[Pkg-samba-maint] Feedback wanted on CVEs in Samba/Debian

Andrew Bartlett abartlet at samba.org
Wed May 12 08:34:05 BST 2021


G'Day Debian Samba and Security teams,

I'm wondering if I can get some feedback on the recent Samba security
releases we have made.

The reason I ask is that quite a few of our recent CVEs have been
marked 'no-dsa' by Debian, indeed per 
https://security-tracker.debian.org/tracker/source-package/samba
by my count 17/25 CVEs issued in the past two years have been tagged
that way.

I value Debian's feedback as this significant re-evaluation of Samba
security issues isn't something other distributions do.  I appreciate
that Debian's resources are constrained by volunteer effort and your
barrier for updates in stable is high.

However this is also a useful thing:  Nobody else is questioning our
updates, and so knowing there is great wisdom in the Debian security
team I'm looking for feedback.

On the Samba side these take a significant effort, often in the order
of at least 60 engineer hours per issue (at my employer alone, I see
timesheets that average 50 hours before adding release management
time). 

Given the high costs of preparing security releases, I'm looking for
feedback as to whether in Debian's view we are publishing too many?  Is
there a better criterion we on the Samba Team could be using before
starting the heavyweight 'ship a security release' process?

I noted so many of our issues are tagged "minor issue".
Are we perhaps not being clear as to the severity, or do you
feel on reflection we shouldn't have issued a CVE for these?

In the alternate, is there some other barrier to these being taken up
in Debian?  Is it just a matter of resourcing (you would love to ship
all our updates, but just can't justify the volunteer packaging time)?

Your feedback is most appreciated, it will help us refine our
processes.

Thanks,

Andrew Bartlett

(the CVEs in bold in the image attached are those marked no-dsa in Debian in the last two years per security-tracker)


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions

