to the greater Debian and Ubuntu community to ask for your thoughts on a proposal to drop MySQL in favor of MariaDB. Its clear to me that Oracle is not going to do work in the open, and this will become a huge support burden for Linux distributions. The recent CVE's had to be hunted down and investigated at great difficulty to several people, since the KB articles referenced and the internal Oracle bug numbers referenced were not available. This will only get harder as the community bug tracker gets further out of sync with the private one. There is some need to consider acting quickly: Ubuntu precise, the next LTS release of Ubuntu will be hitting feature freeze on Feb. 16. The release, due in April, will be supported with security updates for 5 years. That may be 5 long years of support if MySQL continues to obscure things. Debian wheezy is still quite far off, but it is critical that this be done and decided by the time the release freeze begins. So, here is a suggested plan, given the facts above: * Upload mariadb 5.3 to Debian experimental, with it providing mysql-server, mysql-client, and libmysqlclient-dev. * For Ubuntu users, upload these packages to a PPA for testing applications for compatibility, and rebuild testing. * If testing goes well, replace mysql-5.5 with mariadb in both Debian unstable and Ubuntu precise. If there are reservations about switching this late in precise's cycle, ship mysql-5.5 in precise, and push off Ubuntu's transition until the next cycle. Before I strike out on this path alone, which, I understand, may sound a bit radical, I want to hear what you all think. Thank you for your time and consideration. -- ubuntu-server mailing list ubuntu-server@xxxxxxxxxxxxxxxx https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam

Next Message by Thread:

Call for testing: Security Update for tomcat6

Hi Team! We currently have a stable release update in -proposed for lucid, maverick, natty and oneiric to resolve two security issues: 1) The Hash DoS vulnerability that has been identified in a number of languages: https://bugs.launchpad.net/bugs/cve/2011-4858 2) An inefficiency in the way that tomcat handles parameters which causes a potential vulnerability: https://bugs.launchpad.net/bugs/cve/2012-0022 The update to tomcat6 is a bit bigger than the usual SRU; I have done some limited testing using the solr-tomcat package (and it looks OK) but due to the size of the changes it would be great for this proposed update to get more exposure before it enters -updates! If you can find the time to try this proposed update out please log successful/unsuccessful testing on this bug report: https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/909828 Please follow these instructions to enable -proposed: https://wiki.ubuntu.com/Testing/EnableProposed Thanks in advance and please ping me (jamespage in #ubuntu-server) if you need any help. Cheers James -- James Page Ubuntu Core Developer -- ubuntu-server mailing list ubuntu-server@xxxxxxxxxxxxxxxx https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam