Excerpts from Steven Chamberlain's message of 2016-01-27 12:30:09 -0800:
> I'll try to make this my last intervention in this thread. Because
> it's not my decision, or area of responsibility, and I likely won't be
> one of the people having to do the work when a decision is made, but...
>

I appreciate your words very much Steven.

> Clint Byrum wrote:
> > most of these CVEs would remain fully undisclosed and unfixed in both
> > MySQL and MariaDB if the MySQL engineering team or customers had not
> > found them.
>
> Sorry, this is not compelling. As long as Oracle sells MySQL to
> enterprise, it *must* do these things, and release source code to
> satisfy legal obligations of what is a GPL codebase. It is really only
> doing the bare minimum in that regard. It was also a condition of
> Oracle's acquisition of MySQL AB:
>
> "As part of the negotiations with the European Commission, Oracle
> committed that MySQL server will continue until at least 2015 to use the
> dual-licensing strategy long used by MySQL AB, with proprietary and GPL
> versions available"
> according to
> https://en.wikipedia.org/wiki/MySQL#Legal_disputes_and_acquisitions
>
> Oracle may still drop MySQL support like a hat due to market conditions,
> regardless of whether Debian has already shipped it by then.
>

The code dump is definitely a condition, but it turns out that's also
prevented an actual fork of their work from forming. MariaDB does pull
things in, but it's forked so far now that there's still enough
compelling reason to run Oracle's code-dumped version that people choose
to do it every day.

> And apart from sponsoring Debian packaging work, Oracle seems
> conspicuously missing from:
> http://debconf16.debconf.org/sponsors.html
> http://debconf15.debconf.org/
> https://www.debian.org/mirror/sponsors
> https://www.freexian.com/en/services/debian-lts.html
>

I think this unfairly characterizes them as free riders when the point
we've been trying to make is that they're not free riding, but just
choosing to contribute with engineering time.

> Clint Byrum wrote:
> > [...] if it were written down somewhere as an actual policy. [...]
>
> Norvald H. Ryeng wrote:
> > Tell us exactly what you want, in detail. If you don't then I don't
> > think your position is reasonable.
>
> Robie Basak wrote:
> > So please: the security team needs to engage directly with Oracle by
> > responding to Norvald's email and enumerating exactly what is wrong.
>
> I don't see that Debian has to do that, at all. Other upstream projects
> seem to 'just get it', so Oracle management is really expecting special
> treatment. IMHO I respond to bad dealings with a company by shopping
> elsewhere, not helping them improve their business practices.
>

Of course Debian doesn't have to do it. However, here you have a
corporate citizen who _wants_ to contribute, and they're being told to
buzz off. When asking why, they're getting derisive "if you have to ask
you'll never know" type of treatment. Just because we don't like them
doesn't mean we can kick them out of our club.

> This is perhaps more significant than a mere decision over what goes
> into the next release. I see a really fantastic, rare opportunity for
> Debian to take a moral stand against Oracle for shameful mistreatment
> of free software to date. rock on \m/
>

So basically "they're bad people by my own conjecture, so let's stick it
to them". I am sorry, but I thought Debian would welcome those who
follow our rules.

> Niels Thykier wrote:
> > I appreciate that the release team failed on action item several
> > months back and have not been very proactive in the communication.
> > And I am sorry that it has (and probably will) inconvenience you and
> > MySQL upstream.
>
> I do have personal sympathy for Debian contributors who became entwined,
> by their career choices, with the business preferences of Oracle and
> Canonical. And the team of MySQL developers who must work under
> Oracle's non-disclosure policies. But I don't think it should get in
> the way of doing whatever seems right for Debian's users and by its
> own principles.
>

This is a very broad statement, and I suggest you add _specifics_ to any
accusations that somehow having MySQL in the archive is bad for Debian's
principles.
Which principles are not being upheld? The users are getting well
maintained Free software. The fact that it's being done in a way that we
all think is silly (and make no mistake, I think it is one of the
silliest things I've ever seen in open source software) isn't a valid
reason to reject it. It just feels good to say. If you want to kick them
out, by all means, do it. But have an actual reason please.

