Restrict MIT KDC tests to latest Fedora (and not sn-devel)?

Andrew Bartlett abartlet at samba.org
Thu Jul 29 05:36:22 UTC 2021


I'm wondering if we might be able to, just as we do with ad_dc_fips,
restrict the MIT AD DC tests, eg samba-ad-*-mitkdc to running on the
latest Fedora image?

This would be like the samba-fips test currently.

The reason I ask is this:

https://gitlab.com/samba-team/samba/-/merge_requests/2095/diffs?diff_id=221975070&start_sha=f9988cef700dbab487cdaaab4c4875b5bb319853

This is a good, un-embargoed test for a bug - CVE-2021-36222 - fixed
upstream and included in Fedora.

However it is not included in Ubuntu releases, so if we included it in
samba our pipelines would not pass, which is why Joseph needed to back
it up. 

But medium term we want to include this test, to ensure such a bug
doesn't come back, in both MIT and Heimdal.

It would mean an sn-devel build would be a little less comprehensive
(but faster, due less duplication), but would put off for now the need
to address more complex ways to co-evolve Samba and MIT Kerberos.

(This relies on our good relationship between our Red Hat team members,
MIT Kerberos and the ability to push packages into Fedora, but as we
have that I think we should leverage it). 

What do folks think?

Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions








More information about the samba-technical mailing list