Comment 4 for bug 1313187

Seth Arnold (seth-arnold) wrote :

Hello Otto, thanks for taking on this work.

The Launchpad branches may be a convenient mechanism for managing
packaging in the devel branch but it is not an ideal fit for security
updates. I suspect that you can make it work, but working with the raw
packaging pieces alone may be easier.

When we update MySQL, the process usually looks like this:

1) Download the MySQL sources for all releases that are going to be
updated. (We use 'umt download mysql-5.5', where 'umt' is an unpackaged
tool that helps standardize the updates process; apt-get source should
also work, but it won't automatically download versions from all supported
releases.)

2) Download the new MySQL tarball from Oracle and check signatures.

3) Rename the tarball to *.orig.tar.gz

4) Edit debian/changelog to indicate a new upstream release, CVEs closed,
reference a Launchpad tracking bug to make it easy to see which releases
get the updated packages, and give each release a version-specific number
to ensure upgrades go smoothly.

5) quilt push -a -- note failures, determine if patches need to be dropped
because they were integrated upstream or just need to be refreshed.

6) quilt pop -a -- this cleans up the .pc/ directory and the sources and
makes diffs far more legible.

7) Build and test

I assume the process for MariaDB will be largely identical.

Of course, sponsored updates will require more work to capture the
changes made to the packaging. Normally we ask for a "debdiff" between the
old and the new package, which is efficient for reviewing and applying
when the changes are small. This process doesn't work well for wholesale
updates of huge software suites -- no one wants to read a diff of a
compressed tarball -- so the process is slightly different.

You'll go through these same steps, but we'll need a patch that we can
apply to the unpacked sources to update the fuzz in the patches we keep
and drop the patches we no longer need. We can download the new tarball
ourselves but please include the sha256sum of the tarball you used to
ensure we're working from the same page. (Best would be to convince the
MariaDB developers to sign their packages.)

Probably using cp -a to make a complete copy of the unpacked source tree
would be the best way to make a patch for the debian/ directory changes.
It would be worthwhile to review this patch by hand to ensure it is
minimal and correct; we'll check it for .pc files, editor detritus, etc.,
but the fewer issues we find the faster we can get updates to our users.

Thanks again Otto, please don't hesitate to ask questions.
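The steps above, and the sponsor-side checks on the resulting patch, as an added example script; it is not Ubuntu's umt tooling and not part of this bug thread. It assumes sha256sum, diff and awk are present, needs quilt only for refresh_patches, and the package and version names in the usage sketch are constructed.

```shell
#!/bin/sh
# Added example (not Ubuntu's umt tooling): helpers for the sponsored-update
# workflow in the comment above. Assumes sha256sum/diff/awk; quilt is needed
# only by refresh_patches. Package and version names below are constructed.
set -eu

sha256_of() {    # print the sha256 of a file so submitter and sponsor can compare
    sha256sum "$1" | cut -d' ' -f1
}

verify_tarball() {    # verify_tarball <tarball> <expected-sha256>; fails on mismatch
    [ "$(sha256_of "$1")" = "$2" ]
}

orig_name() {    # step 3: orig_name <source-package> <upstream-version>
    printf '%s_%s.orig.tar.gz\n' "$1" "$2"
}

refresh_patches() {    # steps 5 and 6; run inside the unpacked source tree
    if ! quilt push -a; then
        echo "quilt push stopped at '$(quilt next)': drop it if upstream" \
             "already integrated it, otherwise refresh it" >&2
        return 1
    fi
    quilt pop -a    # leaves no .pc/ behind, so the debian/ diff stays legible
}

debian_patch() {    # debian_patch <cp -a copy of the old tree> <edited tree>
    # diff exits 1 when the trees differ, which is the expected case here
    diff -ruN -x .pc -x '*~' -x '*.orig' -x '*.rej' -x '*.swp' \
        "$1/debian" "$2/debian" || [ $? -eq 1 ]
}

patch_is_clean() {    # the sponsor-side check for .pc files and editor detritus
    bad=$(grep '^+++ ' "$1" | awk '{print $2}' \
          | grep -E '(^|/)\.pc/|~$|\.(orig|rej|swp)$' || true)
    if [ -n "$bad" ]; then
        printf 'patch touches files that must not ship:\n%s\n' "$bad" >&2
        return 1
    fi
}

# Usage sketch (constructed names):
#   verify_tarball mariadb-5.5.40.tar.gz "$EXPECTED_SHA256"
#   mv mariadb-5.5.40.tar.gz "$(orig_name mariadb-5.5 5.5.40)"
#   cp -a mariadb-5.5-5.5.40 mariadb-5.5-5.5.40.pristine
#   (cd mariadb-5.5-5.5.40 && refresh_patches)
#   debian_patch mariadb-5.5-5.5.40.pristine mariadb-5.5-5.5.40 > debian.patch
#   patch_is_clean debian.patch
```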