Fedora project may expel MySQL The developers of Fedora Linux are pondering a slap in the face for Oracle by picking MariaDB as the database for the forthcoming Fedora 19. MariaDB is a fork of MySQL, bills itself as a “drop-in replacement” for the database and is the result of efforts by Michael "Monty" Widenius, the founder of MySQL. Red Hatter Jaroslav …
.. they do their best to keep the LAMP acronym alive :).
I mean, it could have become LAPP with Postgresql (etc for all the other DBs out there).
The two main reasons I like this move is security and control. An open product means I can have a security evaluation done that actually means something, and not having a company dictate what someone can do with it means you can't be roped into a scam scheme where a year later your costs skyrocket because you are now dependent on it (we all know who made that approach popular).
@Miek : I'm all for promoting Open Source, but your argument is invalid. You are changing an apples to apples comparison to an apples to oranges comparison. Comparisons need to be fair and based on what we know, are you suggesting we should compare MySQL SQL Server's known vulnerabilities againt a hypothesised figure for SQL Server because you don't like the Microsoft way? Or perhaps we level the playing field and guess how many vulnerabilities we don't know about for both? It would be fantastical to suggest we already know all MySQL vulnerabilities, how are we to determine the figure of that which do not know? Either way, it is not going to produce an unbiased and skewed result. Just like anything else, we have to work with the knowns, not the unknowns.
I can answer that - No it doesnt include the OS. If you ran MySQL on Windows then it would be the same obviously, as SQL only runs on Windows server.
If you ran it on a commercial Linux distribution then the vulnerability count over time would likely be much higher. For instance SUSE 10 is now on over 3,800 known vulnerabilities now versus about 380 for Windows Server 2008....And Linux is still higher even on a 'reduced package' install that is equivalent to the contents of a Windows install!
Except with Windows, most service compromises cause an entire OS compromise, regardless of how well you configure it. Impersonation lets even Network Service and Local Service accounts escalate to SYSTEM.
On Linux, services can be isolated to the point where a compromise leads to absolute nothing (especially if you syscall-filter and deploy AA/SELinux).
Thanks for making it clear that you don't understand what you are talking about. By 'impersonation' I assume you mean 'constrained delegation' - Which allows the administrator to selectively allow an account to request Kerberos tickets limited to specific services on specific servers. It does not allow you to escalate anything, and is far more powerful than anything available for services on Linux....
That might have used to have been the case. Now it is easier (and much much cheaper) to scale on SQL server:
http://www.tpc.org/tpce/results/tpce_perf_results.asp
http://download.microsoft.com/download/3/D/D/3DDCC479-E303-401F-9093-942549FF8A33/Redknee_Solution_Brief_with_XIO_NEC_Intel_Mar2012.pdf
http://blogs.msdn.com/b/nikosan/archive/2012/05/25/sql-server-2012-licensing-value-vs-oracle-database.aspx
Of course, unlike SQL Server, MySQL/MariaDB doesn't let you exploit impersonation to compromise the OS. Just like IIS had fewer vulns than Apache but a compromised IIS usually leads to a compromised system due to impersonation privileges, while Apache on Fedora/RHEL with SELinux leads to a frustrated attacker.
I suppose if you wanted the best of both worlds you could run IIS and SQL Server on Linux... oh... wait..
MSSQL is awesomely secure! Last time a filesystem filled up in a former job, the whole DB was impossible to recover! Maximum security: NOBODY will ever be able to read your data! HAHAHAHAHA
Honestly, I switched back to PostgreSQL a long time ago because Monty hated transactions, and that attitude was very visible in the MySQL 3.x documentation. Other gems in that documentation was raging against Foreign Keys, and basically saying you don't need subqueries, or stored procs ... whatever. I now use PostgreSQL for FOSS stuff, and DB2/Sybase/Oracle for more commercial stuff. I try to avoid MSSQL, but given that it's basically ripoff Sybase, I can do that too...
I wouldn't call that "many other Linux distros". The only major one I can see is openSUSE, and they have both MySQL and MariaDB available. This is hardly the mass exodus seen from OpenOffice.org to LibreOffice.
It looks like, rather than being behind, Fedora is in the forefront here. If Fedora makes the jump then that will filter through to RHEL, which would be much more significant.
"This is hardly the mass exodus seen from OpenOffice.org to LibreOffice." -- It will be, I already intend to replace my MySQL instances with Maria when the next good opportunity arises and I'm sure many other Linux Admins out there are looking at the Asshole company Oracle and thinking さようなら
This post has been deleted by its author
you mean...
'3 Secunia Advisories in 2012
Secunia has issued a total of 3 Secunia advisories in 2012 for PostgreSQL 8.x. Currently, 0% (0 out of 3) are marked as unpatched."
(and 0 in 2013 so far)
I see the same 3 advisories apply to 9.x (currently 9.0, 9.1 and now 9.2. Looking at the most significant one, SA50218, 9.1.5 with the fix to 9.1 was released THE SAME DAY AS THE ADVISORY. and, the bulk of the security exposures was with an obscure 'contrib' plugin/addon module for libxslt
Whilst I'm generally supportive of Fedora replacing MySQL with MariaDB I have to suggest that the decision may have been slightly swung by Oracle's attempts to steal RHEL customers with their substandard RHEL-clone. What I'm waiting for is RedHat to kick MySQL out of RHEL and CentOS, then I'll be quietly pouring a celebratory drink or three.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
