fix(samba): drop winexe subpackage#17102
Open
PawelWMS wants to merge 1 commit intotomls/base/mainfrom
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the samba component configuration to stop producing the optional samba-winexe subpackage (which embeds Windows PE .exe artifacts that trip automated malware-scanning during signing), while keeping the rest of Samba shippable.
Changes:
- Disable the
winexebuild conditional forsambavia component build configuration (build.without) and switch release handling toautorelease. - Remove
samba-winexefrom the base package manifest so images/manifests don’t reference a no-longer-built RPM. - Refresh rendered artifacts for the component (rendered spec/macros/changelog) and update the lock fingerprint accordingly.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
base/comps/samba/samba.comp.toml |
Disables the winexe subpackage via build.without and switches release calculation to autorelease. |
base/packages/base.packages.toml |
Removes samba-winexe from the base package set. |
specs/s/samba/samba.spec |
Rendered spec refresh reflecting the build config (loads generated macros, Source9999, release/changelog bump). |
specs/s/samba/samba.azl.macros |
New rendered macros file defining %_without_winexe 1 to enforce the disabled subpackage. |
locks/samba.lock |
Updated input fingerprint after component config changes. |
PawelWMS
changed the title
Disables the optional `samba-winexe` subpackage so the rest of the
`samba` component can ship without rebuilding the Wine-derived
Windows `winexe.exe` cross-host process-launch tool.
Why
---
`samba-winexe` packages mingw32/mingw64-cross-compiled Windows PE
binaries shipped inside a Linux RPM. Generic .NET / Windows-PE
malware-scan heuristics consistently flag those binaries when the
RPM is run through our automated package-signing pipeline,
irrespective of source provenance. The rest of `samba` (server,
libs, client, dc, vfs modules, ctdb) signs cleanly without winexe.
Mechanism
---------
The upstream `samba.spec` already gates BuildRequires,
`%package winexe`, and `%files winexe` behind `%if %{with winexe}`.
Adding `build.without = ["winexe"]` to
`base/comps/samba/samba.comp.toml` causes `azldev` to pass
`--without winexe` to rpmbuild and unconditionally drop the
subpackage. **No spec mutation is needed** -- which means zero
overlay maintenance burden across upstream samba uplifts and full
reversibility (just delete the `build.without` line).
Dependency-impact analysis
--------------------------
Repo-wide grep of `base/comps/**/*.{toml,comp.toml}` and
`specs/**/*.spec` for `BuildRequires:.*samba-winexe`,
`Requires:.*samba-winexe`, and `winexe` (excluding the gating
`%bcond winexe` lines and the `%package winexe` declaration inside
`samba.spec` itself) returns **zero consumers**. Independently
re-confirmed by the dependency-impact verifier. `samba-winexe`
therefore has no reverse dependencies in this distro and dropping
the subpackage is safe.
Pairs with a deletion of the now-dangling `"samba-winexe"` line
from `base/packages/base.packages.toml` so the image manifest does
not reference a sub-package the build no longer produces.
Functionality lost
------------------
Only the optional `samba-winexe` sub-package containing the
Wine-derived Windows `winexe.exe` cross-host process-launch tool.
Niche use case -- modern alternatives include OpenSSH on Windows,
WinRM, and PowerShell Remoting. The rest of the `samba` component
(server, libs, client, dc, vfs modules, ctdb) is unaffected.
PawelWMS
force-pushed
the
pawelwi/samba-drop-winexe
branch
from
fe9955d to
b9bf4bf
Compare
reubeno
reviewed
May 9, 2026
| [components.samba] | ||
| # Release: %{samba_release} | ||
| release = { calculation = "manual" } | ||
| release = { calculation = "autorelease" } |
Member
There was a problem hiding this comment.
What's the reason for the change? Any context?
Collaborator
There was a problem hiding this comment.
I had the same question and @dmcilvaney did work with @PawelWMS on this.
Samba's release indirectly has Release: %autorelease (via Release: %{samba_release} and %global samba_release %autorelease), but our tools can't easily follow that, so the calculation = "autorelease" was used
christopherco
approved these changes
May 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes: AB#19863
Summary
Disables the optional
samba-winexesubpackage so the rest of thesambacomponent can ship without rebuilding the Wine-derived Windowswinexe.execross-host process-launch tool.Why
samba-winexepackages mingw32/mingw64-cross-compiled Windows PE binaries shipped inside a Linux RPM. Generic .NET / Windows-PE malware-scan heuristics consistently flag those binaries when the RPM is run through our automated package-signing pipeline, irrespective of source provenance. The rest ofsamba(server, libs, client, dc, vfs modules, ctdb) signs cleanly without winexe.Mechanism
The upstream
samba.specalready gatesBuildRequires,%package winexe, and%files winexebehind%if %{with winexe}. Addingbuild.without = ["winexe"]tobase/comps/samba/samba.comp.tomlcausesazldevto pass--without winexeto rpmbuild and unconditionally drop the subpackage. No spec mutation is needed — which means zero overlay maintenance burden across upstream samba uplifts and full reversibility (just delete thebuild.withoutline).This PR pairs the
build.withouttoggle with a deletion of the now-dangling"samba-winexe"line frombase/packages/base.packages.tomlso the image manifest does not reference a subpackage the build no longer produces.The
releasecalculation inbase/comps/samba/samba.comp.tomlis also switched from"manual"to"autorelease"soazldevcan derive the Release tag from the upstream spec'srpmautospecdirectives instead of carrying a manual override.Dependency-impact analysis
Repo-wide grep of
base/comps/**/*.{toml,comp.toml}andspecs/**/*.specforBuildRequires:.*samba-winexe,Requires:.*samba-winexe, andwinexe(excluding the gating%bcond winexelines and the%package winexedeclaration insidesamba.specitself) returns zero consumers. Independently re-confirmed by a dependency-impact reviewer pass.samba-winexetherefore has no reverse dependencies in this distro, and dropping the subpackage is safe.Functionality lost
Only the optional
samba-winexesubpackage containing the Wine-derived Windowswinexe.execross-host process-launch tool. Niche use case — modern alternatives include OpenSSH on Windows, WinRM, and PowerShell Remoting. The rest of thesambacomponent (server, libs, client, dc, vfs modules, ctdb) is unaffected.Validation
azldev-in-container comp render -p samba(rendered files refreshed underspecs/s/samba/).azldev-in-container comp update -p samba(lock file refreshed inlocks/samba.lock).