Hi Robie,

I really appreciate the information.  I totally understand your (Ubuntu 
developers) position on these sorts of matters.  We've been using Ubuntu for at 
least 10 years now and have never had any issues with it until this BIND 
assertion failure occurred.  It's been a good platform for us.

Unfortunately, when it comes to BIND, it leaves the users in a bit of a 
precarious position.  If you run the bind9 package, you incur the ire of ISC 
and the members of the BIND users forum (who chastise you for "running such an 
old version of BIND" and just tell you to upgrade BIND) if you post issues 
there.  If you use the ISC packages in their PPA repository, you can't get any 
(or only limited) assistance from the Ubuntu developers.  As popular as BIND 
is, it seems like it would be one of the packages that you would want to update 
regularly from the upstream minor version releases.  But perhaps BIND isn't run 
on Ubuntu as much as I think it might be.

Anyway, I'll try to file a bug report, but apport failed to create a core dump 
(file size too large), and I suspect you won't be able to do much without it.

Thanks again for the information.

Ben

-----Original Message-----
From: Robie Basak <robie.ba...@ubuntu.com>
Sent: Thursday, December 8, 2022 2:06 PM
To: Ben Bridges <bbrid...@springnet.net>
Cc: ubuntu-devel-discuss@lists.ubuntu.com
Subject: Re: Bind 9.16.1 crash on Ubuntu

Hi,

On Thu, Dec 08, 2022 at 05:22:34PM +0000, Ben Bridges wrote:
> This is bind9 1:9.16.1-0ubuntu2.11 running on Ubuntu 20.04.5 LTS (fully 
> patched).  Has this issue been seen before?  If so, has it been fixed, or is 
> it being fixed?  Is this the right forum for this posting?

This is the right place to ask, but for specific bugs, as Marc said,
please make sure a bug exists against the package in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/bind9 to check existing
reports, and "Report a bug" in the top right if you need to file a new
report.

> More generally ... to what extent do you update the Ubuntu bind9 package?  Is 
> it literally the 9.16.1 base source code (in focal) with no updates other 
> than to patch the CVE security vulnerabilities?  Or are there other patches 
> in it as well?

It varies - we'll patch as we think is appropriate, though that has a
maintenance burden so we try to keep the patching minimal. You can see
the full set of patches currently applied against the Ubuntu 20.04 bind9
package here (the `series` file defines what is applied, as opposed to
simply the contents of the directory):
https://git.launchpad.net/ubuntu/+source/bind9/tree/debian/patches?h=ubuntu/focal-devel

Of course the outcome also depends on how the package is built. You can
see that here:
https://git.launchpad.net/ubuntu/+source/bind9/tree/debian/rules?h=ubuntu/focal-devel

>  For a given Ubuntu LTS version (such as focal), do you ever "start over" 
> with the newest minor release of that branch of BIND (9.16 for focal, 9.18 
> for jammy)?  Or do you just continue patching the initial release of the 
> branch?

It depends. We'll update to the latest upstream point release on a
case-by-case basis. Upstreams vary in policy and the quality of what
they'll stick in there, and we don't want to regress our users, or
change behaviour on them!

Formally, our policy on what is acceptable to update like this is here:
https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases

And then for an update like this to actually happen, an Ubuntu developer
needs to drive it. The Server Team does update some packages routinely,
but it doesn't look like bind9 is currently in that list.

> Is there a specific version of 9.16 that you can say 1:9.16.1-0ubuntu2.11 is 
> equivalent to in terms of patches (both security and non-security)?

No - you have to study the patches.

> Do you recommend for or against Ubuntu users using the BIND packages in ISC's 
> PPA repository instead of the bind9 package in the Ubuntu repository?

You can of course do what you like on your own system. But Ubuntu can
only reasonably support what it ships, so using only our packages is our
recommendation. If we get a bug report about a problem caused by a third
party package, then we normally have to reject that report since there's
nothing we can do about that third party package!

Most packaging problems our users report are caused by third party
repositories breaking things, especially on future release upgrades.
Fundamentally there are some breakages that even a perfect third party
repository maintainer cannot avoid. The apt/dpkg system wasn't designed
to work this way, even if this kind of use is really common in practice.
People tend to get away with it because our policy on changing as little
as possible in stable releases means that these issues don't show
themselves. Until they try to upgrade to the new release, things explode
and they blame us :-(

So while I don't think it's Ubuntu's official position or anything, I
would avoid using third party repositories as much as possible.

On the other hand, we *do* maintain our own packages, and if there's an
issue, it's our intention to patch it if that's possible and reasonable
against our stable release policies that apply across all of our
packages[1]. So please do make sure that a bug report exists :)

Robie

[1] https://wiki.ubuntu.com/StableReleaseUpdates
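
Added example (not part of the original thread, and not Ubuntu's own tooling): a small audit of a `debian/patches` directory that separates what the `series` file actually applies from what merely sits in the directory, as described above. The file names and CVE identifiers are constructed placeholders, and the comment handling (`#` at line start or after whitespace) is an assumption about the quilt series format.

```python
import re

# Matches CVE-style identifiers embedded in patch file names.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample of a debian/patches/series file (placeholder names).
SERIES = """\
# constructed sample, not the real focal series file
0001-example-build-fix.patch
CVE-0000-00001.patch -p1
# CVE-0000-00002.patch   (commented out: not applied)
CVE-0000-00003.patch  # trailing note
"""

# Constructed listing of the debian/patches directory.
FILES = [
    "series",
    "0001-example-build-fix.patch",
    "CVE-0000-00001.patch",
    "CVE-0000-00002.patch",
    "CVE-0000-00003.patch",
]


def parse_series(text):
    """Return patch names in application order from a quilt series file."""
    applied = []
    for raw in text.splitlines():
        # Drop comments: '#' at line start or preceded by whitespace.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            applied.append(line.split()[0])  # ignore options such as -p1
    return applied


def audit(series_text, directory_files):
    """Compare the series file against the files present in the directory."""
    applied = parse_series(series_text)
    present = {f for f in directory_files if f != "series"}
    return {
        "applied": applied,
        # Present in the directory but never applied at build time.
        "not_applied": sorted(present - set(applied)),
        # Listed in series but absent: the build would fail on these.
        "missing": [p for p in applied if p not in present],
        "cves_applied": sorted(
            {m.upper() for p in applied for m in CVE_RE.findall(p)}
        ),
    }


if __name__ == "__main__":
    for key, value in audit(SERIES, FILES).items():
        print(f"{key}: {value}")
```

Patch file names are only a hint: a CVE fix can be carried in a patch whose name does not mention the identifier, so the patch contents and `debian/changelog` still need to be read.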
