From: Mike Westerhof <mike@mwester.net>
To: openembedded-devel@lists.openembedded.org
Subject: Re: samba-essential upgrade or remove?
Date: Mon, 15 Mar 2010 08:53:44 -0500
Message-ID: <4B9E3BE8.1070800@mwester.net>
In-Reply-To: <201003150446.26284.holger+oe@freyther.de>

Holger Hans Peter Freyther wrote:
> On Monday 08 March 2010 13:51:35 Holger Hans Peter Freyther wrote:
>> On Monday 08 March 2010 13:42:07 Dr. Michael Lauer wrote:
>>> While I'm not using it atm., I recall that samba-essential was the only
>>> recipe that worked relatively painlessly when Matthias Hentges created it
>>> back then.
>> Then please fix it. You will do a great service to our users. The following
>> CVEs are not addressed:
>> 	CVE-2009-2813, CVE-2009-2948, CVE-2009-2906, CVE-2009-1888,
>> CVE-2008-4314, CVE-2008-1105, CVE-2007-6015, CVE-2007-4572, CVE-2007-5398,
>> CVE-2007-2444, CVE-2007-2446, CVE-2007-2447, CVE-2007-0452, CVE-2007-0453,
>> CVE-2007-0454, CAN-2006-1059..
> 
> 
> Any update? Is anyone volunteering to update samba-essential or shall we
> remove it from the tree? I think we have a responsibility to our users that if 
> we install a network daemon that we at least fix the known security issues with 
> this one or remove it from our recipe collection... Opinions?
> 
> z.

Sigh.

I really don't think this recipe is worthy of this much controversy.
It's essential (hence the name) for certain very small NAS devices.

I fail to see how its presence is impacting others -- if you don't like
it, don't use it.  Simple.

Nevertheless, the same issues I face that prevent me from having the
time to figure out how to fix this recipe right now also preclude me
from spending time discussing and arguing my case on this.

If the presence of this recipe is so loathsome and offensive to the core
OE members that they would prefer to toss a distro out of OE, then go
ahead and do so.

As an alternative, I'll be happy to commit a change to that recipe that
renders it unbuildable for all but SlugOS -- that would ensure that no
one can build and install this "vulnerable" software in error, and
should suffice to address the issue.

-Mike (mwester)



