Source: mariadb-10.5
Version: 1:10.5.5-1
Tags: security
Severity: serious
Justification: unsupportable by the Debian security team
Hi Otto,

I've hinted that the situation about an embedded ssl library might be suboptimal earlier. Since then, I've checked (using the buildd logs) that indeed mariadb does build an embedded copy of wolfssl. I've also checked with the Debian security team (Moritz Muehlenhoff in particular). Such an embedding is unsupportable by the security team. For that reason, I'm filing this as a release critical bug. It expresses a veto of the security team for including the package in a stable release as is.

On a technical level, this seems easy to solve. You currently pass -DWITH_SSL=bundled. The build system supports -DWITH_SSL=system in principle. What I'm less sure about is whether doing so breaks any functionality and whether the involved licenses are actually compatible.

I do hope that you can sort this out. Thanks for your hard work in managing this complex package and otherwise integrating it into Debian.

Helmut
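As an added illustration (not part of Helmut's report or of the mariadb packaging), a small Python check that does what the report describes by hand: it scans a buildd log for the cmake configure step, collects the -D definitions, and reports whether WITH_SSL was set to bundled or system. The log lines are constructed samples, not real buildd output.

```python
"""Scan a Debian buildd log for cmake -D definitions and report the WITH_SSL
setting, so an embedded (bundled) TLS library can be spotted before upload."""
import shlex

# Constructed sample lines in the style of a buildd log (not a real log).
BUNDLED_LOG = """\
dh_auto_configure -- -DBUILD_CONFIG=mysql_release -DWITH_SSL=bundled -DWITH_PCRE=system
-- The C compiler identification is GNU 10.2.0
-- Looking for pthread.h
"""
# Constructed sample of a corrected build using the "-D VAR:TYPE=value" form.
SYSTEM_LOG = """\
cd obj-x86_64-linux-gnu && cmake -D WITH_SSL:STRING=system -DWITH_PCRE=system ..
-- Found OpenSSL
"""


def cmake_defines(log_text):
    """Collect -D<VAR>=<value> definitions from every cmake invocation in the log.
    A later definition of the same variable overrides an earlier one."""
    defines = {}
    for line in log_text.splitlines():
        if "cmake" not in line and "dh_auto_configure" not in line:
            continue
        try:
            args = shlex.split(line)
        except ValueError:  # unbalanced quotes on a truncated log line
            args = line.split()
        i = 0
        while i < len(args):
            arg = args[i]
            if arg == "-D" and i + 1 < len(args):  # separate "-D VAR=value" form
                arg, i = "-D" + args[i + 1], i + 1
            if arg.startswith("-D") and "=" in arg:
                name, value = arg[2:].split("=", 1)
                defines[name.split(":", 1)[0]] = value  # drop a ":TYPE" suffix
            i += 1
    return defines


def ssl_source(log_text):
    """Return 'bundled', 'system' or 'unset' for WITH_SSL. 'unset' means the
    upstream default applied, which then has to be checked separately."""
    return cmake_defines(log_text).get("WITH_SSL", "unset").lower()


if __name__ == "__main__":
    for name, log in (("bundled sample", BUNDLED_LOG), ("system sample", SYSTEM_LOG)):
        print(f"{name}: WITH_SSL={ssl_source(log)}")
```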