
maria-developers team mailing list archive

Re: release day of week for security releases

 

Sergei,

Thanks for the detailed situation report. I appreciate your preferences are the same as mine. I sympathise with being caught in the bind and needing to compromise on release timings. I would have done the same thing.

Glad to see things improving as they always are.

Perhaps reviewing having publicly available crash reports? The coincidence of timing seems a little close. It's a tough choice and I see you've got other urgent stuff to do so please don't let me keep you waiting.

Thanks for the explanation and releases.

----- Original Message -----
From: "Sergei Golubchik" <serg@xxxxxxxxxxxx>
To: "Daniel Black" <daniel.black@xxxxxxxxxxxxx>
Cc: maria-developers@xxxxxxxxxxxxxxxxxxx
Sent: Friday, 7 December, 2012 9:35:44 AM
Subject: Re: [Maria-developers] release day of week for security releases

Hi, Daniel!

On Dec 02, Daniel Black wrote:
> Thanks for the latest releases with security fixes.
> 
> While I appreciate that all of the development of these security fixes
> was in public (without mentioning it was a security fix - well at
> least the remote code exec), I'm wondering if security releases could
> occur on a weekday where sysadmins need not forsake part of their
> weekend to correct a public vulnerability. Just my thoughts and
> preferences. I appreciate others may consider things different.

Yes, I agree. And I'm sorry for this.

The release was delayed, because it was our first "a" release (with a
letter in the version), and neither packaging nor publishing system
was quite ready for that. Normally we try to release early in the
week.

On the other hand, after we released fixed binaries, there was a public
disclosure of this vulnerability on the various security mailing lists,
accompanied with an exploit. Apparently, it was found independently,
and almost at the same time. Had we waited with our release till Monday,
our users wouldn't have a fixed version, when the exploit went public.

> It also appears that the fedora 17 mariadb galera updates are only
> partially pushed. Maybe it's just my setup after switching from
> non-galera repo.

Probably, yes. Next week we're going to do the next MariaDB-Galera
release, and then we remove "galera repo". We will have one repository
both with galera and non-galera packages.

Regards,
Sergei


-- 
Daniel Black, Engineer @ Open Query (http://openquery.com)
Remote expertise & maintenance for MySQL/MariaDB server environments.

