First, congratulations Oracle on the GA of MySQL 5.6! Well done!

In this post I walk through the features of the first two alpha versions of MariaDB 10.0: 10.0.0-alpha, which was made available in November, and 10.0.1-alpha, which saw daylight yesterday. I will go through the features by placing them in the following categories:

  • MariaDB 10.0-only Features (features that aren’t in MySQL 5.6)
  • MariaDB 10.0 Merged Features (features merged from MySQL 5.6)
  • MariaDB 10.0 Reimplemented Features (features reimplemented from features in MySQL 5.6)
  • MariaDB 5.x Features now in MySQL 5.6 (features introduced in earlier MariaDB versions which have now been introduced in MySQL 5.6)
  • MariaDB 5.x Features Backported from MySQL 5.6 (features introduced in earlier MariaDB versions which were backports of features from MySQL 5.6 development versions)

Some of the features will have links to the MySQL manual for the documentation Oracle has made available on the feature.

MariaDB 10.0-only Features

Features in this section are unique to MariaDB 10.0 and aren’t found in MySQL 5.6.

Available since 10.0.0
  • Multi-source replication (MDEV-253)
    • Multi-source replication is a longtime wish of many users. In scenarios where you partition your data over many masters you can then replicate the data from all masters onto one slave. Typical use cases are:
      • Data partitioned over many masters can be pulled together onto one slave for analytical queries
      • Many masters can replicate to the same slave and a complete backup can be done on the slave
      • Newer hardware usually provides more performance. Usually all hardware isn’t upgraded at once and multi-source can be used for replicating many masters to a powerful new slave.
    • Original code from Taobao
  • Even faster Group Commit
    • Further enhancements have been made to group commit. A couple of blog posts about the improvements by the developer, Kristian Nielsen, can be found here.
  • SHOW EXPLAIN
    • Get the query plan of a running statement.
Now available in 10.0.1
  • Cassandra Storage Engine
    • An integration of the NoSQL database Apache Cassandra. Cassandra is seen as a storage engine to MariaDB. The integration enables:
      • Combining data from Cassandra and MariaDB
      • Reading and writing to Cassandra from MariaDB. SQL’s SELECT, INSERT, UPDATE and DELETE all work.
  • Engine independent statistics
    • Optimizer statistics are a collection of data that describe the database and the objects in it in more detail.
    • Statistics are now provided separately from storage engines. Before, statistics were supplied by the storage engines themselves and the quality of the statistics was usually quite poor. Also, because they were provided through the storage engine interface, a lot of restrictions were put on them.
    • These statistics are used by the query optimizer to choose the best execution plan for each SQL statement. Better statistics result in better execution plans, and end users will generally experience faster results.
    • Statistics are also collected for non-indexed columns. InnoDB’s statistics, for example, were previously only for indexes.
  • Improved Dynamic Columns
    • Dynamic Columns has been in MariaDB for a while already. This feature allows you to store a different set of columns for every row in a table. In that manner Dynamic Columns can be called NoSQL-like.
    • Since MariaDB introduced Dynamic Columns there has been user feedback and research going on to improve it further. Dynamic Columns has some new capabilities that now are in mainline MariaDB:
      • Database interoperability: It’s pretty rare that companies use only a single type of database and even critical business systems are often built on several different types of databases. Usually the data from those different databases is combined in an upper application level. MariaDB introduces the possibility of doing this at a low level inside the MariaDB database. The first implementation of this is integration with Cassandra. With Dynamic Columns and the Cassandra Storage Engine you can now combine data residing in Cassandra with data inside MariaDB and this is done through normal looking queries on the MariaDB side.
      • Data interchange: JSON has become a very popular standard for data interchange. In Dynamic Columns one can now request a row in JSON format.
  • Per thread memory usage (MDEV-4011)
    • Based on a patch by Taobao, INFORMATION_SCHEMA and SHOW STATUS enable the analysis of thread-specific memory usage.
  • Faster ALTER TABLE with UNIQUE key (MDEV-539)
    • Significant speed up of ALTER TABLE with unique keys (for Aria and MyISAM storage engines)

MariaDB 10.0 Merged Features

Features listed in this category have been directly merged from MySQL 5.6.

Already available since MariaDB 10.0.0
  • InnoDB and Performance Schema
    • Most InnoDB enhancements, but some, for example InnoDB’s fulltext capabilities, will come in an upcoming version of 10.0.
      MySQL Manual: InnoDB.
    • The full new performance schema with all the new event filtering, instrumentation, and other goodies.
      MySQL Manual: Performance Schema
  • ORDER BY … LIMIT optimization
    • A useful optimization for showing only a few rows of a bigger resultset.
      MySQL Manual: Limit Optimization
Now added in 10.0.1
  • Plugin-load-add (MDEV-3860)
    • Used to avoid specifying a large set of plugins in a single long argument

MariaDB 10.0 Reimplemented Features

These features are re-implementations of the corresponding functionality in MySQL 5.6. In future versions of MariaDB 10.0 there will be a few more features in this category. I’ll cover them in a future blog post.

In 10.0.1
  • Add full support for auto-initialized/updated timestamp and datetime

MariaDB 5.x Features now in MySQL 5.6

Earlier MariaDB 5.x versions included features that have now been introduced in MySQL 5.6. It should be noted that the corresponding features in MySQL 5.6 haven’t been merged from MariaDB. Oracle has re-implemented them.

MariaDB 5.x Features Backported from MySQL 5.6

These features were merged from MySQL 5.6’s development trees to MariaDB, where they were then hardened for production use.

  • Binlog checksums were introduced in MariaDB 5.3. It is a backport of the corresponding feature in MySQL 5.6.

As you can see above, there are quite a few features in MariaDB 10.0 already, but more are coming. Stay tuned for an update on features going into MariaDB 10.0.2.

I’m getting more and more concerned about the current Oracle approach to MySQL security. And the fact that I was solely responsible for security@mysql.com for about ten years doesn’t make it easier; on the contrary, it only emphasizes the changes in attitude.

Starting from the obvious — somewhat slower response to critical bug fixes, which can be expected, Oracle is a big company, right? Very little information about security vulnerabilities is disclosed, CPUs are carefully stripped of anything that might help to understand the problem, it takes hours to map them to code changes. Heck, even test cases are kept private now. This seriously smells like Security through Obscurity to me.

But all that isn’t news. Here I want to talk about the recent wave of security vulnerabilities. If you search for, say, “mysql security full-disclosure”, you will find the original postings to the full-disclosure@lists.grok.org.uk mailing list, as well as further discussion and my replies. Not Oracle replies, though. In short, the vulnerabilities announced in early December were:

  1. CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
  2. CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
  3. CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday
  4. CVE-2012-5614 MySQL Denial of Service Zeroday PoC
  5. CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
  6. CVE-2012-5627 MySQL Local/Remote FAST Account Password Cracking

All posted to the full disclosure mailing list, accompanied by exploits in Perl. Out of these issues, the 3rd was a configuration issue (FILE privilege granted to an untrusted user, no --secure-file-priv used), the 4th was already fixed in the latest MariaDB and MySQL releases (the reporter used an outdated MySQL version), the 1st — the most dangerous one — was already fixed in the latest MariaDB release (we were lucky to discover this issue independently a few weeks earlier and immediately released a fix). Everything else was valid, exploitable, and very much public, after the original postings were quoted in various blogs and news articles.
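As an added example (not part of the original post and not MariaDB or MySQL code), here is a small audit for the misconfiguration behind the 3rd issue: it flags accounts that hold the FILE privilege and a server running without secure-file-priv. The sample my.cnf, the account rows and the TRUSTED_ADMINS allow-list are constructed assumptions.

```python
import configparser

# Constructed sample data: a my.cnf fragment and rows as returned by
#   SELECT User, Host, File_priv FROM mysql.user;
SAMPLE_CNF = """!includedir /etc/mysql/conf.d/
[mysqld]
datadir = /var/lib/mysql
skip-name-resolve
"""
SAMPLE_USERS = [
    ("root", "localhost", "Y"),
    ("webapp", "%", "Y"),
    ("report", "10.0.0.%", "N"),
]
TRUSTED_ADMINS = {("root", "localhost")}  # assumption: site-specific allow-list


def secure_file_priv(cnf_text):
    """Return the configured directory, or None when unset or empty."""
    # Drop !include/!includedir directives, which configparser cannot parse.
    lines = [ln for ln in cnf_text.splitlines() if not ln.lstrip().startswith("!")]
    parser = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None, delimiters=("=",)
    )
    # The server accepts '-' and '_' interchangeably in option names.
    parser.optionxform = lambda name: name.strip().lower().replace("-", "_")
    parser.read_string("\n".join(lines))
    if parser.has_option("mysqld", "secure_file_priv"):
        value = parser.get("mysqld", "secure_file_priv") or ""
        return value.strip().strip("'\"") or None
    return None


def audit(cnf_text, users, trusted=TRUSTED_ADMINS):
    """List findings for the FILE privilege / secure-file-priv combination."""
    findings = []
    directory = secure_file_priv(cnf_text)
    if directory is None:
        findings.append("secure-file-priv unset: import/export paths are unrestricted")
    for user, host, file_priv in users:
        if file_priv == "Y" and (user, host) not in trusted:
            scope = f"limited to {directory}" if directory else "any path the server can access"
            findings.append(f"'{user}'@'{host}' holds FILE ({scope})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CNF, SAMPLE_USERS):
        print(finding)
```

Only the [mysqld] section is read here; a real deployment may also set the option in other sections or in included files.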

In due time MySQL 5.5.29 is released. The 1st issue — CVE-2012-5611 — looks fixed. The second one — CVE-2012-5612 — is fixed too. Hurrah! But the 5th and 6th vulnerabilities — CVE-2012-5615 and CVE-2012-5627 — are not fixed. Which, apparently, leaves MySQL installations at the mercy of any script kiddie who can use Google. And the 1st one (the worst of all) is fixed incompletely — a fact that is simply impossible to miss, given the amount of testing that the MySQL continuous integration framework (Pushbuild2) is performing.

Really, I wouldn’t expect a database vendor to blatantly ignore publicly announced vulnerabilities that have CVE identifiers, known and easily available exploits, and were posted and reposted all over. So, Oracle, what was that, eh?

2013/Feb/05 UPDATE: MySQL 5.5.30 doesn’t seem to fix these issues either. Two months after the vulnerabilities went public. After the MariaDB 5.5.29 release (with the fixes) and this blog post! I don’t think Hanlon’s razor can explain that.

The MariaDB project is pleased to announce the immediate availability of the following new stable (GA) MariaDB versions:

Security Updates

These releases are “bug fix” releases and they include, among other things, fixes for the following security vulnerabilities:

New Packages

MariaDB 5.5.29 includes packages for Fedora 18 “Spherical Cow” and Ubuntu 12.10 “Quantal Quetzal”. Visit the Repository Configurator to generate the necessary commands to easily install MariaDB on these and many other distributions.

We’ve also extended the repository configuration tool to provide instructions for distributions which include MariaDB. We’ve started with Mageia and will be adding others soon.

Discontinued Builds

Along with the news of new package builds is the news that some old distributions will be deprecated. The MariaDB project tries to support as many different operating systems and Linux distributions as possible. However, when a distribution or OS stops receiving upstream security and other updates it becomes difficult to provide packages for that platform. In such cases, our policy is to deprecate that platform and stop building binary packages for it in our build system.

As of 1 Feb 2013, we will stop building and testing packages for the following:

  • Fedora 16 “Verne”
  • Debian 5 “Lenny”
  • Ubuntu 10.10 “Maverick”
  • Ubuntu 11.04 “Natty”

Even after your chosen Linux distribution is deprecated, packages and support are still available. Companies such as SkySQL and Monty Program (among others) provide paid support for all versions of MariaDB and back to even very old MySQL versions. This includes packaged binaries.

More information on our deprecation policy can be found on the MariaDB Deprecation Policy page.

Archived Releases

From the beginning of the MariaDB project in 2009 we’ve kept all of our old releases online via our network of mirrors. Doing this is great for those few who are interested in old releases, but the disk space required to host all of our old releases is over 130 Gigabytes at present and grows by several gigabytes with each new release. This is too much for some of our mirrors to handle. So, starting with this round of releases our primary mirror will only host the most recent few releases in each series (5.5, 10.0, 5.3, and so on). Mirrors are, of course, free to keep archiving every release, but the primary mirror that they pull from will not.

Old releases do have value, so for those that are interested in old releases, we are setting up a simple, no frills, archive server which will host them. Once the server is up and running, links to archived releases on https://downloads.mariadb.org will point at the archive server. During the transition period, links to some old releases may disappear for a short time, but don’t worry, they haven’t been deleted, they’re just being moved!

If you have hundreds of spare gigabytes on a fast connection and would also like to host the complete MariaDB archive, contact us at mirror at mariadb.org and we’ll include a link to your mirror from our archive server (see Mirroring MariaDB for more information about becoming a mirror).

User Feedback plugin

MariaDB includes a User Feedback plugin. This plugin is disabled by default. If enabled, it submits basic, completely anonymous MariaDB usage information. This information is used by the developers to track trends in MariaDB usage to better guide development efforts.

If you would like to help make MariaDB better, please add “feedback=ON” to your my.cnf (my.ini on Windows) file!

See the User Feedback Plugin page for more information.

Quality

The project always strives for quality, but in reality, nothing is
perfect. Please take time to report any issues you encounter at:

http://mariadb.org/jira

We hope you enjoy MariaDB!