32

I've been using MariaDB, "an enhanced, drop-in replacement for MySQL" on my Debian stable servers for years, because of its increased performance.

However I've noticed that it appears to lag with relation to security updates in MySQL; for instance, there's DSA 3229-1 which lists several vulnerabilities, which do not appear to be patched in the Debian stable mariadb package.

Is this a security versus speed tradeoff? Is MariaDB generally behind on security updates or is this just a one-off?

artfulrobot

1 Answer

39

MariaDB is not a performance-enhanced MySQL version.

MariaDB is the forked MySQL version currently used in the open-source space. It was forked from MySQL due to mistrust in how Oracle would behave with regard to the original MySQL code. You can see here for more information.

While until version 5.1 both were more or less the same code, by 5.5 this changed significantly. This means that they are now two different (albeit largely compatible) products, so it is not automatic that errata affecting one (e.g. MySQL) are applicable to the other (MariaDB).

shodanshok
  • 1
    The quote is from the MariaDB homepage. My saying "its increased performance" is based on my own real-world experience on the specific projects I have used it for. I understand that it has diverged. So you're saying that these CVEs are not [necessarily] relevant to MariaDB because of the divergence? – artfulrobot Apr 20 '15 at 10:50
  • 3
    @artfulrobot It may be that they are not relevant, or that they weren't reported to the MariaDB maintainers at the same time as they were to Oracle. Conversely, it might be that some of them were fixed in MariaDB first. – richardb Apr 20 '15 at 10:54
  • Got you, thanks. Guess I'll just have to trust Monty. – artfulrobot Apr 20 '15 at 10:55
  • 1
    One more consideration: MySQL probably still has the larger user base, which means that it will be more heavily scrutinized. It may take longer for MariaDB vulnerabilities to be discovered than for MySQL. – Kevin Keane Apr 20 '15 at 21:22
  • 1
    @KevinKeane But on the other hand, a smaller userbase means less demand for exploits and fewer people actively searching for them. These two factors cancel each other out. – Philipp Apr 20 '15 at 23:18
  • 1
    It would seem that if there is a known exploit for MySQL, then the exploit could be tested against MariaDB, and vice versa. It would seem almost irresponsible not to do so. – dotancohen Apr 21 '15 at 12:39
  • @dotancohen - or advantageous, depending on your perspective. That said, in response to the topic at hand, I would recommend checking for CVEs (https://cve.mitre.org/) rather than relying on errata from MySQL and then testing it out on MariaDB. – willc Jan 12 '17 at 17:43
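The check willc recommends, as an added example that is not code from the question or the answer above: given the CVE ids copied from an advisory, report which of them the Debian MariaDB package's own changelog cites as fixed and in which package version, and which it never mentions. The changelog path, the sample changelog entries and the CVE-0000-* ids are constructed for the example.

```python
"""Added example (not code from the question or the answer): cross-check the CVE
ids a DSA lists against those a Debian MariaDB package's changelog says it fixed.
Debian maintainers cite fixed CVEs in changelog.Debian.gz, so an id that never
appears is one to look up in the Debian security tracker, not assume fixed."""
import re
# One changelog entry starts with "<package> (<version>) <distribution>; ..."
ENTRY_HEADER = re.compile(r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) ")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def cves_by_version(changelog_text):
    """Map each CVE id to the oldest package version whose entry cites it.
    Entries are newest-first, so the last mention seen is the oldest fix."""
    fixed = {}
    version = None
    for line in changelog_text.splitlines():
        header = ENTRY_HEADER.match(line)
        if header:
            version = header.group("version")
            continue
        if version is not None:
            for cve in CVE_ID.findall(line):
                fixed[cve] = version
    return fixed

def check_advisory(advisory_cves, changelog_text):
    """Split an advisory's CVE ids into (addressed, not mentioned)."""
    fixed = cves_by_version(changelog_text)
    addressed = {c: fixed[c] for c in advisory_cves if c in fixed}
    not_mentioned = sorted(c for c in advisory_cves if c not in fixed)
    return addressed, not_mentioned

# Constructed sample standing in for the real changelog, which on Debian is
# read with gzip.open("/usr/share/doc/mariadb-server/changelog.Debian.gz", "rt").
# The CVE-0000-* ids are placeholders, not real identifiers.
SAMPLE_CHANGELOG = """\
mariadb-10.0 (10.0.17-1) unstable; urgency=medium

  * New upstream release, also fixes CVE-0000-0002.

 -- Example Maintainer <maint@example.invalid>  Mon, 02 Mar 2015 12:00:00 +0000

mariadb-10.0 (10.0.16-1) unstable; urgency=medium

  * New upstream release, fixes CVE-0000-0001 and CVE-0000-0002.

 -- Example Maintainer <maint@example.invalid>  Mon, 02 Feb 2015 12:00:00 +0000
"""

if __name__ == "__main__":
    print(check_advisory(["CVE-0000-0001", "CVE-0000-0003"], SAMPLE_CHANGELOG))
```

An id reported as not mentioned is not proof the package is vulnerable; it is the cue to check the Debian security tracker entry for the MariaDB source package before concluding anything.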