Re: [Evergreen] samba security update - badlock and friends
Hello,

On Saturday, 16 April 2016, 13:27:18 CEST, Wolfgang Rosenauer wrote:
> On 16.04.2016 at 13:11, Christian Boltz wrote:
...
> > I just submitted the update:
> > https://build.opensuse.org/request/show/390298
>
> For whatever reason it ended up in the openSUSE:Maintenance target
> instead of openSUSE:Evergreen:Maintenance.

I followed the instructions on
https://en.opensuse.org/openSUSE:Package_maintenance
which basically means

    osc branch -M -c openSUSE:13.1 apparmor

followed by (after applying the changes)

    osc mr

Now I noticed https://en.opensuse.org/evergreen#Version_11.4.2F13.1 has
different instructions, so maybe that explains it.

> I've just done an SR
> https://build.opensuse.org/request/show/390300
> You can revoke the other one.

Thanks, and done ;-)


Regards,

Christian Boltz
--
>>I know plenty of NT admins with salaries from 150 KDM upward who
>>know less about NT than I do - and that is _very_ little.
>NT admins get paid like members of the Bundestag? Where do you get
offers like that? Is there an MCSE red-light street somewhere?
[in dasr]
___
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen

Re: [Evergreen] samba security update - badlock and friends
On 16.04.2016 at 13:11, Christian Boltz wrote:
> Hello,
>
> On Saturday, 16 April 2016, 12:40:47 CEST, Michal Kubecek wrote:
>> On Sat, Apr 16, 2016 at 12:24:03AM +0200, Christian Boltz wrote:
>
> FYI: a quick test of the updated packages on one of my 13.1 machines
> looks good.
>
>> But I'm not really expert on this. So maybe
>>
>>> That said - I don't think having a separate update is a real problem
>>> if both are released at the same time (or AppArmor first).
>>
>> might be the safest option after all.
>
> Indeed ;-)
>
> I just submitted the update:
> https://build.opensuse.org/request/show/390298

For whatever reason it ended up in the openSUSE:Maintenance target
instead of openSUSE:Evergreen:Maintenance.

I've just done an SR
https://build.opensuse.org/request/show/390300
You can revoke the other one.

Thanks,
Wolfgang

Re: [Evergreen] samba security update - badlock and friends
Hello,

On Saturday, 16 April 2016, 12:40:47 CEST, Michal Kubecek wrote:
> On Sat, Apr 16, 2016 at 12:24:03AM +0200, Christian Boltz wrote:

FYI: a quick test of the updated packages on one of my 13.1 machines
looks good.

> But I'm not really expert on this. So maybe
>
> > That said - I don't think having a separate update is a real problem
> > if both are released at the same time (or AppArmor first).
>
> might be the safest option after all.

Indeed ;-)

I just submitted the update:
https://build.opensuse.org/request/show/390298

BTW: I also managed to get 2.9.3 released upstream, so the update for
13.2 is one of the next things I'll do ;-)

> > [1] 2.10 isn't the worst thing that can happen to you ;-) and
> > probably has much fewer bugs than 2.8.4 - but I understand that such
> > a version update isn't the best idea for a maintenance release.
> > I'll ignore the fact that we do a version update of Samba ;-)
>
> I'm really not happy about it either. I even tried to start rebasing
> the series but after more than half of first 10 commits needed
> adjusting and there were still more than 200 more, I realized that

Impressive numbers...

> upgrade is probably the only viable option. After all, the fact that
> the same was done in SLE12 GA was a hint...

Oh yes. If even SLE12 does a version update, that's a *very* clear
hint ;-)


Regards,

Christian Boltz
--
... if one can only imperfectly filter spam and viruses, how is one
then supposed to tort^H^H^H^Hfilter the Windoof experts? ;-)
[Paul Foerster in suse-laptop]

Re: [Evergreen] samba security update - badlock and friends
On 16.04.2016 at 12:40, Michal Kubecek wrote:
> On Sat, Apr 16, 2016 at 12:24:03AM +0200, Christian Boltz wrote:
>>> The samba update is submitted now to
>>> openSUSE:Evergreen:Maintenance:4627 If you are going to submit the
>>> AppArmor profile update, using this incident would be IMHO the best
>>> option as that way both samba and profile update would be released at
>>> once, preventing regressions.
>>
>> What is the best way to do this?
>> I'd guess something like
>>
>>     osc sr security:apparmor apparmor_2_8 \
>>         openSUSE:Evergreen:Maintenance:4627 WHATEVER
>>
>> but I'm not sure what I should use for WHATEVER ;-)
>
> I assume apparmor.openSUSE_13.1_Update
>
> Or maybe rather
>
>     osc mr -a Evergreen:MaintenanceProject \
>         --incident-project openSUSE:Evergreen:Maintenance:4627 \
>         security:apparmor apparmor_2_8 openSUSE:13.1:Update

Just submit it via SR or MR without anything special (with the -a
Evergreen:MaintenanceProject for MR though). I can merge incoming
requests afterwards.

