Processed: Re: Bug#744718: pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1

2014-04-16 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #744718 [release.debian.org] pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1
Added tag(s) pending.

-- 
744718: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744718
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/handler.s.b744718.13976851472996.transcr...@bugs.debian.org



Bug#744718: pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1

2014-04-16 Thread Adam D. Barratt

Control: tags -1 + pending

On 2014-04-16 17:51, Ivo De Decker wrote:
> On Sun, Apr 13, 2014 at 11:39:09PM +0100, Adam D. Barratt wrote:
> >   package: winbind4
> >   version: 4.0.0~beta2+dfsg1-3.2+deb7u1
> >   architecture: amd64
> >   essential: false
> >   unsat-dependency: samba4 (= 4.0.0~beta2+dfsg1-3.2+deb7u1)
> >
> > It's up to you whether you'd prefer to upload a +deb7u2 to fix that, or
> > I can reject the current upload.
>
> I removed the winbind4 package in a +deb7u2 upload. The debdiff is attached.

Thanks; I've flagged the updated package for acceptance.

Regards,

Adam





Bug#744718: pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1

2014-04-16 Thread Ivo De Decker
Adam,

On Sun, Apr 13, 2014 at 11:39:09PM +0100, Adam D. Barratt wrote:
> On Sun, 2014-04-13 at 23:52 +0200, Ivo De Decker wrote:
> > On Sun, Apr 13, 2014 at 09:48:59PM +0100, Adam D. Barratt wrote:
> > > > The samba4 package in wheezy is not suitable for usage in a production
> > > > environment. It should not have been released with wheezy.
> [...]
> > > Other than that, please go ahead.
> > 
> > Uploaded.
> 
> Unfortunately, it looks like something got missed; our automagic checks
> say:
> 
>   package: winbind4
>   version: 4.0.0~beta2+dfsg1-3.2+deb7u1
>   architecture: amd64
>   essential: false
>   unsat-dependency: samba4 (= 4.0.0~beta2+dfsg1-3.2+deb7u1)
> 
> It's up to you whether you'd prefer to upload a +deb7u2 to fix that, or
> I can reject the current upload.

I removed the winbind4 package in a +deb7u2 upload. The debdiff is attached.

Cheers,

Ivo

diff -Nru samba4-4.0.0~beta2+dfsg1/debian/NEWS 
samba4-4.0.0~beta2+dfsg1/debian/NEWS
--- samba4-4.0.0~beta2+dfsg1/debian/NEWS2014-04-13 23:00:16.0 
+0200
+++ samba4-4.0.0~beta2+dfsg1/debian/NEWS2014-04-16 18:25:15.0 
+0200
@@ -1,6 +1,6 @@
 samba4 (4.0.0~beta2+dfsg1-3.2+deb7u1) wheezy; urgency=medium
 
-   The samba4 binary package was removed from wheezy.
+   The samba4 and winbind4 binary packages have been removed from wheezy.
 
The samba4 source package in wheezy contains a beta version of samba 4.0.
Most samba functionality is disabled in this package, because it is
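Review bot: The entry header on the first context line still reads 4.0.0~beta2+dfsg1-3.2+deb7u1, although the reworded sentence only ships with +deb7u2. apt-listchanges selects NEWS entries by version, so a host that already took +deb7u1 from proposed-updates would not be shown the winbind4 wording. Either bump the header to +deb7u2 or add a short +deb7u2 entry above it.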
diff -Nru samba4-4.0.0~beta2+dfsg1/debian/changelog 
samba4-4.0.0~beta2+dfsg1/debian/changelog
--- samba4-4.0.0~beta2+dfsg1/debian/changelog   2014-04-13 23:00:16.0 
+0200
+++ samba4-4.0.0~beta2+dfsg1/debian/changelog   2014-04-16 18:25:15.0 
+0200
@@ -1,3 +1,9 @@
+samba4 (4.0.0~beta2+dfsg1-3.2+deb7u2) wheezy; urgency=medium
+
+  * Remove winbind4 binary package as well, as it depends on samba4.
+
+ -- Ivo De Decker   Wed, 16 Apr 2014 18:25:06 +0200
+
 samba4 (4.0.0~beta2+dfsg1-3.2+deb7u1) wheezy; urgency=medium
 
   * Remove samba4 binary package. It has several security issues, has limited
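Review bot: The new +deb7u2 entry records only the stanza removal; it omits the debian/NEWS rewording and the new loop in debian/rules that deletes everything listed in debian/winbind4.install. Add a bullet for each so the changelog matches what the debdiff actually changes.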
diff -Nru samba4-4.0.0~beta2+dfsg1/debian/control 
samba4-4.0.0~beta2+dfsg1/debian/control
--- samba4-4.0.0~beta2+dfsg1/debian/control 2014-04-13 23:00:16.0 
+0200
+++ samba4-4.0.0~beta2+dfsg1/debian/control 2014-04-16 18:25:15.0 
+0200
@@ -438,31 +438,6 @@
  .
  This package contains the files required for development.
 
-Package: winbind4
-Conflicts: winbind
-Architecture: any
-Depends: samba4 (=${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
-Enhances: libkrb5-26-heimdal
-Description: service to resolve user and group information from Windows NT 
servers
- Samba is an implementation of the SMB/CIFS protocol for Unix systems,
- providing support for cross-platform file sharing with Microsoft Windows, OS 
X,
- and other Unix systems.  Samba can also function as a domain controller
- or member server in both NT4-style and Active Directory domains.
- .
- These packages contain snapshot versions of Samba 4, the next-generation
- version of Samba.
- .
- This package provides the winbindd daemon, which provides a
- service for the Name Service Switch capability that is present
- in most modern C libraries (like the GNU C Library - glibc.). Please
- note that the functionality of this version of winbind is behind on that
- of the winbind package.
- .
- The service provided by winbindd is called `winbind' and
- can be used to resolve user and group information from a
- Windows NT server. The service can also provide authentication
- services via an associated PAM module.
-
 Package: libsamba-hostconfig0
 Architecture: any
 Pre-Depends: ${misc:Pre-Depends}
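Review bot: Dropping the winbind4 stanza adds no Conflicts or Breaks on winbind4 anywhere in this hunk, so getting it off an upgraded host depends entirely on the removed line `Depends: samba4 (=${binary:Version})` becoming unsatisfiable once samba4 goes. The deleted description also says the package backs Name Service Switch lookups and a PAM module, so a host that references winbind in its NSS or PAM configuration loses that path when the package is removed. debian/NEWS should point those users to the winbind package that this stanza conflicts with.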
diff -Nru samba4-4.0.0~beta2+dfsg1/debian/rules 
samba4-4.0.0~beta2+dfsg1/debian/rules
--- samba4-4.0.0~beta2+dfsg1/debian/rules   2014-04-13 23:00:16.0 
+0200
+++ samba4-4.0.0~beta2+dfsg1/debian/rules   2014-04-16 18:25:15.0 
+0200
@@ -101,6 +101,11 @@
do \
rm -rf $(DESTDIR)/$$line; \
done < debian/samba4.install
+   # Remove files from the old winbind4 binary package
+   while read line; \
+   do \
+   rm -rf $(DESTDIR)/$$line; \
+   done < debian/winbind4.install
dh_install --sourcedir=$(DESTDIR) --list-missing --fail-missing
 
 override_dh_python2:
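Review bot: In the added loop, `rm -rf $(DESTDIR)/$$line` runs on every line of debian/winbind4.install, and a blank line there turns it into `rm -rf $(DESTDIR)/`, emptying the staging tree just before dh_install --fail-missing runs. Skip empty lines (for example `[ -n "$$line" ] || continue`) and use `read -r`; the same applies to the samba4 loop in the context above, and the two could be one loop over both .install files. A comment that debian/winbind4.install is now kept only as a deletion list would stop someone from removing it as stale later.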


Bug#744718: pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1

2014-04-13 Thread Adam D. Barratt
On Sun, 2014-04-13 at 23:52 +0200, Ivo De Decker wrote:
> On Sun, Apr 13, 2014 at 09:48:59PM +0100, Adam D. Barratt wrote:
> > > The samba4 package in wheezy is not suitable for usage in a production
> > > environment. It should not have been released with wheezy.
[...]
> > Other than that, please go ahead.
> 
> Uploaded.

Unfortunately, it looks like something got missed; our automagic checks
say:

  package: winbind4
  version: 4.0.0~beta2+dfsg1-3.2+deb7u1
  architecture: amd64
  essential: false
  unsat-dependency: samba4 (= 4.0.0~beta2+dfsg1-3.2+deb7u1)

It's up to you whether you'd prefer to upload a +deb7u2 to fix that, or
I can reject the current upload.

> It should probably be added to the TODO list for the point release,
> as the removal of the binary package might need manual attention.

It'll need decrufting in order to remove it from the pool, yes (although
it will no longer be in the Packages files anyway).

Depending on who the ftp-master-du-jour is, that sometimes gets checked
anyway, even when we're not expecting there to be anything to do; I'll
add it to the list just to be sure.

Regards,

Adam





Bug#744718: pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1

2014-04-13 Thread Ivo De Decker
Hi Adam,

On Sun, Apr 13, 2014 at 09:48:59PM +0100, Adam D. Barratt wrote:
> > The samba4 package in wheezy is not suitable for usage in a production
> > environment. It should not have been released with wheezy.
> 
> +   To use the samba AD DC functionality, a newer version of samba is
> +   necessary. The samba packages in jessie and jessie-backports (version 4.1
> +   or later) provide this functionality.
> 
> s/jessie-backports/wheezy-backports/.

Good catch :)

> Other than that, please go ahead.

Uploaded. It should probably be added to the TODO list for the point release,
as the removal of the binary package might need manual attention.

Cheers,

Ivo





Bug#744718: pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1

2014-04-13 Thread Ivo De Decker
Hi Russ,

On Sun, Apr 13, 2014 at 01:18:41PM -0700, Russ Allbery wrote:
> > The samba4 package in wheezy is not suitable for usage in a production
> > environment. It should not have been released with wheezy.
> 
> It's possible that you've already done this, but if not, I recommend also
> coordinating this with the Debian security team as well.  When things like
> this have happened in the past, they've released an "end of life" security
> advisory to notify Debian stable users that a given package will not
> receive security support and should be considered insecure.

The security team is aware of the issue and of this request (via
X-Debbugs-CC). I don't know if such an advisory is planned.

Cheers,

Ivo





Bug#744718: pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1

2014-04-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2014-04-13 at 22:08 +0200, Ivo De Decker wrote:
> The attached patch removes the samba4 binary package. Please accept it for
> wheezy, even though it's clear that this is not a nice option.

Indeed, it's not great, but it may well be the least bad option
available.

[...]
> There is no security support for this beta version of samba. It is vulnerable
> to a number of public issues.
> 
> The samba4 package in wheezy is not suitable for usage in a production
> environment. It should not have been released with wheezy.

+   To use the samba AD DC functionality, a newer version of samba is
+   necessary. The samba packages in jessie and jessie-backports (version 4.1
+   or later) provide this functionality.

s/jessie-backports/wheezy-backports/.

Other than that, please go ahead.

Regards,

Adam





Processed: Re: Bug#744718: pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1

2014-04-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #744718 [release.debian.org] pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1
Added tag(s) confirmed.

-- 
744718: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744718
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#744718: pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1

2014-04-13 Thread Russ Allbery
Ivo De Decker writes:

> The attached patch removes the samba4 binary package. Please accept it
> for wheezy, even though it's clear that this is not a nice option.

> The samba4 source package in wheezy contains a beta version of samba
> 4.0. Most samba functionality is disabled in this package, because it is
> provided by the samba package (version 3.6.6) in wheezy. Only the samba
> AD DC functionality is enabled, but it is severely limited.

> There is no security support for this beta version of samba. It is
> vulnerable to a number of public issues.

> The samba4 package in wheezy is not suitable for usage in a production
> environment. It should not have been released with wheezy.

It's possible that you've already done this, but if not, I recommend also
coordinating this with the Debian security team as well.  When things like
this have happened in the past, they've released an "end of life" security
advisory to notify Debian stable users that a given package will not
receive security support and should be considered insecure.

-- 
Russ Allbery (r...@debian.org)   





Bug#744718: pu: samba4/4.0.0~beta2+dfsg1-3.2+deb7u1

2014-04-13 Thread Ivo De Decker
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu


Dear release team,


The attached patch removes the samba4 binary package. Please accept it for
wheezy, even though it's clear that this is not a nice option.


The samba4 source package in wheezy contains a beta version of samba 4.0. Most
samba functionality is disabled in this package, because it is provided by the
samba package (version 3.6.6) in wheezy. Only the samba AD DC functionality is
enabled, but it is severely limited.

There is no security support for this beta version of samba. It is vulnerable
to a number of public issues.

The samba4 package in wheezy is not suitable for usage in a production
environment. It should not have been released with wheezy.


With this patch, the samba4 package is removed. Removing the samba4 source
package with all associated binary packages is not really an option, as there
are some packages in wheezy that depend on the libs provided by samba4 (most
notably evolution-mapi).

The patch adds a conflict on samba4 to the samba4-common-bin binary package.
On dist-upgrade, apt-get proposes to remove the samba4 package.


Thanks in advance.

Cheers,

Ivo

diff -Nru samba4-4.0.0~beta2+dfsg1/debian/NEWS 
samba4-4.0.0~beta2+dfsg1/debian/NEWS
--- samba4-4.0.0~beta2+dfsg1/debian/NEWS1970-01-01 01:00:00.0 
+0100
+++ samba4-4.0.0~beta2+dfsg1/debian/NEWS2014-04-13 21:31:56.0 
+0200
@@ -0,0 +1,22 @@
+samba4 (4.0.0~beta2+dfsg1-3.2+deb7u1) wheezy; urgency=medium
+
+   The samba4 binary package was removed from wheezy.
+
+   The samba4 source package in wheezy contains a beta version of samba 4.0.
+   Most samba functionality is disabled in this package, because it is
+   provided by the samba package in wheezy. Only the samba AD DC functionality
+   is enabled, but it is severely limited.
+
+   There is no security support for this beta version of samba. It is
+   vulnerable to a number of public issues.
+
+   The samba4 package in wheezy is not suitable for usage in a production
+   environment. It should not have been released with wheezy.
+
+   This issue is tracked on https://bugs.debian.org/744711
+
+   To use the samba AD DC functionality, a newer version of samba is
+   necessary. The samba packages in jessie and jessie-backports (version 4.1
+   or later) provide this functionality.
+
+ -- Ivo De Decker   Sun, 13 Apr 2014 21:08:44 +0200
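Review bot: In the last paragraph, "jessie and jessie-backports" should read "jessie and wheezy-backports", since a wheezy host takes its backports from wheezy-backports (the s/// correction raised in the thread). The "vulnerable to a number of public issues" paragraph would also serve administrators better if it named the issues or linked to where they are listed, in addition to bug 744711, so they can judge the exposure of hosts still running the package.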
diff -Nru samba4-4.0.0~beta2+dfsg1/debian/changelog 
samba4-4.0.0~beta2+dfsg1/debian/changelog
--- samba4-4.0.0~beta2+dfsg1/debian/changelog   2013-03-22 02:48:13.0 
+0100
+++ samba4-4.0.0~beta2+dfsg1/debian/changelog   2014-04-13 21:45:53.0 
+0200
@@ -1,3 +1,11 @@
+samba4 (4.0.0~beta2+dfsg1-3.2+deb7u1) wheezy; urgency=medium
+
+  * Remove samba4 binary package. It has several security issues, has limited
+functionality and should not have been released with wheezy.
+Closes: #744711
+
+ -- Ivo De Decker   Sun, 13 Apr 2014 21:45:53 +0200
+
 samba4 (4.0.0~beta2+dfsg1-3.2) unstable; urgency=medium
 
   * Non-maintainer upload.
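Review bot: The +deb7u1 entry mentions only the removal of the binary package, but the same debdiff also introduces debian/NEWS and adds `samba4` to a Conflicts line in debian/control (on samba4-common-bin, per the request text). The Conflicts is what makes apt propose removing the installed package on upgrade, so it deserves its own bullet; a changelog reader has no other way to learn why the removal is offered.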
diff -Nru samba4-4.0.0~beta2+dfsg1/debian/control 
samba4-4.0.0~beta2+dfsg1/debian/control
--- samba4-4.0.0~beta2+dfsg1/debian/control 2012-08-08 22:04:53.0 
+0200
+++ samba4-4.0.0~beta2+dfsg1/debian/control 2014-04-13 21:31:56.0 
+0200
@@ -53,33 +53,6 @@
 Vcs-Bzr: http://bzr.debian.org/pkg-samba/samba4/unstable
 DM-Upload-Allowed: yes
 
-Package: samba4
-Architecture: any
-Recommends: attr, bind9 (>= 1:9.5.1), bind9utils, ldb-tools
-Suggests: phpldapadmin, samba-gtk, swat2
-Conflicts: samba (<< 2:3.3.0~rc2-5), samba-tools
-Replaces: libsamdb0 (<< 4.0.0~alpha17~)
-Depends: python,
- python-dnspython,
- python-samba,
- samba-dsdb-modules,
- samba4-common-bin (=${binary:Version}),
- tdb-tools,
- ${misc:Depends},
- ${python:Depends},
- ${shlibs:Depends}
-Description: SMB/CIFS file, NT domain and active directory server (version 4)
- Samba is an implementation of the SMB/CIFS protocol for Unix systems,
- providing support for cross-platform file sharing with Microsoft Windows, OS 
X,
- and other Unix systems.  Samba can also function as a domain controller
- or member server in both NT4-style and Active Directory domains.
- .
- These packages contain snapshot versions of Samba 4, the next-generation
- version of Samba. These should be considered _experimental_, and should
- not be used in production.
- .
- This package contains the main daemon.
-
 Package: libsamdb0
 Pre-Depends: ${misc:Pre-Depends}
 Multi-Arch: same
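Review bot: Removing the samba4 stanza leaves every other stanza that depends on it uninstallable, and this hunk does not deal with them. winbind4, with `Depends: samba4 (=${binary:Version})`, is the one the release team's check reported later in the thread. Search debian/control for remaining references to samba4 and drop or adjust them in the same upload.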
@@ -140,8 +113,9 @@
  samba-common (>= 2:3.4.0~pre2-1),
  ${misc:Depends},
  ${python:Depends}
-Conflicts: samba (<< 2:3.3.0~rc2-5), samba-common (<< 2:3.3.0~rc2-5)
-Replaces: samba-common (<< 2:3.4.0~pre2-1), samba4-common (<< 4.0.0~alpha7-1)
+Conflicts: samba (<< 2:3.3.0~rc2-5), samba-common (<< 2:3.3.0~rc2-5), samba4
+Replaces:
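Review bot: The `samba4` added to the Conflicts line is unversioned, so it blocks co-installation with any package of that name, not just the wheezy beta being withdrawn. Give it an upper version bound covering the last samba4 binary shipped in wheezy, so the relationship lapses on its own if the name is ever reused.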