Hello Otto, thanks for taking on this work. The Launchpad branches may be a convenient mechanism for managing packaging in the devel branch but it is not an ideal fit for security updates. I suspect that you can make it work, but working with the raw packaging pieces alone may be easier.
When we update MySQL, the process usually looks like this:

1) Download the MySQL sources for all releases that are going to be updated. (We use 'umt download mysql-5.5', where 'umt' is an unpackaged tool that helps standardize the updates process; apt-get source should also work, but it won't automatically download versions from all supported releases.)
2) Download the new MySQL tarball from Oracle and check signatures.
3) Rename the tarball to *.orig.tar.gz
4) Edit debian/changelog to indicate a new upstream release, CVEs closed, reference a Launchpad tracking bug to make it easy to see which releases get the updated packages, and give each release a version-specific number to ensure upgrades go smoothly.
5) quilt push -a -- note failures, determine if patches need to be dropped because they were integrated upstream or just need to be refreshed.
6) quilt pop -a -- this cleans up the .pc/ directory and the sources and makes diffs far more legible.
7) Build and test

I assume the process for MariaDB will be largely identical.

Of course, sponsored updates will require more work to capture the changes made to the packaging. Normally we ask for a "debdiff" between the old and the new package, which is efficient for reviewing and applying when the changes are small. This process doesn't work well for wholesale updates of huge software suites -- no one wants to read a diff of a compressed tarball -- so the process is slightly different.

You'll go through these same steps, but we'll need a patch that we can apply to the unpacked sources to update the fuzz in the patches we keep and drop the patches we no longer need. We can download the new tarball ourselves but please include the sha256sum of the tarball you used to ensure we're working from the same page. (Best would be to convince the MariaDB developers to sign their packages.)
Probably using cp -a to make a complete copy of the unpacked source tree would be the best way to make a patch for the debian/ directory changes. It would be worthwhile to review this patch by hand to ensure it is minimal and correct; we'll check it for .pc files, editor detritus, etc., but the fewer issues we find the faster we can get updates to our users.

Thanks again Otto, please don't hesitate to ask questions.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1313187

Title: USN-2170-1: MySQL vulnerabilities also applies to MariaDB
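The tarball checksum comparison and the scan for .pc files and editor detritus that the message above asks for, as an added example that is not part of the original message or of Ubuntu's own tooling. The function names, the file-name patterns treated as residue, and the sample patch are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample patch are constructed.

# verify_tarball_sha256 FILE EXPECTED_HEX
# Succeeds only when FILE hashes to the digest the contributor reported.
verify_tarball_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# patch_detritus PATCHFILE
# Prints each path in the unified diff that is quilt state (.pc/) or
# editor/patch residue. Exit status is 1 if anything was printed.
patch_detritus() {
    awk '
        function check(p) {
            if (p == "/dev/null") return
            sub("^[^/]+/", "", p)     # drop the tree prefix (old/, new/, a/, b/)
            if (p ~ "(^|/)[.]pc/" || p ~ "(~|[.]swp|[.]orig|[.]rej)$" || p ~ "(^|/)[.]?#[^/]*$")
                if (!seen[p]++) { print p; bad = 1 }
        }
        # A file header is a "--- " line immediately followed by a "+++ " line.
        substr($0, 1, 4) == "+++ " && substr(prev, 1, 4) == "--- " {
            split(prev, o); check(o[2]); check($2)
        }
        { prev = $0 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed patch: one intended change, plus quilt state and an editor backup.
sample_patch() {
    cat <<'EOF'
--- old/debian/patches/series
+++ new/debian/patches/series
@@ -1,2 +1 @@
 keep-this.patch
-merged-upstream.patch
--- old/.pc/applied-patches
+++ new/.pc/applied-patches
@@ -0,0 +1 @@
+keep-this.patch
--- old/debian/control~
+++ new/debian/control~
@@ -0,0 +1 @@
+Source: mariadb-5.5
EOF
}

tmp=$(mktemp) && sample_patch > "$tmp"
patch_detritus "$tmp" || echo "not minimal: drop the paths listed above"
rm -f "$tmp"
```

Running `quilt pop -a` before generating the patch, as in step 6, is what keeps the .pc/ entries out in the first place; the scan only catches what was missed.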