Public bug reported:

[Availability]
MariaDB was first introduced to Ubuntu in 14.04 LTS (Trusty Tahr) with the `mariadb-5.5` package. It has been in Ubuntu universe for many years under various source package names (e.g., `mariadb-10.6`). This MIR is for the latest versionless `mariadb` source package.
The package has been actively maintained in both Debian and Ubuntu, receiving security updates. The package builds for all supported architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x.
Link to package: https://launchpad.net/ubuntu/+source/mariadb

[Rationale]
- MariaDB is a widely-used, high-performance, open-source relational database that serves as a drop-in replacement for MySQL. It is a core component of the popular LAMP (Linux, Apache, MySQL, PHP) stack. Prominent users include Wikipedia.org. As of 2025, over 50% of WordPress sites run MariaDB according to https://wordpress.org/about/stats/#mysql_version.
- Created by the original authors of MySQL, it is now more popular than MySQL for new deployments of major applications like WordPress, MediaWiki, and Nextcloud.
- Debian has exclusively shipped MariaDB as its default MySQL-variant for nearly a decade, meaning most software in Debian is tested against it.
- Promoting MariaDB to main alongside MySQL provides a choice of fully-supported, modern database servers for Ubuntu users and positions Ubuntu to potentially switch defaults if MySQL's popularity continues to decline.
- MariaDB continues to be actively developed with modern features (e.g., vector support for AI use cases in its standard open-source release) that are sometimes only available in proprietary editions of MySQL.
- This MIR covers the promotion of the core MariaDB suite to main. The binary packages to be promoted are:
  - `mariadb-server`, `mariadb-server-core`: The database server.
  - `mariadb-client`, `mariadb-client-core`: The command-line client and tools.
  - `mariadb-common`: Common configuration files.
  - `mariadb-backup`: The dedicated backup tool.
  - `libmariadb3`: The client library used by other applications.
  - `libmariadbd19t64`: The embedded server library.
  - `libmariadb-dev`, `libmariadb-dev-compat`, `libmariadbd-dev`: Development files.
  - `mariadb-client-compat`, `mariadb-server-compat`: MySQL compatibility links.
  - Transitional dummy packages like `mariadb-server-10.5`.
- The various storage engine plugins (e.g. `mariadb-plugin-rocksdb`, `mariadb-plugin-spider`), test packages (`mariadb-test`), and other non-essential components can remain in universe.

[Security]
- CVEs: https://mariadb.com/docs/server/security/securing-mariadb/security/
- Ubuntu CVE tracker: https://ubuntu.com/security/cve?package=mariadb
- Debian Security Tracker: https://security-tracker.debian.org/tracker/source-package/mariadb

As a major, network-facing database server, MariaDB has a history of security vulnerabilities. These have been actively tracked and addressed by upstream and the Debian Security Team, with the Ubuntu Security team sponsoring Ubuntu security updates and publishing USNs. The security maintenance model involves backporting fixes and new upstream point releases as needed. Recent examples include:
- USN-7548-1: https://ubuntu.com/security/notices/USN-7548-1
- USN-7519-1: https://ubuntu.com/security/notices/USN-7519-1
- USN-7376-2: https://ubuntu.com/security/notices/USN-7376-2
- USN-6839-1: https://ubuntu.com/security/notices/USN-6839-1
- USN-6600-1: https://ubuntu.com/security/notices/USN-6600-1

- MariaDB's security model is very similar to that of MySQL, which is already in main, providing a familiar foundation for security assessment.
- The package does not install `suid` or `sgid` binaries. The main `mariadbd` daemon is installed in `/usr/sbin` and runs as the unprivileged `mysql` user.
- The package installs services (`mariadb.service`) that are enabled by default.
- The package opens the standard database port 3306 by default, which is not a privileged port (< 1024). This is the industry standard for MySQL/MariaDB and is expected behavior.
- The package ships with AppArmor profiles to confine the database daemon, enhancing security.
- The package uses OpenSSL for encrypted connections.
  Recent versions of MariaDB have significantly improved security by enabling TLS by default, providing TLS auto-configuration, and adding support for modern authentication methods.

[Quality assurance - function/usage]
- The package works out-of-the-box with a default configuration suitable for development.
- For production use, it requires configuration, which is expected for a database server. The default installation uses `unix_socket` authentication for the root user, allowing passwordless administration via `sudo`. This is a modern, secure default that avoids setting a root password during installation.
- MariaDB has extensive autopkgtest, Salsa CI and review processes. In its past 10-year history in Ubuntu, the number of bugs has been very low compared to how popular and complex the package is.
- Extensive documentation is available from upstream and in the community.

