
Re: Is this the right place to discuss no-dsa choices?



Hello Andrew,

I read your message as well as
https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2021-May/022771.html
and I believe I can add a few more pointers, as part of the (separate)
Debian Long Term Support (LTS) team.

(I'm a bit confused because you're listed as a Debian package
maintainer at https://packages.debian.org/sid/samba but I assume
you're asking from upstream / Samba maintainers' point of view.)

First "no-dsa" (and its sub-states ignored/postponed) is described at:
https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
Note that no-dsa usually means fixing the issue is not urgent/critical
and does not need high-priority tracking/action from the Security Team,
but the package maintainer(s) may track and prepare a fix nonetheless,
e.g. through Debian's quarterly point releases (10.x).
Likewise, I read "Minor issue" as "non-critical".

By contrast, "unimportant" is a lesser severity state, and matching
CVEs will likely never be fixed due to inapplicability in Debian or
questionable security relevance.

Looking at the open CVEs and samba package history, it seems the
immediate limiting factor for fixing CVEs is whether the samba
branches shipped in Debian (4.5.x and 4.9.x) were maintained upstream
at CVE time, and probably packager manpower to ship a minor upgrade
and/or backport fixes.

If you're interested in the handling of samba in Debian LTS
(stretch/oldstable) specifically, which is extended support and is
usually performed by the LTS team without involving the package
maintainers, you may want to reach debian-lts@lists.debian.org.

Cheers!
Sylvain Beucler
Debian LTS Team


On Wed, May 12, 2021 at 07:34:56PM +1200, Andrew Bartlett wrote:
> On Wed, 2021-05-12 at 05:10 +0000, Paul Wise wrote:
> > On Tue, May 11, 2021 at 11:12 PM Andrew Bartlett wrote:
> > 
> > > I'm keen to discuss the thought process behind a number of the
> > > no-dsa flags on Samba security releases.  Does this list reach
> > > those involved in that, or is this more a general 'interest in
> > > security' list?
> > 
> > It tends to be more of a general security list. Probably contacting
> > the security team directly on security@debian.org or
> > team@security.debian.org is more appropriate, or if you want to
> > discuss the issues in public, the debian-security-tracker list.
> > 
> > https://security-tracker.debian.org/tracker/data/report
> > https://lists.debian.org/debian-security-tracker/
> 
> Thanks, I've mailed the security team, CCing the Debian Samba Team.
> 
> Hopefully they can help me out.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> 
> Samba Development and Support, Catalyst IT - Expert Open Source Solutions
> 