[Pkg-samba-maint] Samba and badlock in Debian

Alain Deléglise alain.deleglise at alterway.fr
Mon Apr 4 09:46:56 UTC 2016


On Mon, 2016-04-04 at 10:37 +0200, Alain Deléglise wrote:
>> Hi list,
>>
>> we're really concerned about the badlock bug. As mentioned in the
>> Samba release planning, the 4.1 versions will not be covered by the
>> security patches. Unfortunately we're using the 4.1 version, as we use
>> Debian wheezy and jessie on production servers.
>>
>> I've read, in a recent message
>> http://lists.alioth.debian.org/pipermail/pkg-samba-maint/2016-March/018057.html,
>> that we're not the only ones to be concerned :)
>>
>> How will you manage this problem? How can one get a maintained
>> package for Debian versions other than unstable?
> One option is to backport Samba 4.3 or 4.4 (which I hope to upload to
> experimental shortly).  Providing and maintaining a backport of Samba
> and the relevant libraries would be most helpful for many of our users.
>
>> I see that the 4.3.6 is in testing state, but the tracker contains no
>> information about badlock. Am I missing something?
> This issue is not yet public, so no patches are publicly available to
> address them, so you won't see anything until the 12th.
>
>> As Sernet provides pre-compiled, pre-packaged paid packages of Samba,
>> how will the community achieve security standards on enterprise-class
>> open-source software, such as Samba?
> I'm not sure what you are asking about here.
>
>> Finally, how can I/we help you guys with maintaining Samba in Debian?
> As you can see here, we do need help:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814382
>
> Tasks include bug triage (mostly telling folks to report issues
> upstream), packaging new versions as they come out, etc.
>
> In the short term the best thing that would help is testing the
> unstable and soon to be uploaded experimental packages.
>
> Finally, do trust that we take the maintenance of Samba in Debian
> seriously.  We are very short-staffed, and in the long run new
> packagers would make a massive difference. 
>
> We will get 'badlock' dealt with one way or the other, but we can't
> really talk about it more than that in public right now.
>
> Andrew Bartlett
>
Hi Andrew,

thanks for this quick answer.

I will respond on
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814382 asking what I
can do.

I'm sure that you guys are serious about maintaining Samba for Debian, and
please be sure that my fellow colleagues and I would buy you a beer if you
somehow manage to come to France ;)

However, do you have resources (tutorial, documentation) on how to
"properly" backport Samba 4.3 or 4.4?
Do you have work for me to do right now? I'm a sysadmin and don't know
how to C :p

Finally, I'm talking about Sernet because of their decision to offer
their packages for a fee.
I do respect their decision, but IMO it complicates the process of
maintaining "enterprise class OSS",
by making volunteers think that their work is not recognized ...

Thanks again,

Alain Deléglise


