On Mon, 09 Apr 2012 10:21:08 -0700, Clint Byrum <cl...@fewbar.com> wrote:

> Excerpts from micah anderson's message of Sun Apr 08 10:13:40 -0700 2012:
> > severity 660206 serious
> > thanks
> >
> > This is actually a regression, the only way to get things to work again
> > is to downgrade package like such:
> >
> > apt-get install mysql-server-5.1=5.1.49-3 mysql-client-5.1=5.1.49-3
> > mysql-common=5.1.49-3 mysql-server-core-5.1=5.1.49-3
> > libmysqlclient16=5.1.49-3
> >
> > micah
> >
>
> So, I'm not sure I agree that this is such a serious
> regression.
I would agree that this is not a *very* serious regression, but it's a regression nonetheless. In my opinion an unintended regression is not suitable for release as a security upload and should be replaced as soon as a fix becomes available.

> *lenny* shipped with rails 2.1.0. 1.2.6 was released in 2007, and is
> not supported in Debian at all. The referenced upstream bug talks about
> using client versions older than 4.1, which is basically ancient.

I agree. However, the reality is that the security upgrade brought in unrelated changes and caused unrelated software to break.

> I'm not disputing that this is a regression introduced by the upstream
> jump to 5.1.61, but I don't know that it's worth downgrading and losing
> security updates for. Perhaps the client libraries should be updated to
> something that is still supported by upstream and/or Debian.

The two choices here are to either downgrade mysql, or to upgrade client libraries. While it seems sensible to upgrade client libraries to a newer supported version, one should not have to do that because of a security upgrade of another package. That option takes you from the realm of routine security maintenance into the much more serious realm of completely migrating other software to new client libraries, which would require a significant architecture overhaul (I don't know how much you know about rails, but the difference between 2.1 and 2.2 is not a trivial minor release, but typically involves almost a complete rewrite). During a maintenance window, when you are expecting to only do an isolated security upgrade of a package, the last thing the sysadmin who is performing the upgrade is going to do is to re-write some other code to deal with a surprise regression in the security package.
So while I do agree with you that the 'right' thing to do is to get the software updated to newer client libraries, rather than to have exposed security holes, the reality is that until that can happen (and in one case that I am dealing with, that re-write is in progress, but is 6 months out) I would hope that stable-security or a stable update would include a fix to this regression, when it becomes available.

micah