• Is this the right place to discuss no-dsa choices?

    From Andrew Bartlett@21:1/5 to All on Wed May 12 01:20:01 2021
    I'm keen to discuss the thought process behind a number of the no-dsa
    flags on Samba security releases. Does this list reach those involved
    in that, or is this more a general 'interest in security' list?

    Thanks!

    Andrew Bartlett
    --
    Andrew Bartlett (he/him) https://samba.org/~abartlet/
    Samba Team Member (since 2001) https://samba.org
    Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

    Samba Development and Support, Catalyst IT - Expert Open Source
    Solutions

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Wise@21:1/5 to All on Wed May 12 07:20:02 2021
    On Tue, May 11, 2021 at 11:12 PM Andrew Bartlett wrote:
    > I'm keen to discuss the thought process behind a number of the no-dsa
    > flags on Samba security releases. Does this list reach those involved
    > in that, or is this more a general 'interest in security' list?

    It tends to be more of a general security list. Probably contacting
    the security team directly on security@debian.org or
    team@security.debian.org is more appropriate, or if you want to
    discuss the issues in public, the debian-security-tracker list.

    https://security-tracker.debian.org/tracker/data/report
    https://lists.debian.org/debian-security-tracker/

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

  • From Andrew Bartlett@21:1/5 to Paul Wise on Wed May 12 10:00:01 2021
    On Wed, 2021-05-12 at 05:10 +0000, Paul Wise wrote:
    > On Tue, May 11, 2021 at 11:12 PM Andrew Bartlett wrote:
    > > I'm keen to discuss the thought process behind a number of the no-dsa
    > > flags on Samba security releases. Does this list reach those involved
    > > in that, or is this more a general 'interest in security' list?
    >
    > It tends to be more of a general security list. Probably contacting
    > the security team directly on security@debian.org or
    > team@security.debian.org is more appropriate, or if you want to
    > discuss the issues in public, the debian-security-tracker list.
    >
    > https://security-tracker.debian.org/tracker/data/report
    > https://lists.debian.org/debian-security-tracker/

    Thanks, I've mailed the security team, CCing the Debian Samba Team.

    Hopefully they can help me out.

    Andrew Bartlett

    --
    Andrew Bartlett (he/him) https://samba.org/~abartlet/
    Samba Team Member (since 2001) https://samba.org
    Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

    Samba Development and Support, Catalyst IT - Expert Open Source
    Solutions

  • From Sylvain Beucler@21:1/5 to Andrew Bartlett on Mon May 17 22:20:02 2021
    Hello Andrew,

    I read your message as well as
    https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2021-May/022771.html
    and I believe I can add a few more pointers, as part of the (separate)
    Debian Long Term Support (LTS) team.

    (I'm a bit confused because you're listed as a Debian package
    maintainer at https://packages.debian.org/sid/samba but I assume
    you're asking from upstream / Samba maintainers' point of view.)

    First "no-dsa" (and its sub-states ignored/postponed) is described at:
    https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
    Note that no-dsa usually means fixing the issue is not urgent/critical
    and does not need high-priority tracking/action from the Security Team, but
    the package maintainer(s) may track and prepare a fix nonetheless,
    e.g. through Debian's quarterly point releases (10.x).
    Likewise, I read "Minor issue" as "non-critical".

    By contrast, "unimportant" is a lesser severity state, and matching
    CVEs will likely never be fixed due to inapplicability in Debian or
    questionable security relevance.

    Looking at the open CVEs and samba package history, it seems the
    immediate limiting factor for fixing CVEs is whether the samba
    branches shipped in Debian (4.5.x and 4.9.x) were maintained upstream
    at CVE time, and probably packager man-power to ship a minor upgrade
    and/or backport fixes.

    If you're interested in the handling of samba in Debian LTS
    (stretch/oldstable) specifically, which is extended support and is
    usually performed by the LTS team without involving the package
    maintainers, you may want to reach debian-lts@lists.debian.org.

    Cheers!
    Sylvain Beucler
    Debian LTS Team


    On Wed, May 12, 2021 at 07:34:56PM +1200, Andrew Bartlett wrote:
    > On Wed, 2021-05-12 at 05:10 +0000, Paul Wise wrote:
    > > On Tue, May 11, 2021 at 11:12 PM Andrew Bartlett wrote:
    > > > I'm keen to discuss the thought process behind a number of the no-dsa
    > > > flags on Samba security releases. Does this list reach those involved
    > > > in that, or is this more a general 'interest in security' list?
    > >
    > > It tends to be more of a general security list. Probably contacting
    > > the security team directly on security@debian.org or
    > > team@security.debian.org is more appropriate, or if you want to
    > > discuss the issues in public, the debian-security-tracker list.
    > >
    > > https://security-tracker.debian.org/tracker/data/report
    > > https://lists.debian.org/debian-security-tracker/
    >
    > Thanks, I've mailed the security team, CCing the Debian Samba Team.
    >
    > Hopefully they can help me out.
    >
    > Andrew Bartlett
    >
    > --
    > Andrew Bartlett (he/him) https://samba.org/~abartlet/
    > Samba Team Member (since 2001) https://samba.org
    > Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
    >
    > Samba Development and Support, Catalyst IT - Expert Open Source
    > Solutions


  • From Andrew Bartlett@21:1/5 to Sylvain Beucler on Tue May 18 00:00:03 2021
    On Mon, 2021-05-17 at 22:17 +0200, Sylvain Beucler wrote:
    > Hello Andrew,
    >
    > I read your message as well as
    > https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2021-May/022771.html
    > and I believe I can add a few more pointers, as part of the (separate)
    > Debian Long Term Support (LTS) team.
    >
    > (I'm a bit confused because you're listed as a Debian package
    > maintainer at https://packages.debian.org/sid/samba but I assume
    > you're asking from upstream / Samba maintainers' point of view.)

    Yeah, I helped build the current monster, and try to help out when I
    can, mostly in terms of advice, but I've increasingly stepped back. My
    various Debian privileges, such as I had them, have expired and I
    should probably be retired to 'lurker' status.

    > First "no-dsa" (and its sub-states ignored/postponed) is described at:
    > https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
    > Note that no-dsa usually means fixing the issue is not urgent/critical
    > and does not need high-priority tracking/action from the Security Team, but
    > the package maintainer(s) may track and prepare a fix nonetheless,
    > e.g. through Debian's quarterly point releases (10.x).
    > Likewise, I read "Minor issue" as "non-critical".
    >
    > By contrast, "unimportant" is a lesser severity state, and matching
    > CVEs will likely never be fixed due to inapplicability in Debian or
    > questionable security relevance.

    Can you clarify the mapping between "Minor issue"/"non-critical" and
    the Severity levels table? Samba generally only issues a CVE for
    things that are "medium" or above.

    > Looking at the open CVEs and samba package history, it seems the
    > immediate limiting factor for fixing CVEs is whether the samba
    > branches shipped in Debian (4.5.x and 4.9.x) were maintained upstream
    > at CVE time, and probably packager man-power to ship a minor upgrade
    > and/or backport fixes.

    Yes, due to the various cycles, freeze windows and support lifetimes,
    Debian almost always ships unsupported Samba versions, and even if the
    series is supported, the point release is not, because those are not
    followed, so manual back-porting is always required.

    I certainly don't envy the responsibility of back-porting patches into
    previously untested combinations without the backing of the full Samba
    CI stack.

    > If you're interested in the handling of samba in Debian LTS
    > (stretch/oldstable) specifically, which is extended support and is
    > usually performed by the LTS team without involving the package
    > maintainers, you may want to reach debian-lts@lists.debian.org.

    Thanks. My view is that Debian should probably strip much of Samba out
    before it moves to LTS, in particular the AD DC.

    That said, the LTS team has patched a number of issues that are
    unpatched in Debian Stable, and I congratulate them on that, but I warn
    that future security issues may not be so easy to backport.

    Finally, thanks so much for the extra context, I appreciate it.

    Andrew Bartlett

    > Cheers!
    > Sylvain Beucler
    > Debian LTS Team
    >
    >
    > On Wed, May 12, 2021 at 07:34:56PM +1200, Andrew Bartlett wrote:
    > > On Wed, 2021-05-12 at 05:10 +0000, Paul Wise wrote:
    > > > On Tue, May 11, 2021 at 11:12 PM Andrew Bartlett wrote:
    > > > > I'm keen to discuss the thought process behind a number of the no-dsa
    > > > > flags on Samba security releases. Does this list reach those involved
    > > > > in that, or is this more a general 'interest in security' list?
    > > >
    > > > It tends to be more of a general security list. Probably contacting
    > > > the security team directly on security@debian.org or
    > > > team@security.debian.org is more appropriate, or if you want to
    > > > discuss the issues in public, the debian-security-tracker list.
    > > >
    > > > https://security-tracker.debian.org/tracker/data/report
    > > > https://lists.debian.org/debian-security-tracker/
    > >
    > > Thanks, I've mailed the security team, CCing the Debian Samba Team.
    > >
    > > Hopefully they can help me out.
    > >
    > > Andrew Bartlett
    > >
    > > --
    > > Andrew Bartlett (he/him) https://samba.org/~abartlet/
    > > Samba Team Member (since 2001) https://samba.org
    > > Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
    > >
    > > Samba Development and Support, Catalyst IT - Expert Open Source
    > > Solutions

    --
    Andrew Bartlett (he/him) https://samba.org/~abartlet/
    Samba Team Member (since 2001) https://samba.org
    Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

    Samba Development and Support, Catalyst IT - Expert Open Source
    Solutions

  • From Salvatore Bonaccorso@21:1/5 to Andrew Bartlett on Tue May 18 07:20:01 2021
    On Tue, May 18, 2021 at 09:38:30AM +1200, Andrew Bartlett wrote:
    > On Mon, 2021-05-17 at 22:17 +0200, Sylvain Beucler wrote:
    > > Hello Andrew,
    > >
    > > I read your message as well as
    > > https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2021-May/022771.html
    > > and I believe I can add a few more pointers, as part of the (separate)
    > > Debian Long Term Support (LTS) team.
    > >
    > > (I'm a bit confused because you're listed as a Debian package
    > > maintainer at https://packages.debian.org/sid/samba but I assume
    > > you're asking from upstream / Samba maintainers' point of view.)
    >
    > Yeah, I helped build the current monster, and try to help out when I
    > can, mostly in terms of advice, but I've increasingly stepped back. My
    > various Debian privileges, such as I had them, have expired and I
    > should probably be retired to 'lurker' status.
    >
    > > First "no-dsa" (and its sub-states ignored/postponed) is described at:
    > > https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
    > > Note that no-dsa usually means fixing the issue is not urgent/critical
    > > and does not need high-priority tracking/action from the Security Team, but
    > > the package maintainer(s) may track and prepare a fix nonetheless,
    > > e.g. through Debian's quarterly point releases (10.x).
    > > Likewise, I read "Minor issue" as "non-critical".
    > >
    > > By contrast, "unimportant" is a lesser severity state, and matching
    > > CVEs will likely never be fixed due to inapplicability in Debian or
    > > questionable security relevance.
    >
    > Can you clarify the mapping between "Minor issue"/"non-critical" and
    > the Severity levels table? Samba generally only issues a CVE for
    > things that are "medium" or above.

    You mean the NVD severities? We do not use those values for deciding
    the Debian specific assessment if an issue warrants a DSA or not, but
    the tracker displays them as part of fetching the NVD data.

    Regards,
    Salvatore

  • From Sylvain Beucler@21:1/5 to Andrew Bartlett on Wed May 19 17:00:02 2021
    Hello Andrew,

    On Tue, May 18, 2021 at 09:38:30AM +1200, Andrew Bartlett wrote:
    > Yes, due to the various cycles, freeze windows and support lifetimes,
    > Debian almost always ships unsupported Samba versions, and even if the
    > series is supported, the point release is not, because those are not
    > followed, so manual back-porting is always required.

    The default release policy is to only ship security fixes in Debian
    stable, but for selected quality packages the release team is inclined
    to accept following an upstream stable branch, which apparently
    happened to some extent in stretch (before LTS), 4.5.8->4.5.16:

    samba (2:4.5.8+dfsg-2) Thu, 18 May 2017
    samba (2:4.5.8+dfsg-2+deb9u1) Thu, 13 Jul 2017
    samba (2:4.5.12+dfsg-1) Sat, 26 Aug 2017
    samba (2:4.5.12+dfsg-2) Mon, 25 Sep 2017
    samba (2:4.5.12+dfsg-2+deb9u1) Mon, 20 Nov 2017
    samba (2:4.5.12+dfsg-2+deb9u2) Mon, 05 Mar 2018
    samba (2:4.5.12+dfsg-2+deb9u3) Mon, 13 Aug 2018
    samba (2:4.5.12+dfsg-2+deb9u4) Thu, 22 Nov 2018
    samba (2:4.5.16+dfsg-1) Thu, 31 Jan 2019
    samba (2:4.5.16+dfsg-1+deb9u1) Fri, 05 Apr 2019
    samba (2:4.5.16+dfsg-1+deb9u2) Wed, 08 May 2019

    (of course I can't speak for the debian samba or release teams, just
    pointing out that a few packages are maintained with no/fewer backports.)


    > I certainly don't envy the responsibility of back-porting patches into
    > previously untested combinations without the backing of the full Samba
    > CI stack.

    In LTS there is focus on developing automated testing, e.g.
    https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/1
    so I believe we can contribute some man-power on improving Debian
    Samba testing, not just in LTS but generally, if there's interest.

    Cheers!
    Sylvain

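As an added illustration of the pattern Sylvain's changelog excerpt shows (upstream bumps 4.5.8 -> 4.5.12 -> 4.5.16 interleaved with +deb9uN uploads), here is a short Python script that is not part of this thread and not Debian or Samba tooling. It parses the quoted changelog entries into epoch / upstream_version / debian_revision following the dpkg version grammar, and labels each upload as a new upstream release, a stable-suite update, or a plain packaging revision. The sample lines are the ones from the message above; the classification rule (a +debNuM revision counts as a stable-suite upload, a change in the upstream version counts as a new upstream release, stripping the +dfsg repack suffix before comparing) is this example's own assumption, useful when triaging whether a CVE fix in a stable package came from following an upstream branch or from a backport.

```python
import re
from dataclasses import dataclass

# Constructed sample: the stretch changelog entries quoted in the message above.
CHANGELOG_LINES = """\
samba (2:4.5.8+dfsg-2) Thu, 18 May 2017
samba (2:4.5.8+dfsg-2+deb9u1) Thu, 13 Jul 2017
samba (2:4.5.12+dfsg-1) Sat, 26 Aug 2017
samba (2:4.5.12+dfsg-2) Mon, 25 Sep 2017
samba (2:4.5.12+dfsg-2+deb9u1) Mon, 20 Nov 2017
samba (2:4.5.12+dfsg-2+deb9u2) Mon, 05 Mar 2018
samba (2:4.5.12+dfsg-2+deb9u3) Mon, 13 Aug 2018
samba (2:4.5.12+dfsg-2+deb9u4) Thu, 22 Nov 2018
samba (2:4.5.16+dfsg-1) Thu, 31 Jan 2019
samba (2:4.5.16+dfsg-1+deb9u1) Fri, 05 Apr 2019
samba (2:4.5.16+dfsg-1+deb9u2) Wed, 08 May 2019
"""

# "<source> (<version>) <date>" as in the quoted list (not full dpkg changelog syntax).
ENTRY_RE = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<date>.+)$")
# Debian stable/oldstable updates carry a "+deb<dist>u<n>" suffix on the revision.
STABLE_UPDATE_RE = re.compile(r"\+deb(?P<dist>\d+)u(?P<n>\d+)$")


@dataclass
class DebianVersion:
    epoch: int
    upstream: str
    revision: str


def parse_version(v: str) -> DebianVersion:
    """Split a dpkg version string into epoch, upstream_version, debian_revision.

    Per deb-version(7): the epoch is everything before the first ':', and the
    debian_revision is everything after the LAST '-' (upstream may contain '-').
    """
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return DebianVersion(epoch, upstream, revision)


def upstream_base(upstream: str) -> str:
    """Drop repack suffixes such as '+dfsg' so 4.5.12+dfsg compares as 4.5.12.
    (Assumption of this example: the first '+' starts a Debian repack suffix.)"""
    return upstream.split("+", 1)[0]


def classify(entries):
    """Walk changelog entries oldest-first and label each upload.

    Returns a list of (full_version, upstream_base, kind) where kind is one of
    'new-upstream', 'stable-update(debNuM)' or 'packaging-revision'.
    """
    result = []
    prev_base = None
    for line in entries:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        dv = parse_version(m["version"])
        base = upstream_base(dv.upstream)
        su = STABLE_UPDATE_RE.search(dv.revision)
        if prev_base is not None and base != prev_base:
            kind = "new-upstream"
        elif su:
            kind = f"stable-update(deb{su['dist']}u{su['n']})"
        else:
            kind = "packaging-revision"
        result.append((m["version"], base, kind))
        prev_base = base
    return result


def summarize(entries):
    """Count uploads per kind, collapsing the per-suite detail of stable updates."""
    counts = {"new-upstream": 0, "stable-update": 0, "packaging-revision": 0}
    for _, _, kind in classify(entries):
        counts[kind.split("(", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    for version, base, kind in classify(CHANGELOG_LINES.splitlines()):
        print(f"{version:32} upstream={base:8} {kind}")
    print(summarize(CHANGELOG_LINES.splitlines()))
```

Run against the quoted list this yields two upstream bumps and seven +deb9uN uploads, which is the "following an upstream stable branch to some extent" picture Sylvain describes; a package that only ever receives +debNuM revisions on a single upstream version is one where every CVE fix had to be backported by hand.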