← Back to team overview

maria-developers team mailing list archive

Re: release day of week for security releases


Hi, Daniel!

On Dec 02, Daniel Black wrote:
> Thanks for the latest releases with security fixes.
> While I appreciate that all of the development of these security fixes
> was in public (without mentioning it was a security fix - well at
> least the remote code exec), I'm wondering if security releases could
> occur on a weekday where sysadmins need not forsake part of their
> weekend to correct a public vulnerability. Just my thoughts and
> preferences. I appreciate others may consider things different.

Yes, I agree. And I'm sorry for this.

The release was delayed, because it was our first "a" release (with a
letter in the version), and neither packaging nor publishing system
wasn't quite ready for that. Normally we try to release early in the

On the other hand, after we released fixed binaries, there was a public
disclosure of this vulnerability on the various security mailing lists,
accompanied with an exploit. Apparently, it was found independently,
and almost at the same time. Had we waited with our release till Monday,
our users wouldn't have a fixed version, when the exploit went public.

> It also appears that the fedora 17 mariadb galera updates are only
> partially pushed. Maybe its just my setup after switching from
> non-galera repo.

Probably, yes. Next week we're going to do the next MariaDB-Galera
release, and then we remove "galera repo". We will have one repository
both with galera and non-galera packages.


Follow ups