[Samba] Samba's security process and pre-announcements

Andrew Bartlett abartlet at samba.org
Wed Mar 17 20:26:45 UTC 2021


On Wed, 2021-03-17 at 16:34 +0100, Joachim Lindenberg via samba wrote:
> Hello Karolin,
> does this kind of announcement really make sense, as essentially it
> kind of implies to take DCs down until one has rebuilt Samba from source
> or Louis and other repo maintainers are able to catch up?

Thanks for your inquiry.  As Louis has already hinted at, per standard
industry process we provide vendors (those who package or ship Samba)
with the patches 10 days before the release.  This is to provide them
with the opportunity to backport and package.

This is detailed here, hidden away in point 9:
https://wiki.samba.org/index.php/Samba_Security_Process#A_public_security_process_for_Samba

> I am sure a hacker will spare some time to leverage that window of
> opportunity.
> Afaik, best practice is to publish information about vulnerabilities
> after the software has been released.

Samba, as an open source project, publishes source code and an advisory
at the same time.  It would be pointless to hide details in the code
only; it would only make it harder for administrators, but not
determined attackers, to understand the issue.  The bug is opened up
soon after the release also.

The pre-announcement here is to give organisations that require the
scheduling of a maintenance window and the invocation of a change
control process a fighting chance to patch as soon as we release.

We include these minimal details to ensure folks can determine whether they
need to pay attention (or not), and to aid that internal organisational
process.

I hope this clarifies things,

Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
