I can comment on this one for sure:

> Samba (not really sure what to do here. CVE-2017-15275, 14746, 11103, the list
> goes on and on) we need to be on 4.5.14, but that doesn't cure all the
> CVEs on Samba's page, but switching to 4.7.2 is just switching to a list
> of unknown vulnerabilities. Is it really beneficial to go from 4.5 to
> 4.7? At the very least we should be on 4.5.14, but beyond that I'm not sure
> how we should proceed or the effort it would take to constantly hop as
> Samba updates at a pretty fast pace. Looking for some insight on this
> topic.
I'm keeping it in the overlay to fix the automatic dependency on Ceph. It was fixed in Gentoo in a new version that is not yet stable. I don't see a benefit in switching to an unstable (in Gentoo terms) version, unless there is a reason to do otherwise, and risking the use of a less tested (in theory) version. Also note that in case of a security issue, Gentoo would either backport a fix to the older series, or a new upstream version (in the same "series" or newer) should be stabilized soon enough. (If there is a version that has a fix for some CVE and is not listed in the Gentoo bug tracker, it's a good idea to file a bug there.)