Hi Otto,

On Thu, Mar 02, 2017 at 01:04:16AM +0200, Otto Kekäläinen wrote:
> Sorry for the late reply. I think that the urgent security slip was
> already fixed by updating mariadb-10.1 to have the correct conflicts.

I believe this is incorrect. The only commit addressing this is
https://anonscm.debian.org/git/pkg-mysql/mariadb-10.1.git/commit/?id=75fa84af6bdf84ff95bd0cabb2a8966330d77154,
right? That drops a Depends line only. It'll stop users hitting it by
default, which they were on upgrade from jessie I think since
default-mysql-server became MariaDB. However, if users do install
mariadb-common while mysql-server-5.7 (or 5.6) is still installed, I
believe the security issue will still happen.

> from happening again, but then again we already have quite a lot of
> virtual and metapackages, and this feels a bit of over-engineering and
> I am afraid that while solving the issue it also adds to the stuff we
> need to maintain and document etc. Due to backwards compatibility we
> might have to maintain in parallel anyway the direct conflicts plus
> the usage of this new metapackage.

As above, I don't think we have a direct conflict right now. If we did
have one, this matter would be less urgent.

Another approach might be to do it entirely in code in
src:mysql-defaults. Since we have a wrapper that both MySQL and MariaDB
packaging use, we might be able to do something in there. However, I'm
not sure what we'd do if mysql-server-5.7 and mariadb-common both want
the symlink, since whatever we choose one of the two variants will
somehow be broken.

> Please allow for some more time for me to think about this before
> introducing new metapackages.

Sure. Unless I'm mistaken though, can we add the mariadb-common
Conflicts: mysql-server-5.6, mysql-server-5.7 now?

> > This presumably can't go in during the stretch freeze, so is it time to
> > branch off in git for stretch across mysql-defaults, mysql-5.7 (maybe
> > not needed as it's not in stretch) and mariadb-10.1 as needed, so we can
> > start committing changes for post-stretch?
>
> Personally I'd like to focus my time right now on 'stand-by' for
> potential issues that might still pop up during the freeze. I didn't
> find a nice overview of how many RC bugs there still are for Stretch
> or such (mostly browsing https://release.debian.org/), but I assume
> the release is near and then we can for sure branch off maintenance
> branches.

OK, but I think the Conflicts should go into stretch at least.

Robie