[ubuntu-hardened] MRE request: mysql-5.5
clint at ubuntu.com
Thu Feb 6 23:04:23 UTC 2014
Excerpts from Robie Basak's message of 2014-02-06 05:31:47 -0800:
> Application drafted by MySQL upstream:
> I would like to apply for a micro release exception for MySQL
> - Micro releases happen from low-volume stable branches,
> approximately once every two months.
> - Stable branches are supported with bug fixes for 8 years.
> - Upstream commits are reviewed by members of the MySQL Server
> Engineering team.
> - All commits to stable branches are evaluated wrt. potential
> regressions and signed off by the MySQL Support team.
> - Unit tests and regression tests are run on multiple platforms per
> push to the source code repository. In addition, there are more
> extensive test suites run daily and weekly.
> - Unit and regression tests are run on both debug and optimized
> - Each micro release receives extensive testing between code freeze
> and release. This includes the full functional test suite,
> performance regression testing, load and stress testing and
> compatibility and upgrade testing from previous micro and
> minor/major releases.
> - Tests are run on all supported platforms.
> In Ubuntu:
> - Unit and regression tests are run as part of the package build
> process, and the package FTBFS if tests fail.
> - Micro releases for MySQL Server 5.1 and 5.5 have routinely been
> accepted as security updates since Ubuntu 12.04 without known
> Additional notes (by rbasak):
> +1 from the Ubuntu Server team. We've been in regular contact with
> upstream for a while now, including their attendance at a number of past
> vUDSs. I met them last weekend at FOSDEM, and we discussed this
> Upstream do not make security patches publicly available, instead
> releasing a new stable release each time security updates are required.
> Thus, the security team have had no choice but to bump to the latest
> release for mysql-5.5 security updates anyway.
Just to clarify... the security patches are "available"... they're just
not documented as security patches, nor are the bug reports linking to
them available. So it ranges from "tedious" to "nearly impossible" to
extract the patches from the upstream code trees.
> So users get a micro release bump that includes bugfixes when there is a
> security update, but do not get bugfixes if there is an upstream stable
> release that does not include any security updates.
> Given that this happens, it is an odd situation that users end up
> effectively waiting for a security vulnerability to get any intermediate
+1 from me. Oracle has committed to not breaking backward compatibility
in these releases unless it is a security flaw to be backward
compatible. They've delivered on that, and I think this MRE is a slam