Bind 9.16.1 crash on Ubuntu
Robie Basak
robie.basak at ubuntu.com
Thu Dec 8 20:05:44 UTC 2022
Hi,
On Thu, Dec 08, 2022 at 05:22:34PM +0000, Ben Bridges wrote:
> This is bind9 1:9.16.1-0ubuntu2.11 running on Ubuntu 20.04.5 LTS (fully patched). Has this issue been seen before? If so, has it been fixed, or is it being fixed? Is this the right forum for this posting?
This is the right place to ask, but for specific bugs, as Marc said
please make sure a bug exists against the package in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/bind9 to check existing
reports, and "Report a bug" in the top right if you need to file a new
report.
> More generally ... to what extent do you update the Ubuntu bind9 package? Is it literally the 9.16.1 base source code (in focal) with no updates other than to patch the CVE security vulnerabilities? Or are there other patches in it as well?
It varies - we'll patch as we think is appropriate, though that has a
maintenance burden so we try to keep the patching minimal. You can see
the full set of patches currently applied against the Ubuntu 20.04 bind9
package here (the `series` file defines what is applied, as opposed to
simply the contents of the directory):
https://git.launchpad.net/ubuntu/+source/bind9/tree/debian/patches?h=ubuntu/focal-devel
Of course the outcome also depends on how the package is built. You can
see that here:
https://git.launchpad.net/ubuntu/+source/bind9/tree/debian/rules?h=ubuntu/focal-devel
> For a given Ubuntu LTS version (such as focal), do you ever "start over" with the newest minor release of that branch of BIND (9.16 for focal, 9.18 for jammy)? Or do you just continue patching the initial release of the branch?
It depends. We'll update to the latest upstream point release on a
case-by-case basis. Upstreams vary in policy and the quality of what
they'll stick in there, and we don't want to regress our users, or
change behaviour on them!
Formally, our policy on what is acceptable to update like this is here:
https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases
And then for an update like this to actually happen, an Ubuntu developer
needs to drive it. The Server Team does update some packages routinely,
but it doesn't look like bind9 is currently in that list.
> Is there a specific version of 9.16 that you can say 1:9.16.1-0ubuntu2.11 is equivalent to in terms of patches (both security and non-security)?
No - you have to study the patches.
> Do you recommend for or against Ubuntu users using the BIND packages in ISC's PPA repository instead of the bind9 package in the Ubuntu repository?
You can of course do what you like on your own system. But Ubuntu can
only reasonably support what it ships, so using only our packages is our
recommendation. If we get a bug report about a problem caused by a third
party package, then we normally have to reject that report since there's
nothing we can do about that third party package!
Most packaging problems our users report are caused by third party
repositories breaking things, especially on future release upgrades.
Fundamentally there are some breakages that even a perfect third party
repository maintainer cannot avoid. The apt/dpkg system wasn't designed
to work this way, even if this kind of use is really common in practice.
People tend to get away with it because our policy on changing as little
as possible in stable releases means that these issues don't show
themselves. Until they try to upgrade to the new release, things explode
and they blame us :-(
So while I don't think it's Ubuntu's official position or anything, I
would avoid using third party repositories as much as possible.
On the other hand, we *do* maintain our own packages, and if there's an
issue, it's our intention to patch it if that's possible and reasonable
against our stable release policies that apply across all of our
packages[1]. So please do make sure that a bug report exists :)
Robie
[1] https://wiki.ubuntu.com/StableReleaseUpdates
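
Added example, not part of the original message and not Ubuntu's own tooling: the reply notes that the `series` file, not the directory listing, defines which patches are applied, so this sketch parses a quilt-style `series` file and reports patches that are present but not applied, or listed but missing. The function names are hypothetical and the patch file names are constructed sample data.

```python
import os
import tempfile

def parse_series(text):
    """Return patch names, in application order, from quilt series text."""
    applied = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip blank lines and comment lines; a commented-out patch is not applied.
        if not tokens or tokens[0].startswith("#"):
            continue
        applied.append(tokens[0])  # anything after the name (e.g. -p1) is options
    return applied

def audit_patch_dir(patch_dir):
    """Compare what series applies with what merely sits in the directory."""
    with open(os.path.join(patch_dir, "series"), encoding="utf-8") as fh:
        applied = parse_series(fh.read())
    on_disk = set()
    for root, _dirs, files in os.walk(patch_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), patch_dir)
            if rel != "series":
                on_disk.add(rel.replace(os.sep, "/"))
    return {
        "applied": applied,
        "present_but_not_applied": sorted(on_disk - set(applied)),
        "listed_but_missing": sorted(set(applied) - on_disk),
    }

def build_sample(patch_dir):
    """Write a constructed debian/patches layout (all names are made up)."""
    series = (
        "# constructed sample\n"
        "constructed-a.patch\n"
        "constructed-b.patch -p1\n"
        "# constructed-c.patch\n"
        "constructed-d.patch\n"
    )
    with open(os.path.join(patch_dir, "series"), "w", encoding="utf-8") as fh:
        fh.write(series)
    for name in ("constructed-a.patch", "constructed-b.patch", "constructed-c.patch"):
        with open(os.path.join(patch_dir, name), "w", encoding="utf-8") as fh:
            fh.write("")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for key, value in audit_patch_dir(d).items():
            print(key, value)
```

Pointing `audit_patch_dir` at a checked-out `debian/patches` directory gives the same report for a real package tree.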