List: Internals
From: Clint Byrum  Date: February 17 2012 4:39pm
Subject: Re: MySQL's future in Debian and Ubuntu
Excerpts from Clint Byrum's message of Tue Feb 07 01:50:18 -0800 2012:
> Many of us in the Free and Open Source software community have seen a
> trend regarding Oracle's stewardship of Open source software that it
> inherited when it purchased Sun. In particular there were two fairly
> large public project blow ups that resulted in OpenOffice splintering,
> and the Hudson community (almost?) completely moving to an independent
> fork called Jenkins.
> 
> It has been brought to my attention that MySQL may have gone this way
> as well, but in a much more subtle way. This started about a year ago,
> and has only recently really become obvious.
> 
> A few notable fellows from the MySQL ecosystem have commented:
> 
> Mark Callaghan
> http://mysqlha.blogspot.com/2011/02/where-have-bugs-gone.html
> (read the comments on this one, very informative, and most of the
> commenters are extremely important non-Oracle members of the MySQL
> community)
> 
> http://mysqlha.blogspot.com/2011/11/great-work-bug-12704861-was-fixed.html
> 
> Stewart Smith:
> http://www.mysqlperformanceblog.com/2011/11/20/bug12704861/
> 
> And the CVEs are extremely vague:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0119
> 
> "Unspecified vulnerability in the MySQL Server component in Oracle MySQL
> 5.1.x and 5.5.x allows remote authenticated users to affect availability
> via unknown vectors"
> 
> Links to here:
> 
> http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
> 
> Which links to here:
> 
> http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1390289.1
> 
> Which requires an account (which I created). I did try to login but got
> some kind of failure.
> 
> "Failure of server APACHE bridge:".
> 
> The bzr commits for the latest MySQL releases also reference log bug #s
> that are thought to belong to the private Oracle support system, not
> accessible to non-paying customers.
> 
> This is all very troubling, as in a Linux distribution, we must be able
> to support our users and track upstream development.
> 
> So what should we, the Debian and Ubuntu MySQL maintainers and users,
> do about this?
> 
> Well there is a Jenkins to MySQL's Hudson, a LibreOffice to their
> OpenOffice.
> 
> MariaDB 5.3, in release-candidate now, is 100% backward compatible with
> MySQL 5.1. It also includes a few speedups and features that can be found
> in MySQL 5.5 and Percona Server. It is developed 100% in the open, on
> launchpad.net, including a public bug tracker and up to date bzr trees
> of the code.
> 
> http://mariadb.org
> https://launchpad.net/maria
> 
> I'm writing to the greater Debian and Ubuntu community to ask for your
> thoughts on a proposal to drop MySQL in favor of MariaDB. It's clear to
> me that Oracle is not going to do work in the open, and this will become
> a huge support burden for Linux distributions. The recent CVEs had to
> be hunted down and investigated at great difficulty to several people,
> since the KB articles referenced and the internal Oracle bug numbers
> referenced were not available.
> 
> This will only get harder as the community bug tracker gets further out
> of sync with the private one.
> 
> There is some need to consider acting quickly:
> 
> Ubuntu precise, the next LTS release of Ubuntu, will be hitting feature
> freeze on Feb. 16. The release, due in April, will be supported with
> security updates for 5 years. That may be 5 long years of support if
> MySQL continues to obscure things.
> 
> Debian wheezy is still quite far off, but it is critical that this be
> done and decided by the time the release freeze begins.
> 
> So, here is a suggested plan, given the facts above:
> 
> * Upload mariadb 5.3 to Debian experimental, with it providing
> mysql-server, mysql-client, and libmysqlclient-dev.
> 
> * For Ubuntu users, upload these packages to a PPA for testing
> applications for compatibility, and rebuild testing.
> 
> * If testing goes well, replace mysql-5.5 with mariadb in both Debian
> unstable and Ubuntu precise. If there are reservations about switching
> this late in precise's cycle, ship mysql-5.5 in precise, and push off
> Ubuntu's transition until the next cycle.
> 
> Before I strike out on this path alone, which, I understand, may sound
> a bit radical, I want to hear what you all think.
> 
> Thank you for your time and consideration.

Thanks everyone for all of the thoughts and the great discussion that
has taken place since my original message.

As a smart person once said, "The plan is nothing, Planning is
everything."

In the course of looking at this from many different angles, I think
I have come to understand the different facets of the problem and the
situation that Debian and Ubuntu are in with regard to MySQL.

To re-cap, the original suggestion was that we might "replace" MySQL with
MariaDB in Debian and Ubuntu. This was somewhat ambiguous, and probably
needed clarification. My intention was to suggest that MariaDB would be
the database that Ubuntu supports, not that MySQL would be removed from
Debian or Ubuntu. If it still meets the requirements for inclusion in
either distribution, it should remain there.

In discussing this with various parties, it has become clear that Oracle
does not intend to change their policy on security updates, and will
continue to keep them hidden. This is unfortunate for the model that
Debian and Ubuntu have traditionally taken for MySQL, which was to just
cherry pick security fixes, and avoid importing all of the incompatible
changes that get introduced on a regular basis.

However, the code is still Free, and the releases are still available to
us with the fixes in them. We are not exposing Debian or Ubuntu users
to any new dangers. For this reason, as a conservative step, it seems
clear that for Precise Pangolin (the upcoming 12.04 release of Ubuntu),
we should continue to release with MySQL 5.5. I do expect that this may
be a somewhat painful decision, as we will be forced to release any bug
fix release from Oracle as a whole update. However, it is less of a risk
than switching out for a totally new code base with more than half of
the release cycle done.

In order to prepare for a potential promotion of MariaDB and/or Percona
Server to Ubuntu main, I am going to work toward getting them both into
the Ubuntu and Debian archives ASAP. Because we are past feature freeze
in Ubuntu, there is no guarantee that they will ship with precise in
universe. I will make sure that they are able to replace the precise
mysql package in such a way that we can put them into our backports
repository and have them available to precise users for testing.

I think this will give users a "way out" if they do not want to stay
on the track of running the latest patch release of MySQL all of the
time. Of course, users can also just get these packages from Percona or
the MariaDB project directly until this is complete.

For Debian, I think it's clear that MySQL should stay in Debian. What
is not clear is how much of my time and other maintainers' time will be
spent on it going forward. I think that is up for individual contributors
to decide. I will continue to spend time to make sure that the Debian
packages stay in sync with whatever goodness we have added to the Ubuntu
packages as time permits.

Long term, we need to have a frank and open discussion about how important
it is to us, and our users, that we cherry pick fixes rather than ship
upstream releases. I'd like to invite everyone who is interested in
solving this in Ubuntu and Debian to join us at the next Ubuntu Developer
Summit in Oakland, CA, USA, the week of May 7th - May 11th. More details
can be found here:

http://uds.ubuntu.com/

Watch the ubuntu-server mailing list[1] for details on how to join
the discussion.

-Clint

[1] https://lists.ubuntu.com/mailman/listinfo/ubuntu-server