[Pkg-samba-maint] Old versions of Samba in Debian

L.P.H. van Belle belle at bazuin.nl
Wed Sep 11 13:36:56 BST 2019


Hai, 

@Andrew, personally I don't think that disabling the AD DC is a good way to do this. 
That will break people's setups, but I'm also thinking about how to support samba the best way, conforming to debian policies. 

My idea.. Below is a bit based on how I do it now.. 

Currently we can use the following, I hope the below is correct.
Note that the placement of fasttrack might be lower or even higher than sid. 
I have not had the time for a good/close look at the fasttrack requirements.

oldoldstable   jessie             4.2.14
oldstable      stretch            4.5.16
stable         buster             4.9.5
backports      buster-backports   ----- + buster-stable
testing        bullseye           4.9.13
fasttrack      buster-fasttrack   ----- + buster-backports
sid            sid                4.9.13
experimental   experimental       4.10.8

debian-lts     Up to at least 5 years.. But no samba is maintained in LTS. 
At least according to the LTS security update history. 

Samba rotation every 6 months. 
Debian rotation every 2 years (+ extra time, a.k.a. when it's ready, but max 3 years so far). 

I'm currently holding on my repo. 
oldoldoldstable   wheezy         dropped from repo (was 4.1-4.6)
oldoldstable      jessie         4.5EOL + 4.6EOL + 4.7EOL and 4.8 security only. 
oldstable         stretch        4.6EOF + 4.7EOL + 4.7EOL and 4.8 security only +4.9 +4.10
stable            buster         4.10 and preparing for 4.11
experimental      experimental   4.11rc4

The only way to do this right, in my opinion, is adding the version number
of samba to the package names and using meta packages. 

For example: 
samba is a meta package pointing to the samba-version which is the version at the point of Debian release. 
For buster samba-4.9: samba -> samba4.9 -> 4.9.5 
Debian testing allows us to add backports, and brings samba currently to samba4.9 -> 4.9.13
Still through the meta package, that allows backports within the same version of samba 4.9.x

Now after some time 4.10.8 is moving to sid and we can add samba410 to fasttrack. 
The result now is that you can run buster with 4.9.5 or 4.9.-latest or 4.10-latest,
which provides a nice upgrade path with less risk of AD-DB upgrade problems.

And we hold/wait to move 4.10 to testing. So when do we move it to testing? At a new samba release. 
(I don't know if this conflicts with debian policies, but I don't think so.)

Then we repeat the steps for backports, but now samba will notice a major change from 4.9 to 4.10.
You are now asked if you want this upgrade or not, but with the needed messages of advantages/disadvantages. 

And only if a samba version has moved from experimental to unstable is it added to fasttrack. 

So, now at this point people have a choice, follow newer samba versions or keep the setup as is. 
If you remove the meta package you only follow the samba line you have installed.
(P.S. this is a bit the same as how the kernel upgrades are done.)

And lots of build dependencies can be re-used or can easily be backported. 

Now you might notice I did not say a lot about the security fixes. 
In the above you only add the newer version of samba and we need to fix the one in debian stable. 
So not much changes in that process. 

Since there is no Debian LTS for samba, I don't see that as a problem. 
At some point you must upgrade samba, because of the windows upgrades. 

Just throwing in ideas here... 


Greetz, 

Louis




-----Original message-----
From: Pkg-samba-maint [mailto:pkg-samba-maint-bounces+belle=bazuin.nl at alioth-lists.debian.net] On behalf of Andrew Bartlett
Sent: Wednesday 11 September 2019 1:08
To: Mathieu Parent; Matt Grant; belle at samba.org
CC: Debian Samba Maintainers
Subject: [Pkg-samba-maint] Old versions of Samba in Debian

On Sun, 2019-09-08 at 23:10 +0200, Mathieu Parent wrote:
> Most of the time, security fixes were applicable in older versions
> without problem.

I just want to give a word of warning.  The Samba Team means it when we
say we don't support older versions.  We don't go out of our way
looking for issues in older versions and you may have seen the mess we
got into when I tried to patch Samba 4.5 for ldb issues.  

That is, in Samba we simply don't have a good/functioning process for
the issues that don't impact our supported versions. 

I realise that cuts directly across everything it means to be Debian,
and I don't know a good solution.  

We can't lean on Red Hat et al to support the older versions because
they don't ship the AD DC.  

Indeed I would favour having the AD DC self-disable once debian becomes
old-stable (but I know that is not practical).  It certainly should be
pulled from debian-lts.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba




