At the end of May I wrote about the numbering plans for the next version of MariaDB in the blog post "What comes in between MariaDB now and MySQL 5.6?". We received quite a lot of feedback and criticism on the idea of calling the next version MariaDB 10.0. Here is a little more information about why it makes sense to call the next version 10.0.

This is not news for most of you. MariaDB is not just a set of patches applied on top of MySQL. MariaDB includes features which are similar to the corresponding features in MySQL, but the implementations differ, like for example the thread pool, microsecond support and query annotations in RBR binlog. MariaDB also includes a lot of features that are not in MySQL. For a complete listing of feature differences check out http://kb.askmonty.org/en/mariadb-versus-mysql-features/.

To call the next MariaDB version MariaDB 5.6 would be misleading.

Eventually there will be a version of MariaDB which includes all the features of MySQL 5.6 either ported or implemented in a different way, but before that there will be at least a couple of releases which include some features which have been ported from MySQL 5.6 and some completely new features that aren’t in MySQL 5.6.

A concern we have received is that tools and other clients validating the server version they are connecting to might become incompatible with MariaDB without changes in the tool/client. Thank you Peter Laursen from Webyog for your input on this! The issue is that tools and other clients rely on the value returned by “SELECT VERSION();”. Based on the version number returned, the tool enables or disables features. The fact is that no version numbering can solve this. Even if we called our next release 5.6.1, it would not have all the features of MySQL 5.6.1, only some of them. It would also have some of the features of later MySQL releases, and features that are not in MySQL at all. In other words, no single MySQL version number can adequately describe the feature set of MariaDB. Thus we think it will be less confusing and less ambiguous to use a completely different number, a distinct version series.

We suggest that “SELECT VERSION();” return the correct version, e.g. 10.0.1-MariaDB.

In addition to the reasoning above, current MariaDB releases already introduce additional functionality for tools, like more statistics and extra switches, compared to MySQL. This added functionality is highly beneficial for tools to take advantage of. We highly recommend that tool vendors distinguish between MySQL and MariaDB in this regard today, and doing so will only become more important going forward. We are also thinking about introducing a way for DBAs to influence what the VERSION() string says.

One area that seems to rule out all fancier version numbering, like 5.5-10.0, is the distribution packages, which in general support only normal versioning of type major.minor[.build[.revision]]. Even if a specific package format supported a more complex version numbering scheme, determining whether a package is an upgrade becomes hard when the new version number is not simply a set of incremented numbers.

I hope this explains the logic behind choosing 10 to be the version number of the next MariaDB version. Your feedback on this is, however, still more than welcome.

It is not a secret that we’ve been kicking the tires and playing with JIRA for project management. After using it since the beginning of the year most of us like the feel of it and we’ve decided that it makes sense to start using it more.

As you know, the MariaDB project has many fragmented resources. We report bugs in Launchpad. We store our plans in worklog. We’ve never used the Launchpad Blueprint feature for this very reason. We don’t use Launchpad Answers because we have the Knowledgebase.

With this move to hosted JIRA (yes, this is an important link: http://mariadb.org/jira) we can report bugs, have future plans, and also give users a roadmap which is pretty cool. One nifty feature is that in the past two releases, we had a roadmap and we didn’t slip in terms of a schedule. We had on time releases and that’s awesome!

So what does this mean for you? To report bugs, you will now do so on JIRA. To make feature requests and talk about our future plans, you will also now use JIRA.

We plan to deprecate Worklog and Launchpad bugs by 30 June 2012. Launchpad will however continue to host the source code for MariaDB.

What will happen to bugs already reported on Launchpad? We have migration scripts ready for this and when we press the button bug reports will nicely migrate over to JIRA. After that is done we’ll place a notification on the MariaDB bugs page in Launchpad about reporting new bugs in JIRA.

What will happen to feature requests and ideas already in worklog? Worklog will be put into a read-only mode and there will be notifications about the move to JIRA. Whenever needed we’ll copy & paste worklog items into JIRA.

What does it mean to the openness of the MariaDB project? It’s not affected at all. The MariaDB project will remain an open community friendly project and as a bonus it will be easier to follow what is going on in the project since you don’t have to jump between several tools to get the complete picture.

The consolidation to JIRA provides the means to report and track project status more easily than before, which allows the MariaDB team, community members and others to better coordinate and prioritize work.

As a side note, JIRA (and other software by Atlassian) has sometimes been criticized in the open source world because of its commercial nature and many are unaware of the fact that Atlassian do offer a free Open Source Project License to open source projects, which is what is being used with MariaDB.

As another side note, I’m not going to dive into comparing features in e.g. Launchpad with features in JIRA. I do know it would be possible to use blueprints for feature specifications etc. in Launchpad. The most important aspect in my mind is that you pick a tool that you like the feel of, has the features you need and tightens collaboration between developers, project managers, community members and other persons involved in the project.

In short, this is all about three project tools becoming one.

Over the past few days extensive conversations around a new security vulnerability in MariaDB and MySQL have taken place.

It all started as a chain reaction when Monty Program publicly disclosed information about the flaw they had found and about how to make sure your MariaDB and MySQL installations can be fixed. The initial information was assigned the security vulnerability identifier CVE-2012-2122 and the contents can be seen e.g. here: http://seclists.org/oss-sec/2012/q2/493.

The bug was found two months ago on April 4th.

Before disclosing the information publicly, given the seriousness of this bug and considering the millions of MySQL and MariaDB installations deployed worldwide, Monty Program informed the biggest distributors of MySQL and MariaDB as a precaution.

On April 6th, Monty Program informed Oracle about it in bug report http://bugs.mysql.com/bug.php?id=64884 and provided a suggested fix.

The other big distributors of MySQL and MariaDB are the major Linux distributions, which were also alerted in April and provided with a fix for old (unsupported by Oracle) MySQL versions. This gave Oracle and the Linux distributions some lead time to check if their MySQL and/or MariaDB builds were vulnerable and apply the provided fix if needed.

Whether your MySQL or MariaDB installation is vulnerable depends on where and how the binaries you use were built.

The official MariaDB binaries provided by Monty Program, the MySQL binaries provided by Oracle and the binaries Percona provides of their server have all been tested. All these vendors have confirmed that the vulnerability isn’t present in their binaries and that it actually has never been present due to the way that the binaries are built.

All binaries listed on the SkySQL website are either official Oracle or official MariaDB binaries mirrored from dev.mysql.com/downloads and downloads.mariadb.org.

If you built your binaries yourself, you (or your database administrator) can easily test if your installation is vulnerable or not by following the instructions found e.g. here http://ronaldbradford.com/blog/repost-a-tragically-comedic-security-flaw-in-mysql-2012-06-11/.

In the case that you build or have built your own binaries another good piece of information is that the fix (getting rid of the problem independently of how you build) was first released in MariaDB in version 5.5.23 on April 10. Oracle followed by having the fix in MySQL 5.5.24 on May 7.
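The following Python sketch is an added example, not code from MariaDB, Oracle or this blog. It serves two passages above: the advice that tools distinguish MariaDB from MySQL when reading `SELECT VERSION();`, and the fix releases named here (MariaDB 5.5.23, MySQL 5.5.24). The feature table, the function names and the rule that a "MariaDB" suffix identifies the flavor are assumptions.

```python
import re

# Fix releases for CVE-2012-2122 as stated on this page (5.5 series only).
FIXED_IN = {"MariaDB": (5, 5, 23), "MySQL": (5, 5, 24)}

# Hypothetical feature table (constructed): minimum release per server flavor.
FEATURE_MIN = {"example_feature": {"MySQL": (5, 6, 1), "MariaDB": (10, 0, 1)}}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(version_string):
    """Split a SELECT VERSION() result into (flavor, (major, minor, patch))."""
    match = _VERSION_RE.match(version_string)
    if match is None:
        raise ValueError("unrecognised version string: %r" % (version_string,))
    numbers = tuple(int(part) for part in match.group(1, 2, 3))
    # Assumption: MariaDB builds carry "MariaDB" in the suffix, as in the
    # "10.0.1-MariaDB" example; any other suffix is treated as MySQL.
    flavor = "MariaDB" if "mariadb" in match.group(4).lower() else "MySQL"
    return flavor, numbers


def feature_enabled(feature, version_string):
    """Gate a feature on flavor AND version, never on the number alone."""
    flavor, numbers = parse_version(version_string)
    minimum = FEATURE_MIN[feature].get(flavor)
    return minimum is not None and numbers >= minimum


def has_cve_2012_2122_fix(version_string):
    """True/False inside the 5.5 series; None where this page names no fix release."""
    flavor, numbers = parse_version(version_string)
    fixed = FIXED_IN[flavor]
    if numbers[:2] != fixed[:2]:
        return None  # other series: consult the vendor or distribution advisory
    return numbers >= fixed


if __name__ == "__main__":
    # Constructed sample VERSION() strings.
    for sample in ("5.5.22-MariaDB", "5.5.23-MariaDB-log", "5.5.23", "5.5.24-log", "5.1.61"):
        print(sample, parse_version(sample)[0], has_cve_2012_2122_fix(sample))
```

A `False` result means only that the release predates the fix named above; whether such a build is actually affected still depends on how the binaries were built, and distribution packages may carry the fix under an older version number.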

Most of us, MariaDB and MySQL users, do not have a need to build binaries on our own, i.e. we are on a platform that the official MariaDB and MySQL binaries are provided for and we do not have our own patches that would need to be applied before producing our own binaries.

For most of us it’s therefore recommended to get the binaries from the official channels, such as through the Linux distribution you use via the distribution’s repository or through the official download channel of the database, which in the case of MariaDB is http://downloads.mariadb.org.

Also, if you want to make sure that you’re on the latest version of MariaDB and you’re running on CentOS, Fedora, Debian, Red Hat or Ubuntu you should consider adding MariaDB’s official repository, http://downloads.mariadb.org/mariadb/repositories/.

MariaDB and/or MySQL packagers (such as Linux distributions) should make sure they sign up for the MariaDB mailing list intended for packagers at https://lists.askmonty.org/cgi-bin/mailman/listinfo/packagers to receive important notifications including early disclosure of security vulnerabilities, like this one.