Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] package/mysql: change default implementation to mariadb
@ 2024-02-26 20:35 Julien Olivain
  2024-03-01  8:24 ` Peter Korsgaard
  0 siblings, 1 reply; 6+ messages in thread
From: Julien Olivain @ 2024-02-26 20:35 UTC (permalink / raw)
  To: buildroot; +Cc: Julien Olivain

The mysql package is a virtual package with two implementations:
oracle-mysql (the initial project), and mariadb (the fork of mysql).
This virtual package was introduced in commit [1] (2016).

The last version bump of oracle-mysql was in commit [2] (2014). This
mysql version 5.1.73 dates from 2013 [3].

Package statistics at [4] reports 177 CVEs on this oracle-mysql
version (as of Buildroot tag 2024.02-rc1).

Finally, oracle-mysql has 12 package patches accumulated over the time
and there is nobody registered in the DEVELOPER file for it.

On the other hand, the Buildroot mariadb package seems to be in a
better shape: the package version is more recent, and received
frequent updates, since its introduction.

There are several packages selecting BR2_PACKAGE_MYSQL, which will use
the old oracle-mysql without the user knowing it (other than
generating the CVE list with "make pkg-stats").

In the meantime oracle-mysql receives a major update, this commit
changes the default implementation of the mysql virtual package from
oracle-mysql to mariadb.

[1] https://gitlab.com/buildroot.org/buildroot/-/commit/3d707d2b4fa6362cb37754f6c5fbb06240f5faf5
[2] https://gitlab.com/buildroot.org/buildroot/-/commit/42c56751fc554503a03d4a914ce2e814eeaf5a41
[3] https://github.com/mysql/mysql-server/releases/tag/mysql-5.1.73
[4] http://autobuild.buildroot.org/stats/master.html

Signed-off-by: Julien Olivain <ju.o@free.fr>
---
Patch tested on branch master at commit 7a9ba7a with commands:

    make check-package
    ...
    0 warnings generated

    # Build packages using mysql
    cat > .config <<EOF
    BR2_aarch64=y
    BR2_TOOLCHAIN_EXTERNAL=y
    BR2_PER_PACKAGE_DIRECTORIES=y
    BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y
    BR2_PACKAGE_MOTION=y
    BR2_PACKAGE_PERL=y
    BR2_PACKAGE_PERL_DBD_MYSQL=y
    BR2_PACKAGE_TCL=y
    BR2_PACKAGE_CPPDB=y
    BR2_PACKAGE_LIBDBI_DRIVERS=y
    BR2_PACKAGE_MARIADB_SERVER=y
    BR2_PACKAGE_APR_UTIL=y
    BR2_PACKAGE_POCO=y
    BR2_PACKAGE_POCO_DATA_MYSQL=y
    BR2_PACKAGE_DOVECOT=y
    BR2_PACKAGE_DOVECOT_MYSQL=y
    BR2_PACKAGE_COLLECTD=y
    BR2_PACKAGE_COLLECTD_MYSQL=y
    BR2_PACKAGE_FREERADIUS_SERVER=y
    BR2_PACKAGE_GERBERA=y
    BR2_PACKAGE_PURE_FTPD=y
    BR2_PACKAGE_ZABBIX=y
    BR2_PACKAGE_ZABBIX_SERVER=y
    BR2_PACKAGE_RSYSLOG=y
    BR2_TARGET_ROOTFS_EXT2=y
    BR2_TARGET_ROOTFS_EXT2_4=y
    BR2_TARGET_ROOTFS_EXT2_SIZE="500M"
    # BR2_TARGET_ROOTFS_TAR is not set
    EOF
    make olddefconfig
    make -j$(nproc)
---
 package/mysql/Config.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/mysql/Config.in b/package/mysql/Config.in
index 8942e55a455..dc9a899329f 100644
--- a/package/mysql/Config.in
+++ b/package/mysql/Config.in
@@ -10,7 +10,7 @@ if BR2_PACKAGE_MYSQL
 
 choice
 	prompt "mysql variant"
-	default BR2_PACKAGE_ORACLE_MYSQL
+	default BR2_PACKAGE_MARIADB
 	help
 	  Select either the oracle mysql server or the mariadb server
 
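Review bot: the new `default BR2_PACKAGE_MARIADB` line only takes effect for configurations where the "mysql variant" choice has not been saved yet; an existing .config or defconfig that already records BR2_PACKAGE_ORACLE_MYSQL=y keeps building the old server after this change. Since the stated motivation is users ending up on oracle-mysql without knowing it, consider also extending the choice's help text ("Select either the oracle mysql server or the mariadb server") to say that the oracle-mysql entry is at version 5.1.73 and has nobody registered for it, so anyone who still picks it does so knowingly.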
-- 
2.43.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
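
The check the commit message alludes to, as an added example that is not part of the original mail or of Buildroot: a shell function that reads a generated .config and reports which implementation the mysql virtual package resolved to, so a build that ended up on oracle-mysql is noticed. The function names and the sample config are constructed for illustration; the BR2_ symbols are the ones named in the patch.

```shell
#!/bin/sh
# Added example: report which implementation of the mysql virtual package a
# Buildroot .config resolves to. Function names are hypothetical.

# True when symbol $2 is set to "y" in config file $1. Lines such as
# "# BR2_FOO is not set" are comments and must not count as enabled.
br2_enabled() {
    grep -q "^$2=y\$" "$1"
}

# Print one of: none, mariadb, oracle-mysql, unresolved
mysql_provider() {
    cfg=$1
    if ! br2_enabled "$cfg" BR2_PACKAGE_MYSQL; then
        echo none
    elif br2_enabled "$cfg" BR2_PACKAGE_ORACLE_MYSQL; then
        echo oracle-mysql
    elif br2_enabled "$cfg" BR2_PACKAGE_MARIADB; then
        echo mariadb
    else
        # Virtual package enabled but no variant recorded in the file yet.
        echo unresolved
    fi
}

# Exit status 1 when the config would ship oracle-mysql, 0 otherwise.
audit_mysql_provider() {
    provider=$(mysql_provider "$1")
    echo "$1: mysql provider = $provider"
    [ "$provider" != oracle-mysql ]
}

# Constructed sample: mysql virtual package enabled, old default kept.
sample=$(mktemp)
cat > "$sample" <<'EOF'
BR2_PACKAGE_COLLECTD=y
BR2_PACKAGE_COLLECTD_MYSQL=y
BR2_PACKAGE_MYSQL=y
BR2_PACKAGE_ORACLE_MYSQL=y
# BR2_PACKAGE_MARIADB is not set
EOF
audit_mysql_provider "$sample" || echo "WARNING: outdated oracle-mysql selected"
rm -f "$sample"
```
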


* Re: [Buildroot] [PATCH 1/1] package/mysql: change default implementation to mariadb
  2024-02-26 20:35 [Buildroot] [PATCH 1/1] package/mysql: change default implementation to mariadb Julien Olivain
@ 2024-03-01  8:24 ` Peter Korsgaard
  2024-03-01 21:45   ` Julien Olivain
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2024-03-01  8:24 UTC (permalink / raw)
  To: Julien Olivain; +Cc: buildroot

>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:

 > The mysql package is a virtual package with two implementations:
 > oracle-mysql (the initial project), and mariadb (the fork of mysql).
 > This virtual package was introduced in commit [1] (2016).

 > The last version bump of oracle-mysql was in commit [2] (2014). This
 > mysql version 5.1.73 dates from 2013 [3].

 > Package statistics at [4] reports 177 CVEs on this oracle-mysql
 > version (as of Buildroot tag 2024.02-rc1).

 > Finally, oracle-mysql has 12 package patches accumulated over the time
 > and there is nobody registered in the DEVELOPER file for it.

 > On the other hand, the Buildroot mariadb package seems to be in a
 > better shape: the package version is more recent, and received
 > frequent updates, since its introduction.

 > There are several packages selecting BR2_PACKAGE_MYSQL, which will use
 > the old oracle-mysql without the user knowing it (other than
 > generating the CVE list with "make pkg-stats").

 > In the meantime oracle-mysql receives a major update, this commit
 > changes the default implementation of the mysql virtual package from
 > oracle-mysql to mariadb.

 > [1] https://gitlab.com/buildroot.org/buildroot/-/commit/3d707d2b4fa6362cb37754f6c5fbb06240f5faf5
 > [2] https://gitlab.com/buildroot.org/buildroot/-/commit/42c56751fc554503a03d4a914ce2e814eeaf5a41
 > [3] https://github.com/mysql/mysql-server/releases/tag/mysql-5.1.73
 > [4] http://autobuild.buildroot.org/stats/master.html

 > Signed-off-by: Julien Olivain <ju.o@free.fr>
 > ---
 > Patch tested on branch master at commit 7a9ba7a with commands:

Thanks. Maybe we should instead get rid of the oracle-mysql package (and
the virtual package) if nobody cares about keeping it updated anyway?


-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 1/1] package/mysql: change default implementation to mariadb
  2024-03-01  8:24 ` Peter Korsgaard
@ 2024-03-01 21:45   ` Julien Olivain
  2024-03-02 14:37     ` Yann E. MORIN
  0 siblings, 1 reply; 6+ messages in thread
From: Julien Olivain @ 2024-03-01 21:45 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: buildroot

Hi Peter, All,

On 01/03/2024 09:24, Peter Korsgaard wrote:
>>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:
> 
>  > The mysql package is a virtual package with two implementations:
>  > oracle-mysql (the initial project), and mariadb (the fork of mysql).
>  > This virtual package was introduced in commit [1] (2016).
> 
>  > The last version bump of oracle-mysql was in commit [2] (2014). This
>  > mysql version 5.1.73 dates from 2013 [3].
> 
>  > Package statistics at [4] reports 177 CVEs on this oracle-mysql
>  > version (as of Buildroot tag 2024.02-rc1).
> 
>  > Finally, oracle-mysql has 12 package patches accumulated over the 
> time
>  > and there is nobody registered in the DEVELOPER file for it.
> 
>  > On the other hand, the Buildroot mariadb package seems to be in a
>  > better shape: the package version is more recent, and received
>  > frequent updates, since its introduction.
> 
>  > There are several packages selecting BR2_PACKAGE_MYSQL, which will 
> use
>  > the old oracle-mysql without the user knowing it (other than
>  > generating the CVE list with "make pkg-stats").
> 
>  > In the meantime oracle-mysql receives a major update, this commit
>  > changes the default implementation of the mysql virtual package from
>  > oracle-mysql to mariadb.
> 
>  > [1] 
> https://gitlab.com/buildroot.org/buildroot/-/commit/3d707d2b4fa6362cb37754f6c5fbb06240f5faf5
>  > [2] 
> https://gitlab.com/buildroot.org/buildroot/-/commit/42c56751fc554503a03d4a914ce2e814eeaf5a41
>  > [3] https://github.com/mysql/mysql-server/releases/tag/mysql-5.1.73
>  > [4] http://autobuild.buildroot.org/stats/master.html
> 
>  > Signed-off-by: Julien Olivain <ju.o@free.fr>
>  > ---
>  > Patch tested on branch master at commit 7a9ba7a with commands:
> 
> Thanks. Maybe we should instead get rid of the oracle-mysql package 
> (and
> the virtual package) if nobody cares about keeping it updated anyway?

I was initially thinking about proposing a big bump to mysql-8.0.x some
time later. Upstream has still specific features that could be 
interesting
to somebody...

I personally don't need those for the moment, so I am also OK to drop
it with the virtual package.

My initial intent was to raise the attention on this decade old package,
with quite a few CVEs associated to it ;)

Best regards,

Julien.

* Re: [Buildroot] [PATCH 1/1] package/mysql: change default implementation to mariadb
  2024-03-01 21:45   ` Julien Olivain
@ 2024-03-02 14:37     ` Yann E. MORIN
  2024-03-03 16:01       ` Arnout Vandecappelle via buildroot
  0 siblings, 1 reply; 6+ messages in thread
From: Yann E. MORIN @ 2024-03-02 14:37 UTC (permalink / raw)
  To: Julien Olivain; +Cc: buildroot

Julien, All,

On 2024-03-01 22:45 +0100, Julien Olivain spake thusly:
> On 01/03/2024 09:24, Peter Korsgaard wrote:
> > > > > > > "Julien" == Julien Olivain <ju.o@free.fr> writes:
> >  > The mysql package is a virtual package with two implementations:
> >  > oracle-mysql (the initial project), and mariadb (the fork of mysql).
> >  > This virtual package was introduced in commit [1] (2016).
> >  > The last version bump of oracle-mysql was in commit [2] (2014). This
> >  > mysql version 5.1.73 dates from 2013 [3].
[--SNIP--]
> > Thanks. Maybe we should instead get rid of the oracle-mysql package (and
> > the virtual package) if nobody cares about keeping it updated anyway?
> I was initially thinking about proposing a big bump to mysql-8.0.x some
> time later. Upstream has still specific features that could be interesting
> to somebody...
> 
> I personally don't need those for the moment, so I am also OK to drop
> it with the virtual package.

Let's face it: no one cared about that package for more than ten years,
not even for those features you mention, so it means no one is interested
in using that package.

So if you do not use it, don't bother expending the time to update it.

> My initial intent was to raise the attention on this decade old package,
> with quite a few CVEs associated to it ;)

"Quite a few" is probably the best understatement of the year (and it's
only March!). ;-)

So I'd side with Peter here: drop it, and then drop the virtual package.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 1/1] package/mysql: change default implementation to mariadb
  2024-03-02 14:37     ` Yann E. MORIN
@ 2024-03-03 16:01       ` Arnout Vandecappelle via buildroot
  2024-03-03 17:55         ` Peter Korsgaard
  0 siblings, 1 reply; 6+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2024-03-03 16:01 UTC (permalink / raw)
  To: Yann E. MORIN, Julien Olivain; +Cc: buildroot



On 02/03/2024 15:37, Yann E. MORIN wrote:
> Julien, All,
> 
> On 2024-03-01 22:45 +0100, Julien Olivain spake thusly:
>> On 01/03/2024 09:24, Peter Korsgaard wrote:
>>>>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:
>>>   > The mysql package is a virtual package with two implementations:
>>>   > oracle-mysql (the initial project), and mariadb (the fork of mysql).
>>>   > This virtual package was introduced in commit [1] (2016).
>>>   > The last version bump of oracle-mysql was in commit [2] (2014). This
>>>   > mysql version 5.1.73 dates from 2013 [3].

  There's one reason to prefer oracle-mysql: mariadb (server) is almost twice as 
big.

> [--SNIP--]
>>> Thanks. Maybe we should instead get rid of the oracle-mysql package (and
>>> the virtual package) if nobody cares about keeping it updated anyway?
>> I was initially thinking about proposing a big bump to mysql-8.0.x some
>> time later. Upstream has still specific features that could be interesting
>> to somebody...

  Unfortunately, mysql 8.x is also much larger than the old 5.1. So for this 
particular concern, that's not really a factor.

>>
>> I personally don't need those for the moment, so I am also OK to drop
>> it with the virtual package.
> 
> Let's face it: no one cared about that package for more than ten years,
> not even for those features you mention, so it means no one is interested
> in using that package.
> 
> So if you do not use it, don't bother expending the time to update it.
> 
>> My initial intent was to raise the attention on this decade old package,
>> with quite a few CVEs associated to it ;)
> 
> "Quite a few" is probably the best understatement of the year (and it's
> only March!). ;-)
> 
> So I'd side with Peter here: drop it, and then drop the virtual package.

  Agreed to that.

  Anyway, I think mysql and mariadb are less and less drop-in replacements, so 
the virtual package is

  If really needed, I think mariadb has a few large subparts that can 
(optionally) be dropped, so it should be possible to reduce the footprint. If 
someone bothers to work on that, of course :-)

  Regards,
  Arnout

* Re: [Buildroot] [PATCH 1/1] package/mysql: change default implementation to mariadb
  2024-03-03 16:01       ` Arnout Vandecappelle via buildroot
@ 2024-03-03 17:55         ` Peter Korsgaard
  0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2024-03-03 17:55 UTC (permalink / raw)
  To: Arnout Vandecappelle via buildroot; +Cc: Julien Olivain, Yann E. MORIN

>>>>> "Arnout" == Arnout Vandecappelle via buildroot <buildroot@buildroot.org> writes:

 > On 02/03/2024 15:37, Yann E. MORIN wrote:
 >> Julien, All,
 >> On 2024-03-01 22:45 +0100, Julien Olivain spake thusly:
 >>> On 01/03/2024 09:24, Peter Korsgaard wrote:
 >>>>>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:
 >>>> > The mysql package is a virtual package with two implementations:
 >>>> > oracle-mysql (the initial project), and mariadb (the fork of mysql).
 >>>> > This virtual package was introduced in commit [1] (2016).
 >>>> > The last version bump of oracle-mysql was in commit [2] (2014). This
 >>>> > mysql version 5.1.73 dates from 2013 [3].

 >  There's one reason to prefer oracle-mysql: mariadb (server) is almost
 >  twice as big.

OK, but are there a lot of use cases where you need a full blown SQL
server but don't have a lot of space for the code or database?


 >>> My initial intent was to raise the attention on this decade old package,
 >>> with quite a few CVEs associated to it ;)
 >> "Quite a few" is probably the best understatement of the year (and
 >> it's
 >> only March!). ;-)
 >> So I'd side with Peter here: drop it, and then drop the virtual
 >> package.

 >  Agreed to that.

 >  Anyway, I think mysql and mariadb are less and less drop-in
 >  replacements, so the virtual package is

 >  If really needed, I think mariadb has a few large subparts that can
 >  (optionally) be dropped, so it should be possible to reduce the
 >  footprint. If someone bothers to work on that, of course :-)

We are really close to 2024.02 release, but I'll try to cook up a patch
for dropping oracle-mysql / the virtual package now.

-- 
Bye, Peter Korsgaard