[debian-mysql] Bug#855936: Bug#850216: mysql-server-5.6: Listens on * by default after installation (related to use of alternatives)

Robie Basak robie.basak at ubuntu.com
Wed Mar 1 23:30:28 UTC 2017


Hi Otto,

On Thu, Mar 02, 2017 at 01:04:16AM +0200, Otto Kekäläinen wrote:
> Sorry for the late reply. I think that the urgent security slip was
> already fixed by updating mariadb-10.1 to have the correct conflicts.

I believe this is incorrect. The only commit addressing this is
https://anonscm.debian.org/git/pkg-mysql/mariadb-10.1.git/commit/?id=75fa84af6bdf84ff95bd0cabb2a8966330d77154,
right? That drops a Depends line only. It'll stop users hitting it by
default, which they were on upgrade from jessie I think since
default-mysql-server became MariaDB. However, if users do install
mariadb-common while mysql-server-5.7 (or 5.6) is still installed, I
believe the security issue will still happen.

> from happening again, but then again we already have quite a lot of
> virtual and metapackages, and this feels a bit of over-engineering and
> I am afraid that while solving the issue it also adds to the stuff we
> need to maintain and document etc. Due to backwards compatibility we
> might have to maintain in parallel anyway the direct conflicts plus
> the usage of this new metapackage.

As above, I don't think we have a direct conflicts right now. If we did
have one, this matter would be less urgent.

Another approach might be to do it entirely in code in
src:mysql-defaults. Since we have a wrapper that both MySQL and MariaDB
packaging use, we might be able to do something in there. However, I'm
not sure what we'd do if mysql-server-5.7 and mariadb-common both want
the symlink, since whatever we choose one of the two variants will
somehow be broken.

> Please allow for some more time for me to think about this before
> introducing new metapackages.

Sure. Unless I'm mistaken though, can we add the mariadb-common
Conflicts: mysql-server-5.6, mysql-server-5.7 now?

> > This presumably can't go in during the stretch freeze, so is it time to
> > branch off in git for stretch across mysql-defaults, mysql-5.7 (maybe
> > not needed as it's not in stretch) and mariadb-10.1 as needed, so we can
> > start committing changes for post-stretch?
> 
> Personally I'd like to focus my time right now on 'stand-by' for
> potential issues that might still pop up during the freeze. I didn't
> find a nice overview of how many RC bugs there still are for Stretch
> or such (mostly browsing https://release.debian.org/), but I assume
> the release is near and then we can for sure branch off maintenance
> branches.

OK, but I think the Conflicts should go into stretch at least.

Robie