Bug#923347: No sensible security support due to Oracle's policies
> let's apply the policy buster and
> revisit one year before bullseye, maybe there's a more friendly fork by then
> which Debian can adopt.

yesterday the package got removed from testing; i'm not going to seek to reintroduce it

--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
Bug#923347: No sensible security support due to Oracle's policies
On Thu, Mar 28, 2019 at 07:29:07PM -0400, Sandro Tosi wrote:
> Hello Moritz,
> could you please reply to the points made below? thanks!

Sorry, missed your reply.

> > what kind of security support do Debian provide to the mysql server
> > packages?

None at all, they're only in unstable for that reason (Debian switched to MariaDB which is more transparent).

> > > This leaves us with the following options for buster:
> > > - There are no reverse dependencies in buster, remove it from testing
> > >   and hope that someone less hostile to the FLOSS community creates a
> > >   fork
> >
> > from a quick look (on unstable):
> >
> > $ apt-cache rdepends python-mysql.connector
> > python-mysql.connector
> > Reverse Depends:
> >   mysql-utilities
> >   mysql-workbench
> > $ apt-cache rdepends python3-mysql.connector
> > python3-mysql.connector
> > Reverse Depends:
> >   openlp
> >   python3-sql
> >
> > so some packages, not many, didn't verify if they are in buster atm

mysql-utilities and mysql-workbench are not in buster. openlp and python3-sql are.

> > > - Aside from the packaged software and given that this is the only Python
> > >   binding for mysql/mariadb, there's most definitely a sizable number of
> > >   inhouse code using that module. Update src:debian-security-support to
> > >   mark mysql-connector-python as unsupported and add a README.Debian.security
> > >   which also documents this status within the package itself.
> >
> > i think this is up to the security team to decide, no?

IMHO ideally we'd not ship any code by Oracle and their ugly policies, but sometimes (and especially late in the freeze), compromises/middlegrounds are necessary. If you as the maintainer are fine with that, let's apply the policy buster and revisit one year before bullseye, maybe there's a more friendly fork by then which Debian can adopt.

Cheers,
Moritz
Bug#923347: No sensible security support due to Oracle's policies
Hello Moritz,
could you please reply to the points made below? thanks!

On Wed, Feb 27, 2019 at 12:23 AM Sandro Tosi wrote:
> Hello Moritz,
> i'm not sure what kind of input you're expecting from (if at all, and
> this RC is mostly for the RT), but i'll reply
>
> > mysql-connector-python is affected by Oracle's policy of not disclosing
> > what security fixes they fix.
> >
> > CVE-2019-2435 is labeled with a CVSS 8.1/10 score and only fixed in
> > 8.x, while the version in stretch (2.1.x) is marked as vulnerable,
> > but no 2.1.9 release is available, i.e. we cannot effectively provide
> > a fix within stable only 20 months after stretch was released.
> >
> > This renders mysql-connector-python unsuitable for inclusion in a stable
> > release with security support.
>
> what kind of security support do Debian provide to the mysql server
> packages?
>
> > This leaves us with the following options for buster:
> > - There are no reverse dependencies in buster, remove it from testing
> >   and hope that someone less hostile to the FLOSS community creates a
> >   fork
>
> from a quick look (on unstable):
>
> $ apt-cache rdepends python-mysql.connector
> python-mysql.connector
> Reverse Depends:
>   mysql-utilities
>   mysql-workbench
> $ apt-cache rdepends python3-mysql.connector
> python3-mysql.connector
> Reverse Depends:
>   openlp
>   python3-sql
>
> so some packages, not many, didn't verify if they are in buster atm
>
> > - Aside from the packaged software and given that this is the only Python
> >   binding for mysql/mariadb, there's most definitely a sizable number of
> >   inhouse code using that module. Update src:debian-security-support to
> >   mark mysql-connector-python as unsupported and add a README.Debian.security
> >   which also documents this status within the package itself.
>
> i think this is up to the security team to decide, no?
>
> --
> Sandro "morph" Tosi
> My website: http://sandrotosi.me/
> Me at Debian: http://wiki.debian.org/SandroTosi
> G+: https://plus.google.com/u/0/+SandroTosi

--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
Bug#923347: No sensible security support due to Oracle's policies
Dear Moritz,

There is also another Python connector for MariaDB/MySQL in the repos, `python3-mysqldb` and `python-mysqldb`. This is not a pure Python package but a wrapper around a C module.

On Tue, 26 Feb 2019 20:32:06 +0100 Moritz Muehlenhoff wrote:
> - Aside from the packaged software and given that this is the only Python
>   binding for mysql/mariadb.
>
> Cheers,
> Moritz
Bug#923347: No sensible security support due to Oracle's policies
Hello Moritz,
i'm not sure what kind of input you're expecting from (if at all, and
this RC is mostly for the RT), but i'll reply

> mysql-connector-python is affected by Oracle's policy of not disclosing
> what security fixes they fix.
>
> CVE-2019-2435 is labeled with a CVSS 8.1/10 score and only fixed in
> 8.x, while the version in stretch (2.1.x) is marked as vulnerable,
> but no 2.1.9 release is available, i.e. we cannot effectively provide
> a fix within stable only 20 months after stretch was released.
>
> This renders mysql-connector-python unsuitable for inclusion in a stable
> release with security support.

what kind of security support do Debian provide to the mysql server
packages?

> This leaves us with the following options for buster:
> - There are no reverse dependencies in buster, remove it from testing
>   and hope that someone less hostile to the FLOSS community creates a
>   fork

from a quick look (on unstable):

$ apt-cache rdepends python-mysql.connector
python-mysql.connector
Reverse Depends:
  mysql-utilities
  mysql-workbench
$ apt-cache rdepends python3-mysql.connector
python3-mysql.connector
Reverse Depends:
  openlp
  python3-sql

so some packages, not many, didn't verify if they are in buster atm

> - Aside from the packaged software and given that this is the only Python
>   binding for mysql/mariadb, there's most definitely a sizable number of
>   inhouse code using that module. Update src:debian-security-support to
>   mark mysql-connector-python as unsupported and add a README.Debian.security
>   which also documents this status within the package itself.

i think this is up to the security team to decide, no?

--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
Bug#923347: No sensible security support due to Oracle's policies
Source: mysql-connector-python
Severity: serious

mysql-connector-python is affected by Oracle's policy of not disclosing
what security fixes they fix.

CVE-2019-2435 is labeled with a CVSS 8.1/10 score and only fixed in
8.x, while the version in stretch (2.1.x) is marked as vulnerable,
but no 2.1.9 release is available, i.e. we cannot effectively provide
a fix within stable only 20 months after stretch was released.

This renders mysql-connector-python unsuitable for inclusion in a stable
release with security support.

This leaves us with the following options for buster:
- There are no reverse dependencies in buster, remove it from testing
  and hope that someone less hostile to the FLOSS community creates a
  fork
- Aside from the packaged software and given that this is the only Python
  binding for mysql/mariadb, there's most definitely a sizable number of
  inhouse code using that module. Update src:debian-security-support to
  mark mysql-connector-python as unsupported and add a README.Debian.security
  which also documents this status within the package itself.

Cheers,
Moritz