Thanks,
Wolfgang

Re: [Evergreen] samba security update - badlock and friends
On Sat, Apr 16, 2016 at 12:24:03AM +0200, Christian Boltz wrote:
> > The samba update is submitted now to
> > openSUSE:Evergreen:Maintenance:4627 If you are going to submit the
> > AppArmor profile update, using this incident would be IMHO the best
> > option as that way both samba and profile update would be released at
> > once, preventing regressions.
>
> What is the best way to do this?
> I'd guess something like
>
>     osc sr security:apparmor apparmor_2_8 \
>         openSUSE:Evergreen:Maintenance:4627 WHATEVER
>
> but I'm not sure what I should use for WHATEVER ;-)

I assume apparmor.openSUSE_13.1_Update

Or maybe rather

    osc mr -a Evergreen:MaintenanceProject \
        --incident-project openSUSE:Evergreen:Maintenance:4627 \
        security:apparmor apparmor_2_8 openSUSE:13.1:Update

But I'm not really expert on this. So maybe

> That said - I don't think having a separate update is a real problem if
> both are released at the same time (or AppArmor first).

might be the safest option after all.

> [1] 2.10 isn't the worst thing that can happen to you ;-) and probably
> has much fewer bugs than 2.8.4 - but I understand that such a version
> update isn't the best idea for a maintenance release.
> I'll ignore the fact that we do a version update of Samba ;-)

I'm really not happy about it either. I even tried to start rebasing the
series but after more than half of first 10 commits needed adjusting and
there were still more than 200 more, I realized that upgrade is probably
the only viable option. After all, the fact that the same was done in
SLE12 GA was a hint...

Michal Kubecek

Re: [Evergreen] samba security update - badlock and friends
Hello,

On Friday, 15 April 2016, 09:12:06 CEST, Michal Kubecek wrote:
> On Thu, Apr 14, 2016 at 07:25:51AM +0200, Michal Kubecek wrote:
> > On Thu, Apr 14, 2016 at 12:31:48AM +0200, Christian Boltz wrote:
> > > General feedback if we want that "big" profile update patch or
> > > only a "small" patch to adjust the samba/nmbd profile is also
> > > welcome.
> >
> > As you seem to know that some of the changes are actually needed in
> > 13.1 (and IIRC you mentioned one in the recent nscd thread), I
> > would vote for the full patch.

Packages with all the profile updates and an additional fix for
libapparmor (taken from upstream 2.8 bzr branch) to support more log
formats just built in security:apparmor.

Note that this repo contains multiple versions and will give you
AppArmor 2.10 if you just zypper dup from it [1], so you'll need to use
zypper in with the exact 2.8.4 version in the zypper command line.

The safer (and maybe easier) way is probably to download the packages
via

    osc getbinaries security:apparmor apparmor_2_8 openSUSE_13.1 x86_64

(or i586, whatever you need) and install them manually.

I'll test the packages on one of my servers tomorrow and submit them to
Evergreen afterwards.

> The samba update is submitted now to
> openSUSE:Evergreen:Maintenance:4627 If you are going to submit the
> AppArmor profile update, using this incident would be IMHO the best
> option as that way both samba and profile update would be released at
> once, preventing regressions.

What is the best way to do this?
I'd guess something like

    osc sr security:apparmor apparmor_2_8 \
        openSUSE:Evergreen:Maintenance:4627 WHATEVER

but I'm not sure what I should use for WHATEVER ;-)

That said - I don't think having a separate update is a real problem if
both are released at the same time (or AppArmor first).


Regards,

Christian Boltz

[1] 2.10 isn't the worst thing that can happen to you ;-) and probably
    has much fewer bugs than 2.8.4 - but I understand that such a version
    update isn't the best idea for a maintenance release.
    I'll ignore the fact that we do a version update of Samba ;-)

--
looks like you have some special code in yast for password "x", maybe
I should use the even more secure new password "y" in the future ?! ;-)
[Harald Koenig in https://bugzilla.novell.com/show_bug.cgi?id=148464]

Re: [Evergreen] samba security update - badlock and friends
On Thu, Apr 14, 2016 at 07:25:51AM +0200, Michal Kubecek wrote:
> On Thu, Apr 14, 2016 at 12:31:48AM +0200, Christian Boltz wrote:
>
> > General feedback if we want that "big" profile update patch or only a
> > "small" patch to adjust the samba/nmbd profile is also welcome.
>
> As you seem to know that some of the changes are actually needed in 13.1
> (and IIRC you mentioned one in the recent nscd thread), I would vote for
> the full patch.

The samba update is submitted now to

    openSUSE:Evergreen:Maintenance:4627

If you are going to submit the AppArmor profile update, using this
incident would be IMHO the best option as that way both samba and
profile update would be released at once, preventing regressions.

Michal Kubecek