So, what's up with Latest vs Quarterly FreeBSD pkg repos?

Hi,

so I did a dumb thing - I am trying to get better about it, but I'm fairly upgrade-happy and I'm bad about taking snapshots.

You'd think having both ZFS AND ESXi for my 3 FreeBSD VMs I would stop 5 seconds to take a snapshot before upgrading.

But no, I powered right ahead, added the latest repo to a file in /etc/pkg and ran pkg upgrade -r latest without a further thought.

Then, temperamental things like Samba began acting weird, which I need for domain membership so I can access the files on these file servers. ldb database mismatches were present across all 3 VMs and one is having clock skew issues with kinit even after running down every last form of time configuration on hardware, ESXi host, ntp, date, tzsetup and domain controllers.

So what's up with the latest repository? Is it basically like the -CURRENT branch where we should expect it to be buggy and cause problems? Samba48 sure doesn't like it much.
 
I wouldn't call it like -CURRENT. -CURRENT is a testing version while ports should have portlint run against them.
That doesn't guarantee anything but there is some testing. -CURRENT is raw.
There is definitely more churn on -latest. But you're just seeing problems you would have to deal with on a quarterly basis anyway.
Quarterly doesn't mean you won't have problems, just less frequency.
I run hostapd and would like to have the newest patched version, so I use the -latest repository.
So if security is a concern then -latest is worth the hassle in my opinion.

So my question:
Have you checked the notes for SAMBA in UPDATING?
net/samba48
" New Samba 4.8 upgrades the relevant database files in the way, that doesn't
allow easy fallback to the previous versions of Samba. So, before upgrading
to the new version make a backup of the /var/db/samba4/ directory."

How about this comment:
Initial attempt to bring Samba 4.8 to FreeBSD. Still, there could be rough
edges. Don't try it in the production environment yet.
 
Thanks, that is really helpful, I wasn't aware of the notes, I am still kind of new to FreeBSD (mostly coming from a Linux background).

Here's the thing I don't understand, though. I was already using Samba48 - why would there be such big changes to the same package that I would end up with an ldb version mismatch just by running a basic PKG update? Wouldn't this imply that I AM going to have this issue once latest package gets moved to the quarterly repo? (and, presumably, everyone else that is currently using Samba48 for FreeBSD domain members?)

Here's one thing that might be relevant:
Code:
Affects: users of net/samba48
Author: timur@FreeBSD.org
Reason:
  New Samba 4.8 upgrades the relevant database files in the way, that doesn't
  allow easy fallback to the previous versions of Samba. So, before upgrading
  to the new version make a backup of the /var/db/samba4/ directory.

  Full list of changes, new features and upgrade procedure is available at:

        https://www.samba.org/samba/history/samba-4.8.0.html

--------------------------------------------------------------------------------



New GUID Index mode in sam.ldb for the AD DC
--------------------------------------------

Users who upgrade a Samba AD DC in-place will experience a short delay
in the first startup of Samba while the sam.ldb is re-indexed.

Unlike in previous releases a transparent downgrade is not possible.
If you wish to downgrade such a DB to a Samba 4.7 or earlier version,
please run the source4/scripting/bin/sambaundoguididx script first.

OK, so it says samba4.8.0 so presumably I am already using that version, which means I can't go back to samba47 and hope for better results. I'll try running that script, but I have a feeling I am going to have to delete all my .ldb files and start over with Samba47 because I know what's coming, and it isn't pretty.

Reading through the notes on https://www.samba.org/samba/history/samba-4.8.0.html -- it seems to suggest that these changes are already implemented, but do not appear to be compatible with my VMs, which are all using samba48. Do you think there's a chance the samba48 available in the PKG Quarterly repo is an RC?

I suppose it's a good lesson to learn early on not to jump on bleeding-edge releases for important infrastructure-related software. I should have known to go with Samba47 to begin with.
 
Here's the thing I don't understand, though. I was already using Samba48 - why would there be such big changes to the same package that I would end up with an ldb version mismatch just by running a basic PKG update?
That's something you should probably ask the actual Samba developers. For example, just check out the release notes for the 4.8 series, you'll see what I mean. Generally speaking all which a FreeBSD port does is follow the original upstream.

On Linux you can sometimes come across package maintainers who feel the need to change or "enhance" a package on their own (like the infamous OpenSSL package maintainer on Debian who, in doing so, actually introduced a massive backdoor. That seriously opened my eyes regarding how 'professional' an average Linux distribution actually is (no sneer intended. Well... not too much ;) )).

On FreeBSD this is much less likely. Sure, there are sometimes patches and changes, but most of them involve changes to ensure that the software complies with FreeBSD standards. You know: /usr/local for the installation, but /var/run and /var/log for the pid and log files respectively (vs. /usr/local/var for example).

Note that I'm not saying it can never happen. But so far... Every unpopular change I experienced within the ports collection so far (the latest being the PowerDNS changes) I could fully trace back to the original developers. Each and every one of them. Trust me: sometimes I got highly upset about some and even outed my share of (constructive!) criticism from time to time. And I learned about all those thanks to FreeBSD (the massively important /usr/ports/UPDATING).

Wouldn't this imply that I AM going to have this issue once latest package gets moved to the quarterly repo? (and, presumably, everyone else that is currently using Samba48 for FreeBSD domain members?)
Absolutely.

But it's not the FreeBSD port maintainer but the Samba developer team you should address for those. Some Linux distributions try to "sugarcoat" this stuff (as I like to call it) by plain out changing the way the software works. So actually changing the software in ways unintended by the actual developers, simply to... as I said: prevent the end user from having to jump through too many hoops.

On FreeBSD you get what you came for. No more, no less.

And this is also one of the reasons I consider FreeBSD to be much more secure and reliable (once again: generally speaking, not every situation is the same) than your average Linux distribution. No sugar coating. Which also implies that if there is a nasty backdoor discovered in some software you'll know about it too. Sometimes FreeBSD will even refuse to build certain components because of that (which you can bypass of course) while the general Linux distribution from my example would simply install the whole thing as if nothing had happened.

Often making Linux an easier choice to work with, but at that same time also less reliable and less secure. Because security starts with knowing your environment and its flaws. Which sometimes gets totally glossed over.

But yeah, it's definitely something to get used to. Been there, done that and still recall (even if it has been quite some time ago) :)
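
Added example, not part of any post in this thread: a pre-upgrade gate that scans UPDATING-style entries (the Affects/Author/Reason layout quoted above, or the indented upper-case AFFECTS layout of /usr/ports/UPDATING) for installed origins and returns non-zero when one matches. The function names, date stamps and the second sample entry are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: gate a pkg upgrade on UPDATING entries that name installed ports.

# Constructed sample. The first entry is the net/samba48 note quoted in the
# thread; both date stamps and the second entry (a made-up port) are invented.
sample_updating() {
cat <<'EOF'
20990201:
Affects: users of net/samba48
Author: timur@FreeBSD.org
Reason:
  New Samba 4.8 upgrades the relevant database files in the way, that doesn't
  allow easy fallback to the previous versions of Samba. So, before upgrading
  to the new version make a backup of the /var/db/samba4/ directory.

20990101:
  AFFECTS: users of example/hypothetical-port
  AUTHOR: nobody@example.org

  Constructed entry for a port that is not installed.
EOF
}

# updating_hits SINCE ORIGIN...
# Reads UPDATING-style entries on stdin. Prints "DATE ORIGIN" for every entry
# dated SINCE (YYYYMMDD) or later whose Affects line names one of the ORIGINs.
# Returns 1 if anything matched, so a wrapper can stop before upgrading.
updating_hits() {
    since=$1; shift
    hits=$(awk -v since="$since" -v origins="$*" '
        BEGIN { n = split(origins, o, " "); for (i = 1; i <= n; i++) want[o[i]] = 1 }
        /^[0-9]+:[ \t]*$/ { date = $0; sub(/:.*/, "", date); next }
        tolower($1) == "affects:" && date + 0 >= since + 0 {
            for (i = 2; i <= NF; i++) {
                f = $i; gsub(/[,;]/, "", f)
                if (f in want) print date, f
            }
        }')
    if [ -n "$hits" ]; then printf '%s\n' "$hits"; return 1; fi
    return 0
}

# Demo with two origins assumed to be installed (net/samba48 from the thread).
sample_updating | updating_hits 20990115 net/samba48 shells/bash ||
    echo "read these entries (and take the backup they ask for) before pkg upgrade"
```

On a real host the entries would come from `pkg updating` or the ports tree's UPDATING file, and the origins from `pkg query %o`; glob patterns in Affects lines are not expanded here.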
 