[Pkg-samba-maint] Samba and badlock in Debian

Jelmer Vernooij jelmer at jelmer.uk
Mon Apr 4 10:02:52 UTC 2016


On Mon, Apr 04, 2016 at 11:46:56AM +0200, Alain Deléglise wrote:
> On Mon, 2016-04-04 at 10:37 +0200, Alain Deléglise wrote:
> >> Hi list,
> >>
> >> we're really concerned about the badlock bug. As mentioned in the
> >> Samba release planning, the 4.1 versions will not be covered by the
> >> security patches. Unfortunately we're using the 4.1 version, as we use
> >> Debian wheezy and jessie on production servers.
> >>
> >> I've read, in a recent message
> >> http://lists.alioth.debian.org/pipermail/pkg-samba-maint/2016-March/018057.html,
> >> that we're not the only ones to be concerned :)
> >>
> >> How will you manage this problem? How can one get a maintained
> >> package for Debian versions, other than unstable?
> > One option is to backport Samba 4.3 or 4.4 (which I hope to upload to
> > experimental shortly).  Providing and maintaining a backport of Samba
> > and the relevant libraries would be most helpful for many of our users.
> >
> >> I see that the 4.3.6 is in testing state, but the tracker contains no
> >> information about badlock. Am I missing something?
> > This issue is not yet public, so no patches are publicly available to
> > address them, so you won't see anything until the 12th.
> >
> >> As Sernet provides pre-compiled, pre-packaged paid packages of Samba,
> >> how will the community achieve security standards on enterprise-class
> >> open-source software, such as Samba?
> > I'm not sure what you are asking about here.
> >
> >> Finally, how can I/we help you guys on maintaining Samba in Debian?
> > As you can see here, we do need help:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814382
> >
> > Tasks include bug triage (mostly telling folks to report issues
> > upstream), packaging new versions as they come out, etc.
> >
> > In the short term the best thing that would help is testing the
> > unstable and soon to be uploaded experimental packages.
> >
> > Finally, do trust that we take the maintenance of Samba in Debian
> > seriously.  We are very short-staffed, and in the long run new
> > packagers would make a massive difference. 
> >
> > We will get 'badlock' dealt with one way or the other, but we can't
> > really talk about it more than that in public right now.
> >
> > Andrew Bartlett
> >
> Hi Andrew,
> 
> thanks for this quick answer.
> 
> I will respond on the
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814382 asking what I
> can do.
> 
> I'm sure that you guys are serious about maintaining Samba for Debian,
> and please be sure that me and my fellow colleagues would buy you a beer
> if you somehow manage to come to France ;)
> 
> However, do you have resources (tutorial, documentation) on how to
> "properly" backport Samba 4.3 or 4.4?
> Do you have work for me to do right now? I'm a sysadmin and don't know
> how to C :p

There is some documentation here:

https://wiki.debian.org/SimpleBackportCreation

> Finally, I'm talking about Sernet because of their decision to make
> their packages for a fee.
> I do respect their decision, but IMO it complexifies the process of
> maintaining "enterprise class OSS",
> by making volunteers think that their work is not recognized ...

I'm not interpreting it that way; the packages in Debian were never
related to the ones provided by SerNet.

Jelmer


