Fedora project may expel MySQL
The developers of Fedora Linux are pondering a slap in the face for Oracle by picking MariaDB as the database for the forthcoming Fedora 19. MariaDB is a fork of MySQL, bills itself as a “drop-in replacement” for the database and is the result of efforts by Michael "Monty" Widenius, the founder of MySQL. Red Hatter Jaroslav …
I am so glad ..
.. they do their best to keep the LAMP acronym alive :).
I mean, it could have become LAPP with PostgreSQL (etc. for all the other DBs out there).
The two main reasons I like this move are security and control. An open product means I can have a security evaluation done that actually means something, and not having a company dictate what someone can do with it means you can't be roped into a scam scheme where a year later your costs skyrocket because you are now dependent on it (we all know who made that approach popular).
Re: I am so glad ..
But if you wanted secure then you wouldn't be using LAMP in the first place...
Surprisingly enough, Microsoft SQL Server is by far the most secure commonly used database software on the market at the moment! (With an average of about 1 vulnerability a year)
Re: I am so glad ..
Yet another Open Source split! As an IT Manager, this is another good reason to only buy commercial software....
Re: I am so glad ..
Yep - old news - you get what you pay for! -
MySQL - 145 known vulnerabilities: http://secunia.com/advisories/product/8355/
SQL Server 2008 (similar age) - 4 known vulnerabilities: http://secunia.com/advisories/product/21744/
Re: I am so glad ..
@TheVogon: "Known", meaning that SQL Server is likely harbouring just as many security vulns but as yet are either a) not disclosed or b) haven't been found yet (security through obscurity). GLWT
Re: I am so glad ..
@TheVogon does that account for the underlying vulnerabilities of the OS too? You can't have a database server without sitting it on something and SQL Server requires Windows, don't it?
Honest question.
Re: I am so glad ..
MySQL is commercial software too and in fact for some functionality you only get it in the commercial version.
Real developers use Postgres.
Re: I am so glad ..
I can answer that - No it doesn't include the OS. If you ran MySQL on Windows then it would be the same obviously, as SQL only runs on Windows server.
If you ran it on a commercial Linux distribution then the vulnerability count over time would likely be much higher. For instance SUSE 10 is now on over 3,800 known vulnerabilities versus about 380 for Windows Server 2008....And Linux is still higher even on a 'reduced package' install that is equivalent to the contents of a Windows install!
Re: I am so glad ..
Real developers with jobs use SQL Server, Oracle, DB2 and Sybase....
Re: I am so glad ..
True (although large corporates / governments can audit the code) - but if there are fewer known vulnerabilities and no access to the source code - it makes it much tougher to attack either by a) using an existing vulnerability or b) to find new ones.
Re: I am so glad ..
Sybase? - You could do better with PostgreSQL.
DB2 - Only big iron from IBM.
More economical to go with SQL server and Oracle.
Can scale higher with ease using Oracle.
Re: I am so glad ..
@Miek: I'm all for promoting Open Source, but your argument is invalid. You are changing an apples to apples comparison to an apples to oranges comparison. Comparisons need to be fair and based on what we know, are you suggesting we should compare MySQL SQL Server's known vulnerabilities against a hypothesised figure for SQL Server because you don't like the Microsoft way? Or perhaps we level the playing field and guess how many vulnerabilities we don't know about for both? It would be fantastical to suggest we already know all MySQL vulnerabilities, how are we to determine the figure of that which we do not know? Either way, it is not going to produce an unbiased and skewed result. Just like anything else, we have to work with the knowns, not the unknowns.
Re: I am so glad ..
The next fork should be moominDb.
Look, I use MS SQL, but an RDBMS from a fellow admirer of Tove Jansson - how cool is that?
Re: I am so glad ..
MSSQL is awesomely secure! Last time a filesystem filled up in a former job, the whole DB was impossible to recover! Maximum security: NOBODY will ever be able to read your data! HAHAHAHAHA
Honestly, I switched back to PostgreSQL a long time ago because Monty hated transactions, and that attitude was very visible in the MySQL 3.x documentation. Other gems in that documentation were raging against Foreign Keys, and basically saying you don't need subqueries, or stored procs ... whatever. I now use PostgreSQL for FOSS stuff, and DB2/Sybase/Oracle for more commercial stuff. I try to avoid MSSQL, but given that it's basically ripoff Sybase, I can do that too...
Re: Daniel B. Re: I am so glad ..
"......Last time a filesystem filled up in a former job......" So, you want us to accept your advice as "experienced", but admit to falling victim to a noob sysadmin error?
Re: I am so glad ..
So presumably you just restored your backup and replayed your log files?
Re: I am so glad ..
That might have used to have been the case. Now it is easier (and much much cheaper) to scale on SQL server:
http://www.tpc.org/tpce/results/tpce_perf_results.asp
http://download.microsoft.com/download/3/D/D/3DDCC479-E303-401F-9093-942549FF8A33/Redknee_Solution_Brief_with_XIO_NEC_Intel_Mar2012.pdf
http://blogs.msdn.com/b/nikosan/archive/2012/05/25/sql-server-2012-licensing-value-vs-oracle-database.aspx
Re: I am so glad ..
Of course, unlike SQL Server, MySQL/MariaDB doesn't let you exploit impersonation to compromise the OS. Just like IIS had fewer vulns than Apache but a compromised IIS usually leads to a compromised system due to impersonation privileges, while Apache on Fedora/RHEL with SELinux leads to a frustrated attacker.
I suppose if you wanted the best of both worlds you could run IIS and SQL Server on Linux... oh... wait..
Re: I am so glad ..
Except with Windows, most service compromises cause an entire OS compromise, regardless of how well you configure it. Impersonation lets even Network Service and Local Service accounts escalate to SYSTEM.
On Linux, services can be isolated to the point where a compromise leads to absolute nothing (especially if you syscall-filter and deploy AA/SELinux).
Re: I am so glad ..
> With an average of about 1 vulnerability a year
I rather like it that I can now use Microsoft's argument against them: that doesn't prove security, it's more related to the fact that nobody in their right mind uses it on a public facing server..
Re: I am so glad ..
Thanks for making it clear that you don't understand what you are talking about. By 'impersonation' I assume you mean 'constrained delegation' - Which allows the administrator to selectively allow an account to request Kerberos tickets limited to specific services on specific servers. It does not allow you to escalate anything, and is far more powerful than anything available for services on Linux....
So like many many other Linux distros did some time ago. Good of Fedora to keep up with the times :-)
Which ones?
Just out of interest, what distros dumped MySQL?
I'm not too hot on my DB skills, maybe should brush up, with this MariaDB. What's the syntax like in comparison to MySQL queries? I read an article in Linux Format about Maria a couple of months ago. But have never used it.
Re: Which ones?
> What's the syntax like in comparison to MySQL queries?
MariaDB is a drop-in replacement for MySQL. That means you should see no difference at all: just remove MySQL (keeping your data and configuration files), install MariaDB and you're done.
Re: Which ones?
See https://kb.askmonty.org/en/distributions-which-include-mariadb/
Note that the MariaDB JDBC driver is definitely not a drop-in replacement for the MySQL JDBC driver (yet); it has many bugs where methods aren't implemented. Just use the MySQL JDBC driver with MariaDB server.
Re: Which ones?
I wouldn't call that "many other Linux distros". The only major one I can see is openSUSE, and they have both MySQL and MariaDB available. This is hardly the mass exodus seen from OpenOffice.org to LibreOffice.
It looks like, rather than being behind, Fedora is in the forefront here. If Fedora makes the jump then that will filter through to RHEL, which would be much more significant.
This from Ubuntu
p maria - reachability analyzer for Algebraic System Nets
p maria-doc - documentation of Maria
nothing to see here, either.
Re: Which ones?
"This is hardly the mass exodus seen from OpenOffice.org to LibreOffice." -- It will be, I already intend to replace my MySQL instances with Maria when the next good opportunity arises and I'm sure many other Linux Admins out there are looking at the Asshole company Oracle and thinking さようなら
Re: This from Ubuntu
@ g e
https://downloads.mariadb.org/mariadb/repositories/
There are instructions for adding the repo to Ubuntu and others
Re: Which ones?
It's the same thing. Nothing to brush up on.
It's like OpenOffice.org vs LibreOffice
"a very large fraction of the mysql bug database is now not public"
That's pretty Nazi, why would anyone do that?
'Cos...
Oracle seem so preoccupied with shooting themselves in the foot lately, they obviously still have a toe left with MySQL written on it. The Java one's hanging on by a thread, too.
Good
I hope all the others follow. Oracle are bunch of self-serving cunts that ruin every OSS project they touch.
Fuck oracle.
So what if users want to use the latest version of Fedora, yet still want to use MySQL, would they have to install it manually instead of via the package manager?
I would assume that would still be an option, but if Fedora isn't even letting them do that then that's pretty bad of Fedora IMO.
> if Fedora isn't even letting them do that
You sure will be able to, from an RPM or directly from source.
After all you can install the Oracle JDK too, and get patent-encumbered codecs, even libdvdcss from the "nonfree" repositories at will.
This isn't Applosoft control freak territory.
I recently deployed some mysql/mariadb servers, and did some testing.
Mysql5.5.29 outperformed Mariadb10.0 by about 20%. I would be disappointed if forced to change. Why not offer them both since they are 'dropin' replacements?
http://dev.mysql.com/doc/refman/5.6/en/linux-installation-rpm.html
Top database tip.
Here's 0p. Get yourself a proper database.
http://www.postgresql.org/
Re: Top database tip.
Well it's not quite the sieve of MySQL, but still much less secure than SQL server:
http://secunia.com/advisories/product/4587/
Re: Top database tip.
I found another MS Shill! Do I win anything?
Re: Top database tip.
you mean...
"3 Secunia Advisories in 2012
Secunia has issued a total of 3 Secunia advisories in 2012 for PostgreSQL 8.x. Currently, 0% (0 out of 3) are marked as unpatched."
(and 0 in 2013 so far)
I see the same 3 advisories apply to 9.x (currently 9.0, 9.1 and now 9.2). Looking at the most significant one, SA50218, 9.1.5 with the fix to 9.1 was released THE SAME DAY AS THE ADVISORY. And the bulk of the security exposures was with an obscure 'contrib' plugin/addon module for libxslt.
Re: Top database tip.
> I found another MS Shill
No you didn't. It's still RICHTO.
Vic.
Ahem.
Whilst I'm generally supportive of Fedora replacing MySQL with MariaDB I have to suggest that the decision may have been slightly swung by Oracle's attempts to steal RHEL customers with their substandard RHEL-clone. What I'm waiting for is Red Hat to kick MySQL out of RHEL and CentOS, then I'll be quietly pouring a celebratory drink or three.
