Problem/Motivation
- Let's assume a Drupal 9 EOL of Nov. 2023 to coincide with Symfony 4's EOL, unless we decide something different in #3018653: Decide on Drupal 9's EOL date range (and therefore, Drupal 10's release date range).
- As far as we know, all minimum database versions required by the core database drivers other than MariaDB will be security supported until approximately then:
- MySQL 5.7 Community Server is supported by Oracle until October 2023.
- PostgreSQL 10 is EOL by PostgreSQL after November 2022. However, RHEL/CentOS 8 will continue providing security backports until May 2024.
- SQLite 3.26 is part of RHEL/CentOS 8 core (not an app stream), so as far as we know, will receive security backports until 2029.
- However, MariaDB 10.2 goes EOL in May 2022, and there aren't any major Linux distros providing freely accessible security backports beyond that. SUSE 15 SP1 ships with MariaDB 10.2, but SUSE 15 SP2 will ship in June 2020 with MariaDB 10.4, and SP1 will go out of mainstream support 6 months later. One can purchase up to 3 years of additional SP1 support beyond that, but that's not free.
- Because people can purchase extended support for MariaDB 10.2 (from MariaDB or from SUSE), it would be disruptive for core to raise the platform requirement in a Drupal minor release. Therefore, if we need to do it during D9's lifetime, it's better to do it prior to 9.0.
- At the same time, we shouldn't require core contributors or maintainers to install software with publicly known security vulnerabilities in order to work on, test, or review issues. Nor should we require them to purchase extended support from anyone in order to get a secure build.
- MariaDB 10.3 is EOL by MariaDB in May 2023, but it will ship with Ubuntu 20.04, so Ubuntu will provide freely available security backports until April 2025.
Proposed resolution
- Raise the minimum MariaDB version required by core to 10.3. If we want to pick a patch version within the 10.3 series, then 10.3.7 is a logical choice, since that's the first stable (GA) release.
- For people still stuck on 10.2, create a contrib driver for it similar to the one for MySQL 5.6 and PostgreSQL 9.6.
Note that I was against this in #3107113-28: [policy] Decide on MySQL/MariaDB/Percona Server version support status for Drupal 9, but that was before SUSE upgraded their MariaDB version in 15 SP2.