Hi,

On 08/05/2020 11:39, Chris Lamb wrote:
>> The 3 recent vulnerabilities are an opportunity to refresh the package,
>> so as not to have too big of a diff should a more critical vulnerability
>> happen in the future.
>
> No objections in theory but I am finding it difficult to gauge the
> risk of introducing problems by refreshing this package without
> knowing much about it.
>
> (Do we have an idea of how big the debdiff would be for this initial
> upload?

I had published the wheezy debdiff at:
https://www.beuc.net/tmp/debian-lts/mysql-connector-java/
It's big (700kB), but it will keep growing bigger.

> Have we had issues in the past?

Maybe Markus (as last uploader) or Emmanuel (former maintainer) have feedback on upgrading libmysql-connector-java to the latest stable dot-release, 5.1.42 -> 5.1.49?

> Is there another metric we can use?)

The test suite is a good indicator of whether regressions occurred:
https://wiki.debian.org/LTS/TestSuites/mysql-connector-java
So far I didn't see regressions; there are still some failing tests (in both the current and the proposed versions) that require some classpath fiddling, which I'll tackle if we follow this path.

More generally, the "not updating the package" alternative also has consequences, namely not fixing 3 opaque vulnerabilities of varying severity, and a reduced ability to fix a severe issue in the future.

The "backporting the patches" alternative seems impractical since, even with the changelog, I'm not able to distinguish what is a bug fix and what is a vulnerability fix, neither in this upload nor in the last one.

The "drop security support" alternative can be considered as well, though given that we do have a stable branch from upstream, this sounds a bit harsh.

The "replace with a mariadb-connector-java backport" alternative is likely to introduce more issues, starting with having a different Java package name.

So, do we refresh mysql-connector-java in all affected suites? :)

Cheers!
Sylvain
