Back when Sun Microsystems was setting, some of the programmers who had been involved with the popular and well-known open source MySQL database started a fork of the project called MariaDB.
The new project was led and named by Michael "Monty" Widenius, the original developer of MySQL and one of the founders of the eponymous company that Sun acquired. After leaving Sun, he formed a company in his native Finland -- Monty Program AB -- to host development of MariaDB and made an open offer of employment to any MySQL committer. As a result, a formidable corps of developers gathered at Monty Program.
They've been working hard, though you might not know it. MariaDB has been upstaged by Oracle's continuing development and marketing of MySQL itself, which was acquired with the rest of Sun's assets. All the same, their labors have paid off. In a comparison of six open source databases -- including MySQL -- Network World found MariaDB to be the preferred choice. Monty told me that MariaDB included the equivalent of 30 person-years of development over MySQL, and the Monty Program has certainly proved responsive -- especially at fixing security issues.
A focus on prompt patching
Monty told me that the MariaDB team has been working closely with mitre.org to ensure that security issues are promptly reported and explained in detail. Because Oracle no longer publishes details of the security fixes it makes, the MariaDB team usually has to reverse-engineer patches from published sources "dropped over the wall" from MySQL. They then merge all MySQL security patches into MariaDB. Monty told me, "MariaDB is the most secure version of MySQL" -- a bold claim.
While the details of the vulnerabilities fixed are usually kept private until after new versions of both MariaDB and MySQL have been published, the most recent batch offers an unusual glimpse into the difference in responsiveness between the MariaDB and MySQL teams. MariaDB fixed the issues in a few days, with published and documented open source patches, but MySQL still hasn't (at the time of writing) patched the vulnerabilities.
This is not new. Oracle has been accused of allowing its corporate processes to take priority over community engagement at MySQL: closing access to new development, being slow to fix security bugs, and failing to communicate with the MySQL ecosystem. I spoke with a number of people from the wider MySQL and MariaDB ecosystem, and all expressed frustration.
So with news last week of the formation of a MariaDB Foundation, it's clear that a new phase could be starting for the MySQL open source community. MariaDB -- and by implication, MySQL -- now has a dedicated institution, with the intent that there should be no single entity in control. I talked about the creation of the MariaDB Foundation with Monty, its CTO, and with its COO Andrew Katz. You can see the full discussion on this and other topics in this video: