[Pkg-samba-maint] Debian Wheezy package for samba4 with fix for CVE-2013-0172

Andrew Bartlett abartlet at samba.org
Tue Feb 12 09:23:34 UTC 2013 

On Tue, 2013-02-12 at 06:52 +0100, Christian PERRIER wrote:
> Quoting Andrew Bartlett (abartlet at samba.org):
> > I was a little shocked to realise that the package in Wheezy hasn't had
> > the CVE-2013-0172 fix applied.
> 
> Hello Andrew, thanks for your continued interest in this packaging work.
> 
> I am a bit "shocked", too (or ashamed, in some way)....but I'm sorry
> to say that I don't have the time and skills to deal with the samba4
> package right now, which is more or less "the Jelmer Thing" (no offense
> intended, that's just the facts).

We have to work with the time and resources we have.  Jelmer has been
pretty busy, so my 'way out' is that Brian is in my timezone and is able
to help out.  My day job is developing Samba for Netgear's ReadyNAS,
which is in turn a Debian box (essentially), so despite being a
long-time Fedora user, I'm willing to give it a go. 

> I'm just watching bugs arriving, including the gazillion upgrade
> bugs that pile up in Launchpad because of whatever automated bug
> reporting thing that exists in Ubuntu.
> 
> I hope we'll be able to manage preparing the Big Merge of samba and
> samba4 packages and therefore provide decent "samba" packages in
> jessie, that are indeed the 4.x.y series.

I'm glad to hear that.  It is sad to have to say (over and over) that no
distribution provides a proper Samba 4.0 package, and while I can't help
Red Hat's decision not to package the AD DC due to Heimdal, I can try
and help here. 

In turn I hope that helps Ubuntu start to provide current, correct Samba
packages, between these two we find a great bulk of our users.

> In doing so, I thing we'll need to keep backportability so that we can
> later on provide backported "samba" packages.

I think this might be asking too much.  I think the kind of packages we
want going forward are not the kind of packages that would backport
well.  As we can't even find the resources to build a single package at
all, adding that requirement is too much, in my view. 

> So, in short, as of now, I take care of the "samba" package, namely
> what was once called Samba3..:-)

Any assistance you can provide is much appreciated.  My hope is that we
just don't make your task any harder than it needs to be. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the Ubuntu-motu mailing list