[Samba] updated samba 4.18 & 4.17 packages for debian & ubuntu to address trust issue with windows 10/11 update 07/2023

Michael Tokarev mjt at tls.msk.ru
Fri Jul 14 18:36:10 UTC 2023


14.07.2023 20:04, Gregory Sloop via samba wrote:
> First, thanks so much for doing this.
> I used Louis's packages previously and was in a quandary about what to do when those stopped getting updates. Having you fill that gap has been super nice.
> Thanks!

You're welcome.

> Second.
> I'm on Ubuntu (22.04)
> I'm currently using your MJT repo.
>   
> I note you list official debian repos that are part of the official debian system...
> And that would perhaps be better for me too.
> Is there a "non-MJT" repo that's appropriate for Ubuntu? (Can I use one of the Debian ones, or something else?)

I'm not sure I understand your question.

I maintain the samba package in Debian.  Just by extension, since I build binaries
anyway before uploading the next package to the Debian infrastructure, I also build
binaries for other distributions/versions, - for 2 Ubuntu and 2 Debian releases
for now. It doesn't take much time or effort to make the result available.

During that process I also made the samba package trivially adoptable for
Ubuntu, - actually there's nothing needed in there for it to be an "Ubuntu
package", just build it on an Ubuntu system, - all Ubuntu-specific tweaks I
knew of are incorporated and enabled.  So hopefully, the same source/version will
be seen in the official Ubuntu archives too (at least for the initial releases,
not for security updates, where they have their own versions).

I keep saying my archive is not official and that it is better to use the official
Debian or Ubuntu archive *long-term*, because this is a one-man effort and so has
a single point of failure, while Debian and Ubuntu are much more robust.

I do provide Ubuntu builds of these packages, which are as up to date as possible,
and you sure can use these builds on your Ubuntu system, - those builds are
supposed to be used on Ubuntu, they're built for Ubuntu. Just keep in mind this
repository isn't forever, one day it may stop updating, - that's its only
shortcoming.

Another possible issue is the trust level, - unlike the official Ubuntu and especially
Debian archives, which you can trust, where multiple people watch each other and
a lot more people use the software and would notice if something bad happens,
here your only insurance is my word.  No one is watching what I'm doing,
no one can tell if I'm not embedding some trojan horse inside the binaries I
provide.  This is why Debian stopped accepting binary packages into their archives
some time ago, - only binaries built within the automatic Debian buildd infrastructure
are available.  My build machine might become infected by a rootkit one day,
and some evil code gets attached to the binaries I ship, without anyone noticing.
Even with my 30+ years in the cyber-security field, this might still happen.

That's why it is better to use official archives with all the infrastructure in
place for better security and long-term support.

Speaking of the official Ubuntu archive packages, - I can't speak for those.

Thanks,

/mjt
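Editor's note, not part of the mail above: one practical way to limit the damage a compromised or abandoned third-party repository can do, as discussed in the reply, is APT pinning that denies everything from that repository except the samba packages it is meant to supply. The hostname `mjt.example.invalid` below is a placeholder, not the real repository address, and the package list is an assumption to be matched against what the repository actually ships.

```text
# /etc/apt/preferences.d/90-thirdparty-samba
# Added example; "mjt.example.invalid" is a placeholder for the repository host.

# First, deny every package from the third-party repository.
# Priority -1 means APT will never install anything from it ...
Package: *
Pin: origin "mjt.example.invalid"
Pin-Priority: -1

# ... then re-allow only the samba package family from that same host.
# Priority 500 equals the default for official archives, so the newest
# version wins, which is normally the third-party build you installed it for.
# Adjust the list to the packages the repository really provides.
Package: samba* libsmbclient* libwbclient* winbind* smbclient python3-samba libnss-winbind libpam-winbind ctdb
Pin: origin "mjt.example.invalid"
Pin-Priority: 500
```

After writing the file, `apt-cache policy samba` and `apt-cache policy <some unrelated package>` show which origin each package can be pulled from, so the pin can be confirmed before the next upgrade.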