[Quality assurance - maintenance]
- The package is actively maintained by upstream (MariaDB Foundation), in Debian, and in Ubuntu. The packages are maintained by the same team in both Debian and Ubuntu.
  - Ubuntu: https://bugs.launchpad.net/ubuntu/+source/mariadb/+bugs
  - Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mariadb
  - Upstream: https://jira.mariadb.org/
- The package does not deal with exotic hardware.
- The package has a Stable Release Update (SRU) exception, allowing for regular microrelease updates, which demonstrates its stability and the established process for its maintenance in Ubuntu. See https://documentation.ubuntu.com/sru/en/latest/reference/exception-MariaDB-Galera-Updates/

[Quality assurance - testing]
- The package has an extensive test suite that is run at build time. A failure in the test suite will cause the build to fail.
  - Example build log: https://launchpad.net/ubuntu/+source/mariadb/1:11.8.3-1/+build/31080430
- The package has a comprehensive set of autopkgtests that are passing on all supported architectures.
  - Autopkgtest logs: https://autopkgtest.ubuntu.com/packages/m/mariadb
- Health in Debian is good: https://tracker.debian.org/pkg/mariadb
  - Autopkgtest logs: https://ci.debian.net/packages/m/mariadb/
- Salsa CI is extensive and maintained: https://salsa.debian.org/mariadb-team/mariadb/-/commits/debian/latest
  - Link to definition: https://git.launchpad.net/ubuntu/+source/mariadb/tree/debian/salsa-ci.yml

[Quality assurance - packaging]
- debian/watch is present and works.
- debian/control defines a correct Maintainer field ("Ubuntu Developers <[email protected]>") for uploads in Ubuntu.
- The package is complex but well-maintained to the smallest details. The output of `lintian --pedantic` reports very few issues and will be attached to the bug.
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies.
- The package is not installed by default, but it is a core part of the LAMP stack. It uses debconf for initial configuration, but does not ask any questions with a priority higher than 'medium'.
- Packaging is standard for a large C++ project using cmake.
  - Link to debian/rules: https://git.launchpad.net/ubuntu/+source/mariadb/tree/debian/rules

[UI standards]
- The `mariadb-server` component is not end-user facing.
- The `mariadb-client` package provides a command-line interface (CLI) which is end-user facing. It does not require translations as it is a technical tool.
- The software does not provide a graphical UI, so no .desktop file is required.

[Dependencies]
- The `check-mir` tool reports that some build-dependencies are in universe: `libfmt-dev` and `libjudy-dev`. While these could also be included in main, none are strictly required:
  - fmtlib: In `debian/rules`, `-DHAVE_SYSTEM_LIBFMT_EXITCODE=0` instructs the build to use the system-provided fmtlib library, but the MariaDB sources also embed a copy of this formatting library which could be used as an alternative to promoting fmtlib to main.
    As the proposer of this MIR, I would recommend also having fmtlib in main because it is also a build dependency for other packages like Ceph, Doxygen, PyTorch and more.
  - judy: The Judy library is used by the OQGraph storage engine (package `mariadb-plugin-oqgraph`). MariaDB can be built without this plugin, or the binary package for the plugin can be excluded from main as an alternative to promoting judy to main. As the proposer of this MIR, I would recommend having judy in main because it rarely has any updates and is unlikely to require much effort.
- The core `mariadb-server` package has a runtime dependency on `galera-4` to support HA clustering. `galera-4` is also being proposed for inclusion in main (see separate MIR).
- All other mandatory runtime dependencies for the core packages are already in main. Some optional dependencies are only in universe, just as is the case for the MySQL packages in main.

[Standards compliance]
- This package correctly follows FHS and Debian Policy (Standards-Version: 4.7.2).

[Maintenance/Owner]
- I suggest the owning team to be the Ubuntu Server team. The expertise they already have in maintaining the MySQL packaging directly carries over to MariaDB packaging. I am committed to continue contributing and in general it seems that MariaDB packaging has many more contributors than MySQL packaging.
- The future owning team is not yet subscribed, but will subscribe to the package before promotion.
- This package does not use static builds.
- This package does not use vendored code.
- This package is not based on Rust or Go.
- The package is regularly built in the archive.
  - Build history on Launchpad: https://launchpad.net/ubuntu/+source/mariadb/+publishinghistory

[Background information]
- The package description explains the package well.
- Upstream Name: MariaDB Server
- Link to upstream project: https://mariadb.org/
- MariaDB is a community-developed, commercially supported fork of the MySQL relational database management system, intended to remain free and open-source software under the GNU General Public License.
- The Debian packaging is mature and robust, making extensive use of `Conflicts` and `Replaces` to manage seamless upgrades and coexistence with/replacement of MySQL components.
- The `libmariadb3` client library, combined with the compatibility packages, serves as a drop-in replacement for MySQL's client library, ensuring that applications built for MySQL can work with MariaDB with minimal or no changes.
- Its inclusion and continued support in main is critical for Ubuntu's role as a server platform.

** Affects: mariadb (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122095

Title:
  [MIR] mariadb

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2122095/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
