diff mbox series

[1/1] package/mysql: change default implementation to mariadb

Message ID 20240226203532.12112-1-ju.o@free.fr
State Superseded
Series [1/1] package/mysql: change default implementation to mariadb

Commit Message

Julien Olivain Feb. 26, 2024, 8:35 p.m. UTC
The mysql package is a virtual package with two implementations:
oracle-mysql (the initial project), and mariadb (the fork of mysql).
This virtual package was introduced in commit [1] (2016).

The last version bump of oracle-mysql was in commit [2] (2014). This
mysql version 5.1.73 dates from 2013 [3].

Package statistics at [4] report 177 CVEs on this oracle-mysql
version (as of Buildroot tag 2024.02-rc1).

Finally, oracle-mysql has 12 package patches accumulated over time
and there is nobody registered in the DEVELOPER file for it.

On the other hand, the Buildroot mariadb package seems to be in
better shape: the package version is more recent, and has received
frequent updates since its introduction.

There are several packages selecting BR2_PACKAGE_MYSQL, which will use
the old oracle-mysql without the user knowing it (other than
generating the CVE list with "make pkg-stats").

In the meantime oracle-mysql receives a major update, this commit
changes the default implementation of the mysql virtual package from
oracle-mysql to mariadb.

[1] https://gitlab.com/buildroot.org/buildroot/-/commit/3d707d2b4fa6362cb37754f6c5fbb06240f5faf5
[2] https://gitlab.com/buildroot.org/buildroot/-/commit/42c56751fc554503a03d4a914ce2e814eeaf5a41
[3] https://github.com/mysql/mysql-server/releases/tag/mysql-5.1.73
[4] http://autobuild.buildroot.org/stats/master.html

Signed-off-by: Julien Olivain <ju.o@free.fr>
---
Patch tested on branch master at commit 7a9ba7a with commands:

    make check-package
    ...
    0 warnings generated

    # Build packages using mysql
    cat > .config <<EOF
    BR2_aarch64=y
    BR2_TOOLCHAIN_EXTERNAL=y
    BR2_PER_PACKAGE_DIRECTORIES=y
    BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y
    BR2_PACKAGE_MOTION=y
    BR2_PACKAGE_PERL=y
    BR2_PACKAGE_PERL_DBD_MYSQL=y
    BR2_PACKAGE_TCL=y
    BR2_PACKAGE_CPPDB=y
    BR2_PACKAGE_LIBDBI_DRIVERS=y
    BR2_PACKAGE_MARIADB_SERVER=y
    BR2_PACKAGE_APR_UTIL=y
    BR2_PACKAGE_POCO=y
    BR2_PACKAGE_POCO_DATA_MYSQL=y
    BR2_PACKAGE_DOVECOT=y
    BR2_PACKAGE_DOVECOT_MYSQL=y
    BR2_PACKAGE_COLLECTD=y
    BR2_PACKAGE_COLLECTD_MYSQL=y
    BR2_PACKAGE_FREERADIUS_SERVER=y
    BR2_PACKAGE_GERBERA=y
    BR2_PACKAGE_PURE_FTPD=y
    BR2_PACKAGE_ZABBIX=y
    BR2_PACKAGE_ZABBIX_SERVER=y
    BR2_PACKAGE_RSYSLOG=y
    BR2_TARGET_ROOTFS_EXT2=y
    BR2_TARGET_ROOTFS_EXT2_4=y
    BR2_TARGET_ROOTFS_EXT2_SIZE="500M"
    # BR2_TARGET_ROOTFS_TAR is not set
    EOF
    make olddefconfig
    make -j$(nproc)
---
 package/mysql/Config.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Peter Korsgaard March 1, 2024, 8:24 a.m. UTC | #1
>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:

 > The mysql package is a virtual package with two implementations:
 > oracle-mysql (the initial project), and mariadb (the fork of mysql).
 > This virtual package was introduced in commit [1] (2016).

 > The last version bump of oracle-mysql was in commit [2] (2014). This
 > mysql version 5.1.73 dates from 2013 [3].

 > Package statistics at [4] report 177 CVEs on this oracle-mysql
 > version (as of Buildroot tag 2024.02-rc1).

 > Finally, oracle-mysql has 12 package patches accumulated over time
 > and there is nobody registered in the DEVELOPER file for it.

 > On the other hand, the Buildroot mariadb package seems to be in
 > better shape: the package version is more recent, and has received
 > frequent updates since its introduction.

 > There are several packages selecting BR2_PACKAGE_MYSQL, which will use
 > the old oracle-mysql without the user knowing it (other than
 > generating the CVE list with "make pkg-stats").

 > In the meantime oracle-mysql receives a major update, this commit
 > changes the default implementation of the mysql virtual package from
 > oracle-mysql to mariadb.

 > [1] https://gitlab.com/buildroot.org/buildroot/-/commit/3d707d2b4fa6362cb37754f6c5fbb06240f5faf5
 > [2] https://gitlab.com/buildroot.org/buildroot/-/commit/42c56751fc554503a03d4a914ce2e814eeaf5a41
 > [3] https://github.com/mysql/mysql-server/releases/tag/mysql-5.1.73
 > [4] http://autobuild.buildroot.org/stats/master.html

 > Signed-off-by: Julien Olivain <ju.o@free.fr>
 > ---
 > Patch tested on branch master at commit 7a9ba7a with commands:

Thanks. Maybe we should instead get rid of the oracle-mysql package (and
the virtual package) if nobody cares about keeping it updated anyway?

Julien Olivain March 1, 2024, 9:45 p.m. UTC | #2
Hi Peter, All,

On 01/03/2024 09:24, Peter Korsgaard wrote:
>>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:
> 
>  > The mysql package is a virtual package with two implementations:
>  > oracle-mysql (the initial project), and mariadb (the fork of mysql).
>  > This virtual package was introduced in commit [1] (2016).
> 
>  > The last version bump of oracle-mysql was in commit [2] (2014). This
>  > mysql version 5.1.73 dates from 2013 [3].
> 
>  > Package statistics at [4] report 177 CVEs on this oracle-mysql
>  > version (as of Buildroot tag 2024.02-rc1).
> 
>  > Finally, oracle-mysql has 12 package patches accumulated over time
>  > and there is nobody registered in the DEVELOPER file for it.
> 
>  > On the other hand, the Buildroot mariadb package seems to be in
>  > better shape: the package version is more recent, and has received
>  > frequent updates since its introduction.
> 
>  > There are several packages selecting BR2_PACKAGE_MYSQL, which will use
>  > the old oracle-mysql without the user knowing it (other than
>  > generating the CVE list with "make pkg-stats").
> 
>  > In the meantime oracle-mysql receives a major update, this commit
>  > changes the default implementation of the mysql virtual package from
>  > oracle-mysql to mariadb.
> 
>  > [1] https://gitlab.com/buildroot.org/buildroot/-/commit/3d707d2b4fa6362cb37754f6c5fbb06240f5faf5
>  > [2] https://gitlab.com/buildroot.org/buildroot/-/commit/42c56751fc554503a03d4a914ce2e814eeaf5a41
>  > [3] https://github.com/mysql/mysql-server/releases/tag/mysql-5.1.73
>  > [4] http://autobuild.buildroot.org/stats/master.html
> 
>  > Signed-off-by: Julien Olivain <ju.o@free.fr>
>  > ---
>  > Patch tested on branch master at commit 7a9ba7a with commands:
> 
> Thanks. Maybe we should instead get rid of the oracle-mysql package (and
> the virtual package) if nobody cares about keeping it updated anyway?

I was initially thinking about proposing a big bump to mysql-8.0.x some
time later. Upstream has still specific features that could be interesting
to somebody...

I personally don't need those for the moment, so I am also OK to drop
it with the virtual package.

My initial intent was to raise the attention on this decade old package,
with quite a few CVEs associated to it ;)

Best regards,

Julien.

Yann E. MORIN March 2, 2024, 2:37 p.m. UTC | #3
Julien, All,

On 2024-03-01 22:45 +0100, Julien Olivain spake thusly:
> On 01/03/2024 09:24, Peter Korsgaard wrote:
> > > > > > > "Julien" == Julien Olivain <ju.o@free.fr> writes:
> >  > The mysql package is a virtual package with two implementations:
> >  > oracle-mysql (the initial project), and mariadb (the fork of mysql).
> >  > This virtual package was introduced in commit [1] (2016).
> >  > The last version bump of oracle-mysql was in commit [2] (2014). This
> >  > mysql version 5.1.73 dates from 2013 [3].
[--SNIP--]
> > Thanks. Maybe we should instead get rid of the oracle-mysql package (and
> > the virtual package) if nobody cares about keeping it updated anyway?
> I was initially thinking about proposing a big bump to mysql-8.0.x some
> time later. Upstream has still specific features that could be interesting
> to somebody...
> 
> I personally don't need those for the moment, so I am also OK to drop
> it with the virtual package.

Let's face it: no one cared about that package for more than ten years,
not even for those features you mention, so it means no one is interested
in using that package.

So if you do not use it, don't bother expending the time to update it.

> My initial intent was to raise the attention on this decade old package,
> with quite a few CVEs associated to it ;)

"Quite a few" is probably the best understatement of the year (and it's
only March!). ;-)

So I'd side with Peter here: drop it, and then drop the virtual package.

Regards,
Yann E. MORIN.

Arnout Vandecappelle March 3, 2024, 4:01 p.m. UTC | #4
On 02/03/2024 15:37, Yann E. MORIN wrote:
> Julien, All,
> 
> On 2024-03-01 22:45 +0100, Julien Olivain spake thusly:
>> On 01/03/2024 09:24, Peter Korsgaard wrote:
>>>>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:
>>>   > The mysql package is a virtual package with two implementations:
>>>   > oracle-mysql (the initial project), and mariadb (the fork of mysql).
>>>   > This virtual package was introduced in commit [1] (2016).
>>>   > The last version bump of oracle-mysql was in commit [2] (2014). This
>>>   > mysql version 5.1.73 dates from 2013 [3].

  There's one reason to prefer oracle-mysql: mariadb (server) is almost twice as big.

> [--SNIP--]
>>> Thanks. Maybe we should instead get rid of the oracle-mysql package (and
>>> the virtual package) if nobody cares about keeping it updated anyway?
>> I was initially thinking about proposing a big bump to mysql-8.0.x some
>> time later. Upstream has still specific features that could be interesting
>> to somebody...

  Unfortunately, mysql 8.x is also much larger than the old 5.1. So for this
particular concern, that's not really a factor.

>>
>> I personally don't need those for the moment, so I am also OK to drop
>> it with the virtual package.
> 
> Let's face it: no one cared about that package for more than ten years,
> not even for those features you mention, so it means no one is interested
> in using that package.
> 
> So if you do not use it, don't bother expending the time to update it.
> 
>> My initial intent was to raise the attention on this decade old package,
>> with quite a few CVEs associated to it ;)
> 
> "Quite a few" is probably the best understatement of the year (and it's
> only March!). ;-)
> 
> So I'd side with Peter here: drop it, and then drop the virtual package.

  Agreed to that.

  Anyway, I think mysql and mariadb are less and less drop-in replacements, so 
the virtual package is

  If really needed, I think mariadb has a few large subparts that can
(optionally) be dropped, so it should be possible to reduce the footprint. If
someone bothers to work on that, of course :-)

  Regards,
  Arnout

Peter Korsgaard March 3, 2024, 5:55 p.m. UTC | #5
>>>>> "Arnout" == Arnout Vandecappelle via buildroot <buildroot@buildroot.org> writes:

 > On 02/03/2024 15:37, Yann E. MORIN wrote:
 >> Julien, All,
 >> On 2024-03-01 22:45 +0100, Julien Olivain spake thusly:
 >>> On 01/03/2024 09:24, Peter Korsgaard wrote:
 >>>>>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:
 >>>> > The mysql package is a virtual package with two implementations:
 >>>> > oracle-mysql (the initial project), and mariadb (the fork of mysql).
 >>>> > This virtual package was introduced in commit [1] (2016).
 >>>> > The last version bump of oracle-mysql was in commit [2] (2014). This
 >>>> > mysql version 5.1.73 dates from 2013 [3].

 >  There's one reason to prefer oracle-mysql: mariadb (server) is almost
 >  twice as big.

OK, but are there a lot of use cases where you need a full blown SQL
server but don't have a lot of space for the code or database?


 >>> My initial intent was to raise the attention on this decade old package,
 >>> with quite a few CVEs associated to it ;)
 >> "Quite a few" is probably the best understatement of the year (and
 >> it's
 >> only March!). ;-)
 >> So I'd side with Peter here: drop it, and then drop the virtual
 >> package.

 >  Agreed to that.

 >  Anyway, I think mysql and mariadb are less and less drop-in
 >  replacements, so the virtual package is

 >  If really needed, I think mariadb has a few large subparts that can
 >  (optionally) be dropped, so it should be possible to reduce the
 >  footprint. If someone bothers to work on that, of course :-)

We are really close to 2024.02 release, but I'll try to cook up a patch
for dropping oracle-mysql / the virtual package now.

Patch

diff --git a/package/mysql/Config.in b/package/mysql/Config.in
index 8942e55a455..dc9a899329f 100644
--- a/package/mysql/Config.in
+++ b/package/mysql/Config.in
@@ -10,7 +10,7 @@  if BR2_PACKAGE_MYSQL
 
 choice
 	prompt "mysql variant"
-	default BR2_PACKAGE_ORACLE_MYSQL
+	default BR2_PACKAGE_MARIADB
 	help
 	  Select either the oracle mysql server or the mariadb server
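
Review bot: on the `default BR2_PACKAGE_MARIADB` line, a Kconfig choice default only takes effect when that symbol is visible; if BR2_PACKAGE_MARIADB carries dependencies that the enclosing `if BR2_PACKAGE_MYSQL` does not guarantee, the choice silently falls back to its first visible entry, which may still be the oracle variant with its 177 open CVEs. Please confirm the dependencies line up for configurations other than the single aarch64 external-toolchain build listed in the commit message, or make the fallback explicit. It is also worth stating in the commit message that minimal defconfigs which never recorded a variant will switch implementation on their next build, and updating the help text to say which variant is now the default.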