[Bug 1768119] Re: [MIR] percona-xtradb-cluster-5.7, percona-xtrabackup, libdbd-mysql-perl

Mathieu Trudel-Lapierre mathieu.tl at gmail.com
Tue Oct 30 14:11:35 UTC 2018


All these have a very active security history, it would be good to have
an official buy-in from the Security team. They will also benefit from a
security review.

I'm concerned by percona-xtrabackup, it does not seem well maintained in
Debian, which increases the work for us. It is not up to date in the
Ubuntu archive either. There's also a patch for mips assembler, which
doesn't fill me with confidence.

percona-xtradb-cluster has had a lot of CVEs in the past. It also seems
to be slightly out of date in the Ubuntu archive, and newer versions are
not at all in Debian.

libdbd-mysql-perl is in a set of packages that we typically consider to
be well-maintained in Debian, which is a good sign. Tests exist and are
run at build time, that's good.

Are there any plans, any steps to move away from Percona software, which
seems to be relatively poorly maintained?

** Changed in: libdbd-mysql-perl (Ubuntu)
     Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team (ubuntu-security)

** Changed in: percona-xtrabackup (Ubuntu)
     Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team (ubuntu-security)

** Changed in: percona-xtradb-cluster-5.7 (Ubuntu)
     Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team (ubuntu-security)

** Changed in: percona-xtrabackup (Ubuntu)
       Status: New => Incomplete

** Changed in: percona-xtradb-cluster-5.7 (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libdbd-mysql-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1768119

Title:
  [MIR] percona-xtradb-cluster-5.7, percona-xtrabackup, libdbd-mysql-perl

Status in libdbd-mysql-perl package in Ubuntu:
  New
Status in percona-xtrabackup package in Ubuntu:
  Incomplete
Status in percona-xtradb-cluster-5.7 package in Ubuntu:
  Incomplete

Bug description:
  percona-xtradb-cluster-5.7
  --------------------------
  [Availability]
  Currently in universe

  [Rationale]
  Percona XtraDB cluster is the database deployed with every OpenStack deployment performed and recommended by Canonical and therefore should be fully supported by Canonical and in Ubuntu Main.

  [Security]
  While there aren't CVEs open for percona-xtradb-cluster-5.7, it is the latest in a series of package versions where previous versions do have CVE histories as can be seen by searching for "percona-xtradb-cluster" at https://people.canonical.com/~ubuntu-security/cve/universe.html.

  [Quality Assurance]
  The package does prompt for a MySQL administrative "root" user password during install. Note that 2 systemd unit files are provided, one for the bootstrap node (can be started with 'systemctl start mysql@bootstrap') and another for non-bootstrap nodes (can be started with 'systemctl start mysql') in order to bootstrap a cluster. There are no major bugs in Ubuntu and there are no major bugs in Debian. Note that there are bugs currently open for prior versions of this package as can be seen at https://bugs.launchpad.net/ubuntu and searching for "percona-xtradb-cluster".

  [Dependencies]
  All are in main except for libdbd-mysql-perl

  [Standards Compliance]
  FHS and Debian Policy compliant.

  [Maintenance]
  ?

  [Background]
  Percona XtraDB Cluster is based on the Percona Server database server and provides a High Availability solution. Percona XtraDB Cluster provides synchronous replication, supports multi-master replication, parallel applying on slaves, automatic node provisioning with primary focus on data consistency.

  percona-xtrabackup
  ------------------
  [Availability]
  Currently in universe

  [Rationale]
  Percona XtraBackup is the backup utility that is used to back up Percona XtraDB cluster databases in OpenStack deployments performed and recommended by Canonical and therefore should be fully supported by Canonical and in Ubuntu Main.

  [Security]
  There are 2 CVEs listed for percona-xtrabackup at https://people.canonical.com/~ubuntu-security/cve/universe.html.

  [Quality Assurance]
  Package works out of the box with no prompting. There are no major bugs in Ubuntu. There is a "Grave" and a "Serious" bug open in Debian for old versions of the package.

  [Dependencies]
  All are in main except for libdbd-mysql-perl

  [Standards Compliance]
  FHS and Debian Policy compliant.

  [Maintenance]
  ?

  [Background]
  Percona XtraBackup is an open-source hot backup utility for MySQL that doesn't lock your database during the backup. It can back up data from InnoDB, XtraDB and MyISAM tables on MySQL/Percona Server 5.1 and 5.5 servers, and has many advanced features.

  libdbd-mysql-perl
  -----------------
  [Availability]
  Currently in universe

  [Rationale]
  libdbd-mysql-perl is a dependency of percona-xtradb-cluster-5.7 and percona-xtrabackup.

  [Security]
  No security history.

  [Quality Assurance]
  Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

  [Dependencies]
  All are in main

  [Standards Compliance]
  FHS and Debian Policy compliant.

  [Maintenance]
  ?

  [Background]
  Perl5 database interface to the MariaDB/MySQL database

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libdbd-mysql-perl/+bug/1768119/+subscriptions


