AL13N <alien@...> writes:
> 5. someone has a better idea?
>
> considering the response i got, now i'll default to letting someone else
> handle it, which might mean it never gets fixed. that would also mean for
> me that mageia1 would be a bad version to get LTS on.
The objections to this have been quite unwarranted. It sounds like some people want to institute a new policy that MySQL security bugs won't be fixed. Upgrading to newer versions of things isn't ideal, but sometimes it's what has to be done, because there's no other way, and we already do it sometimes in other cases. There's no reason this should be any more controversial.

In researching this, it appears that for the security bugs in MySQL (and there are many, at least one of which is remotely exploitable without authentication), only the Oracle MySQL developers really know what the vulnerabilities are and how they were fixed, and they're not telling. The most recent MySQL changelog that referenced security vulnerabilities had no details, and just mentioned two bug numbers. One of those bug numbers doesn't exist. The other is not publicly viewable.

At this point, upgrading is the only solution to these security problems, and other distros have already realized this and updated to one of the newest releases. Here are some examples.

RHEL6:
https://rhn.redhat.com/errata/RHSA-2012-0105.html
https://rhn.redhat.com/errata/RHSA-2011-0164.html

Fedora 15:
https://admin.fedoraproject.org/updates/FEDORA-2012-0987/mysql-5.5.20-1.fc15

Fedora 16:
https://admin.fedoraproject.org/updates/FEDORA-2012-0972/mysql-5.5.20-1.fc16

Mandriva Enterprise Server 5, Mandriva 2011, Mandriva 2010.2:
http://www.mandriva.com/en/support/security/advisories/?name=MDVA-2012:031

Mandriva 2010.0, Mandriva 2010.1:
http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:012

For us, upgrading to MariaDB instead of MySQL 5.5.22 isn't any different than what those other distros have done. MariaDB is as much a newer version of what we have now as MySQL 5.5.22 is. They are both derived from the same code base. Furthermore, the other distros have been able to upgrade it apparently without even having to rebuild anything else, so the potential for damage seems to not be so great after all.
Finally, someone made a comment about our reputation in this thread. If we just ignore this and don't issue any security updates because it's "too hard" or "too scary," that will hurt our reputation more than anything else.
