Default DNS server for Samba 4.0

Kai Blin kai at
Fri Sep 7 18:34:40 MDT 2012

On 2012-09-08 00:17, Andrew Bartlett wrote:

> It certainly isn't the same as the stabilization we get on a released
> branch, or how we have released software before.  The philosophy is much
> more of 'continuously, proven reliable' than a black and white
> 'development' and 'stability' phase.  For users, the big difference is
> that we actively encourage users to try Samba 4.0 beta in production!

And we broke it, twice. Sure, no test system is perfect and we fixed
things quickly. But still, "add these patches to make things work or run
from git" is not 'proven reliable'.

> It is this track record that then encourages me to know we are entering
> the release candidate stage ready for the final release.
> Understanding where I'm coming from might help you understand why I
> reacted so negatively to a proposal:
>  - to change the default on the *same day* that the code, particularly
> the security-critical GSS-TSIG component was first thought to be
> finished,

Yes, because I know that discussions about patches take ages. Many
features for bind-dlz landed by "I've got commit access, I'll push", and
I decided against that. This was a feature we were waiting for, and I
wanted to announce that it worked, and kick off the discussion.

>  - and while the relevant tests of that component are yet to be
> completed.

But at least possible. You're constantly suggesting that nobody's going
to write tests. Perhaps you are extrapolating on how nobody wrote tests
for the bind-dlz stuff for over a year?

> Where I have clearly failed is in making it clear to Kai from the outset
> that just as his earlier code has tests, that the GSS-TSIG server also
> needed that (and honestly, a higher) level of scrutiny. 

No, it's perfectly clear. It's just that tests for this need support on
the side of libcli/dns, and that's not there yet. I'm very positive that
can be fixed over the coming weeks. I suggested to switch the default
name server so at the point we do release 4.0, we do have an
implementation that is covered by tests running for our users with
minimal hassle.

What you failed to make clear to me so far is why nobody gave a damn
about the things you're complaining about now when the dlz plugin was in
the same state, and why suddenly the bar is not only slightly higher but
on a different floor. I don't buy the "that was in alpha" explanation,
as we have been telling people that "even though samba4 is alpha, the AD
parts are really stable" for years now.

You mentioned on the thread about the ACL support that it's possible to
test this via smbtorture. If it's possible, why hasn't the DLZ plugin
been criticized for not having tests? If it wasn't possible, well, now
we can do this. I'm offering an option to get a lot more of this stuff
under test. But I'm constantly told my code isn't good enough. Why is
the DLZ plugin good enough to be activated and recommended without tests?

This is where I don't understand the reasoning, and judging from the
reactions on this thread, I'm not the only one.


Kai Blin
Worldforge developer
Wine developer
Samba team member

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list