[Pkg-samba-maint] Samba and badlock in Debian

Alain Deléglise alain.deleglise at alterway.fr
Mon Apr 4 10:14:40 UTC 2016


On Mon, Apr 04, 2016 at 11:46:56AM +0200, Alain Deléglise wrote:
>> On Mon, 2016-04-04 at 10:37 +0200, Alain Deléglise wrote:
>>>> Hi list,
>>>>
>>>> we're really concerned about the badlock bug. As mentioned in the
>>>> Samba release planning, the 4.1 versions will not be covered by the
>>>> security patches. Unfortunately we're using the 4.1 version, as we use
>>>> Debian wheezy and jessie on production servers.
>>>>
>>>> I've read, in a recent message
>>>> http://lists.alioth.debian.org/pipermail/pkg-samba-maint/2016-March/018057.html,
>>>> that we're not the only ones to be concerned :)
>>>>
>>>> How will you manage this problem? How can one get a maintained
>>>> package for Debian versions, other than unstable?
>>> One option is to backport Samba 4.3 or 4.4 (which I hope to upload to
>>> experimental shortly).  Providing and maintaining a backport of Samba
>>> and the relevant libraries would be most helpful for many of our users.
>>>
>>>> I see that the 4.3.6 is in testing state, but the tracker contains no
>>>> information about badlock. Am I missing something?
>>> This issue is not yet public, so no patches are publicly available to
>>> address them, so you won't see anything until the 12th.
>>>
>>>> As SerNet provides pre-compiled, pre-packaged paid packages of Samba,
>>>> how will the community achieve security standards on enterprise class
>>>> open-source software, such as Samba?
>>> I'm not sure what you are asking about here.
>>>
>>>> Finally, how can I/we help you guys with maintaining Samba in Debian?
>>> As you can see here, we do need help:
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814382
>>>
>>> Tasks include bug triage (mostly telling folks to report issues
>>> upstream), packaging new versions as they come out, etc.
>>>
>>> In the short term the best thing that would help is testing the
>>> unstable and soon to be uploaded experimental packages.
>>>
>>> Finally, do trust that we take the maintenance of Samba in Debian
>>> seriously.  We are very short-staffed, and in the long run new
>>> packagers would make a massive difference. 
>>>
>>> We will get 'badlock' dealt with one way or the other, but we can't
>>> really talk about it more than that in public right now.
>>>
>>> Andrew Bartlett
>>>
>> Hi Andrew,
>>
>> thanks for this quick answer.
>>
>> I will respond on
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814382 asking what I
>> can do.
>>
>> I'm sure that you guys are serious about maintaining Samba for Debian, and
>> please be sure that my fellow colleagues and I would buy you a beer if you
>> somehow manage to come to France ;)
>>
>> However, do you have resources (tutorial, documentation) on how to
>> "properly" backport Samba 4.3 or 4.4?
>> Do you have work for me to do right now? I'm a sysadmin and don't know
>> how to C :p
> There is some documentation here:
>
> https://wiki.debian.org/SimpleBackportCreation
>
>> Finally, I'm talking about SerNet because of their decision to make
>> their packages for a fee.
>> I do respect their decision, but IMO it complexifies the process of
>> maintaining "enterprise class OSS",
>> by making volunteers think that their work is not recognized ...
> I'm not interpreting it that way, the packages in Debian were never
> related to the ones provided by SerNet.
>
> Jelmer
Hi Jelmer,

> I'm not interpreting it that way, the packages in Debian were never
> related to the ones provided by SerNet.

you're right, my bad. This is about the "samba+" packages.

Alain Deléglise


