I'm keen to discuss the thought process behind a number of the no-dsa
flags on Samba security releases. Does this list reach those involved
in that, or is this more a general 'interest in security' list?
On Tue, May 11, 2021 at 11:12 PM Andrew Bartlett wrote:
I'm keen to discuss the thought process behind a number of the no-dsa
flags on Samba security releases. Does this list reach those involved
in that, or is this more a general 'interest in security' list?
It tends to be more of a general security list. Probably contacting
the security team directly on security@debian.org or
team@security.debian.org is more appropriate, or if you want to
discuss the issues in public, the debian-security-tracker list.
https://security-tracker.debian.org/tracker/data/report
https://lists.debian.org/debian-security-tracker/
On Wed, 2021-05-12 at 05:10 +0000, Paul Wise wrote:
On Tue, May 11, 2021 at 11:12 PM Andrew Bartlett wrote:
I'm keen to discuss the thought process behind a number of the no-dsa
flags on Samba security releases. Does this list reach those involved
in that, or is this more a general 'interest in security' list?
It tends to be more of a general security list. Probably contacting
the security team directly on security@debian.org or team@security.debian.org is more appropriate, or if you want to
discuss the issues in public, the debian-security-tracker list.
https://security-tracker.debian.org/tracker/data/report
https://lists.debian.org/debian-security-tracker/
Thanks, I've mailed the security team, CCing the Debian Samba Team.
Hopefully they can help me out.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Hello Andrew,
I read your message as well as https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2021-May/022771.html
and I believe I can add a few more pointers, as part of the (separate)
Debian Long Term Support (LTS) team.
(I'm a bit confused because you're listed as a Debian package
maintainer at https://packages.debian.org/sid/samba but I assume
you're asking from upstream / Samba maintainers' point of view.)
First "no-dsa" (and its sub-states ignored/postponed) is described
at: https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
Note that no-dsa usually means fixing the issue is not urgent/critical
and does not need high-priority tracking/action from the Security Team,
but the package maintainer(s) may track and prepare a fix nonetheless,
e.g. through Debian's quarterly point releases (10.x).
Likewise, I read "Minor issue" as "non-critical".
By contrast, "unimportant" is a lesser severity state, and matching
CVEs will likely never be fixed due to inapplicability in Debian or questionable security relevance.
Looking at the open CVEs and samba package history, it seems the
immediate limiting factor for fixing CVEs is whether the samba
branches shipped in Debian (4.5.x and 4.9.x) were maintained upstream
at CVE time, and probably packager man-power to ship a minor upgrade
and/or backport fixes.
If you're interested in the handling of samba in Debian LTS (stretch/oldstable) specifically, which is extended support and is
usually performed by the LTS team without involving the package
maintainers, you may want to reach debian-lts@lists.debian.org.
Cheers!
Sylvain Beucler
Debian LTS Team
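To make the states Sylvain describes concrete, here is an added triage helper (it is not part of this thread, nor Debian's or Samba's tooling) that reads the security tracker's JSON export and sorts one package's CVEs, per release, into the buckets discussed above: fixed, unimportant, no-dsa (with its postponed/ignored sub-states), and open with no decision yet. The field names it relies on (status, urgency, fixed_version, nodsa, nodsa_reason) are my assumption about the layout of https://security-tracker.debian.org/tracker/data/json; the CVE ids, versions and notes in the embedded sample are constructed for illustration only.

```python
"""Triage helper for Debian security-tracker JSON data.

Added example, not part of the mailing-list thread or of Debian tooling.
Assumed layout of the tracker's JSON export:
  {source_package: {cve_id: {"releases": {codename: {
        "status": "open"|"resolved", "urgency": "...", "fixed_version": "...",
        "nodsa": "<comment>", "nodsa_reason": "postponed"|"ignored"}}}}}
"""
import json
from collections import Counter

# Urgency level the thread describes as "likely never fixed".
UNIMPORTANT = "unimportant"

# Constructed sample in the assumed tracker shape; ids, versions and notes are made up.
SAMPLE_TRACKER_JSON = json.dumps({
    "samba": {
        "CVE-0000-0001": {"releases": {
            "buster": {"status": "open", "urgency": "medium", "nodsa": "Minor issue"},
            "stretch": {"status": "open", "urgency": "medium", "nodsa": "Minor issue",
                        "nodsa_reason": "postponed"},
            "sid": {"status": "resolved", "urgency": "medium",
                    "fixed_version": "2:4.13.0-example"}}},
        "CVE-0000-0002": {"releases": {
            "buster": {"status": "open", "urgency": UNIMPORTANT},
            "sid": {"status": "open", "urgency": UNIMPORTANT}}},
        "CVE-0000-0003": {"releases": {
            "buster": {"status": "open", "urgency": "high"},
            "stretch": {"status": "open", "urgency": "high", "nodsa": "Minor issue",
                        "nodsa_reason": "ignored"},
            "sid": {"status": "resolved", "urgency": "high",
                    "fixed_version": "2:4.13.1-example"}}},
        "CVE-0000-0004": {"releases": {
            "buster": {"status": "resolved", "urgency": "low",
                       "fixed_version": "2:4.9.5-example+deb10u1"},
            "stretch": {"status": "open", "urgency": "low", "nodsa": "Minor issue"}}},
    }
})


def classify(entry: dict) -> str:
    """Map one per-release tracker record to a triage bucket.

    fixed        status "resolved" (a fixed_version is normally present)
    unimportant  open, but urgency says it will likely never be fixed
    postponed    open, no-dsa with the "postponed" sub-state
    ignored      open, no-dsa with the "ignored" sub-state
    no-dsa       open, no-dsa without a sub-state (maintainer may still fix it)
    open         open and not deferred: still needs a decision or a DSA
    """
    if entry.get("status") == "resolved":
        return "fixed"
    if entry.get("urgency") == UNIMPORTANT:
        return "unimportant"
    if "nodsa" in entry:
        reason = entry.get("nodsa_reason", "")
        return reason if reason in ("postponed", "ignored") else "no-dsa"
    return "open"


def triage(tracker_json_text: str, package: str, releases) -> dict:
    """Return {release: {cve_id: (bucket, note)}} for one source package.

    The note is the no-dsa comment when present, else the fixed version."""
    cves = json.loads(tracker_json_text).get(package, {})
    result = {rel: {} for rel in releases}
    for cve_id, info in sorted(cves.items()):
        for rel in releases:
            entry = info.get("releases", {}).get(rel)
            if entry is None:
                continue  # this release is not tracked for this CVE
            note = entry.get("nodsa") or entry.get("fixed_version") or ""
            result[rel][cve_id] = (classify(entry), note)
    return result


def needs_attention(triaged: dict, release: str) -> list:
    """CVEs that are open and not explicitly deferred in a release."""
    return sorted(cve for cve, (bucket, _) in triaged[release].items()
                  if bucket == "open")


def counts(triaged: dict, release: str) -> Counter:
    """Bucket histogram for one release, handy for a quick status glance."""
    return Counter(bucket for bucket, _ in triaged[release].values())


if __name__ == "__main__":
    releases = ["stretch", "buster", "sid"]
    report = triage(SAMPLE_TRACKER_JSON, "samba", releases)
    for rel in releases:
        print(f"{rel}: {dict(counts(report, rel))}")
        for cve, (bucket, note) in report[rel].items():
            print(f"  {cve:14} {bucket:12} {note}")
        print(f"  needs attention: {needs_attention(report, rel)}")
```

Pointing it at the real export instead of the sample is a matter of reading the downloaded JSON into triage(); the "open" bucket is the list a maintainer would compare against upstream's own severity before deciding whether a stable update or a no-dsa marking is the right outcome.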
On Wed, May 12, 2021 at 07:34:56PM +1200, Andrew Bartlett wrote:
On Wed, 2021-05-12 at 05:10 +0000, Paul Wise wrote:
On Tue, May 11, 2021 at 11:12 PM Andrew Bartlett wrote:
I'm keen to discuss the thought process behind a number of the no-dsa
flags on Samba security releases. Does this list reach those involved
in that, or is this more a general 'interest in security' list?
It tends to be more of a general security list. Probably contacting
the security team directly on security@debian.org or team@security.debian.org is more appropriate, or if you want to
discuss the issues in public, the debian-security-tracker list.
https://security-tracker.debian.org/tracker/data/report
https://lists.debian.org/debian-security-tracker/
Thanks, I've mailed the security team, CCing the Debian Samba Team.
Hopefully they can help me out.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
On Mon, 2021-05-17 at 22:17 +0200, Sylvain Beucler wrote:
Hello Andrew,
I read your message as well as https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2021-May/022771.html
and I believe I can add a few more pointers, as part of the (separate)
Debian Long Term Support (LTS) team.
(I'm a bit confused because you're listed as a Debian package
maintainer at https://packages.debian.org/sid/samba but I assume
you're asking from upstream / Samba maintainers' point of view.)
Yeah, I helped build the current monster, and try to help out when I
can, mostly in terms of advice, but I've increasingly stepped back. My
various Debian privileges, such as I had them, have expired and I
should probably be retired to 'lurker' status.
First "no-dsa" (and its sub-states ignored/postponed) is described
at: https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
Note that no-dsa usually means fixing the issue is not urgent/critical
and does not need high-priority tracking/action from the Security Team,
but the package maintainer(s) may track and prepare a fix nonetheless,
e.g. through Debian's quarterly point releases (10.x).
Likewise, I read "Minor issue" as "non-critical".
By contrast, "unimportant" is a lesser severity state, and matching
CVEs will likely never be fixed due to inapplicability in Debian or questionable security relevance.
Can you clarify the mapping between "Minor issue"/"non-critical" and
the Severity levels table? Samba generally only issues a CVE for
things that are "medium" or above.
Yes, due to the various cycles, freeze windows and support lifetimes,
Debian almost always ships unsupported Samba versions, and even if the
series is supported, the point release is not, because those are not followed, so manual back-porting is always required.
I certainly don't envy the responsibility of back-porting patches into
previously un-tested combinations without the backing of the full Samba
CI stack.