Re: [OpenAFS] Question for admins regarding pts membership output

2022-07-13 Thread Gary Buhrmaster
On Wed, Jul 13, 2022 at 1:49 PM Jeffrey E Altman  wrote:

> The question for cell admins is whether anyone is aware of any internal
> scripts which process the output of "pts membership" which will break as
> a result of the inclusion of the implicit groups "system:anyuser" and
> "system:authuser" in output.
>
> Your assistance is appreciated.

I am no longer a cell admin, but I am sure such
scripts (which process the output) exist, and
will need modification.

I am, however, in favor of expanding the
output (although an " (implicit) " append
might be useful to help humans interpret
the result, and for scripts to be able to
parse such).

However, while out of scope, I would (long
term) prefer the output of commands to be
able to generate a machine parseable
output (json?) so that parsing output can
be more robust(*)(**).

Gary



(*) I presume like many others I have
more than once written a script which
parsed the output of a command and
experienced breakage when upstream
changed the format of the output.

(**) And while I do not know what the
json would include, an "implicit" boolean
flag would seem to be desirable for
each array element of the result.
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
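
An added example (not part of the original message and not OpenAFS code): a parser for "pts membership" text that fails closed on lines it does not recognise and emits JSON with a per-entry "implicit" flag, so a script that audits group membership gives the same answer whether or not the implicit groups are listed. The header format and the sample output are constructed assumptions, and the "(implicit)" suffix is only the marker suggested in the reply above, not actual pts output.

```python
import json
import re

# Implicit groups named in the thread: membership is implied, never stored.
IMPLICIT_GROUPS = frozenset({"system:anyuser", "system:authuser"})

# Assumed header shapes for a user query and for a group query.
HEADER = re.compile(
    r"^(?:Groups|Members of) (?P<name>\S+) \(id: (?P<id>-?\d+)\) "
    r"(?:is a member of|are):$"
)

# Hypothetical marker, following the " (implicit) " suggestion in the reply.
MARKER = "(implicit)"


def parse_membership(text):
    """Parse pts-membership-style text into a list of records.

    Raises ValueError on any line that is neither a header nor an indented
    entry, so an upstream format change is noticed instead of being read
    as a group name.
    """
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        header = HEADER.match(raw.strip())
        if header:
            records.append(
                {"name": header["name"], "id": int(header["id"]), "members": []}
            )
            continue
        # Entries must be indented and must follow a header.
        if not records or not raw[0].isspace():
            raise ValueError(f"unrecognised pts output line: {raw!r}")
        entry = raw.strip()
        marked = entry.endswith(MARKER)
        if marked:
            entry = entry[: -len(MARKER)].rstrip()
        records[-1]["members"].append(
            {"name": entry, "implicit": marked or entry in IMPLICIT_GROUPS}
        )
    if not records:
        raise ValueError("no membership header found")
    return records


def explicit_groups(record):
    """Entries that were actually granted, ignoring implicit groups."""
    return [m["name"] for m in record["members"] if not m["implicit"]]


def to_json(records):
    """Machine-parseable form with an 'implicit' boolean per array element."""
    return json.dumps(records, indent=2)


# Constructed sample output: old format, new format with the implicit groups
# listed bare, and new format with the suggested marker appended.
SAMPLE_OLD = """\
Groups alice (id: 1234) is a member of:
  staff
  alice:friends
"""
SAMPLE_NEW = SAMPLE_OLD + "  system:anyuser\n  system:authuser\n"
SAMPLE_MARKED = (
    SAMPLE_OLD + "  system:anyuser (implicit)\n  system:authuser (implicit)\n"
)

if __name__ == "__main__":
    print(to_json(parse_membership(SAMPLE_MARKED)))
```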


Re: [OpenAFS] What you need to know about Windows 10

2015-07-29 Thread Gary Buhrmaster
On Wed, Jul 29, 2015 at 12:28 AM, Jeffrey Altman
jalt...@your-file-system.com wrote:

> Tomorrow(*)

Thanks for the update/reminder.  And thanks for your
willingness to build one last time for Windows 10.
It really is above and beyond what anyone has any
right to expect.

Personally, I have no idea if Windows 10 will be
everything MS wants it to be(**), but (putting my security
hat on) moving to certified drivers is the right way
forward, regardless of how it impacts some projects
(and those projects need to step up their game).

Thanks.

Gary(***)


(*) The right statement to many on Wednesday really should be:
and then, and then, do the smart thing, let someone else try first

(**) It's tough to make predictions, especially about the future

(***) Can't find a quote to steal over my sig.


Re: [OpenAFS] Providing signed packages (was Re: any experiences with OpenAFS client ...)

2014-10-23 Thread Gary Buhrmaster
On Thu, Oct 23, 2014 at 4:02 PM, Andrew Deason adea...@sinenomine.net wrote:

> For all of these situations where the Foundation would provide the
> ability to sign binaries, there are those legal considerations, then,
> but also other things. The Foundation needs to have a point of contact
> for any of these, and needs to go through the process of signing up for
> the relevant service and buying the relevant certificates/keys, etc. We
> also need to have a place or person(s) to store the secret keys; if
> they're not stored securely, they obviously do no good. It also needs to
> be clear how they will get used to sign the binary releases (who gets
> access to the keys for signing).

And this is one place things can get interesting.  Let us imagine
someone is evil, and their intent is to crack into a major corporation
that uses OpenAFS.  One might target obtaining that kext signing
certificate.  Because that key can be used to bypass all of the
protections that Mac OS X provides.  It is a key to the kingdom.

Now, if that major corporation gets cracked via a kext that was
signed using the OpenAFS certificate, and all their secrets
get stolen, they *may* decide to go after those that allowed
it to happen.  That might be the OpenAFS foundation.  And
their board members, and whoever signed the kext.  And
perhaps more (remember, you are looking for the deep
pockets for collection, or at least show that you took the
crack seriously, and are going all out to recoup your losses).

If the OpenAFS foundation cannot show that they had strong
processes in place to protect that certificate and use it only
in an appropriate and approved manner, since this is likely going
to be considered a foreseeable event, their legal team would
possibly be at a disadvantage.

And that is why a foundation is likely to need (at least)
Professional Liability Insurance, Directors and Officers
Insurance, and Product Liability Insurance (as I believe
Jeff mentioned).

And the costs for those are going to depend on what liabilities
one is accepting, and what processes one can show are used
to limit disclosure of any such certificate.  It might even require
the foundation to run their own signing infrastructure (as
many large organizations do).  All of which likely requires
legal and auditor review. Welcome to some of the true costs of
operating a non-profit in a litigious society.

Sure, that scenario might not happen.  One might even
argue that it is unlikely (and it probably is).  But then again,
would you want to be the board member individually sued
if it does, and the foundation does not provide adequate
D&O insurance?

And that does not even get into an alternative possibility
that some future (well meaning, good intentioned) change
breaks in Mac OS X, and someone decides to sue the
foundation for losses (in most jurisdictions, the cost to
file is low; some people do it just for sport.  Defending is
never as cheap as the filing).

Again, seek actual legal advice.  Nothing said on this
list is (necessarily) valid for your specific situation.
Especially nothing I am saying.  The board will need
to accept some risks for the foundation.  Signing
kexts may be one of them.  Or, perhaps, it is a risk
too far at this time.  Your lawyer can assist you in
navigating this process.  Choose well.

Gary


Re: [OpenAFS] any experiences with OpenAFS client on the upcoming MacOS 10.10 (yosemite) release?

2014-10-21 Thread Gary Buhrmaster
On Tue, Oct 21, 2014 at 4:23 PM, Stephen Joyce step...@email.unc.edu wrote:
> Jeffrey,
>
> I'd like to learn more about this. However since you sell a proprietary fork
> of OpenAFS, it's difficult to discount your possible incentive to spread FUD
> regarding OpenAFS.
>
> Therefore can you provide URIs with specific information to educate me (and
> possibly others) regarding these contractual obligations related to binary
> signing?

Last I knew, the Apple agreements were behind
a paywall (yes, you have to pay to get to see what
you are being asked to agree to, and to make a
request to be able to add kext signing to your dev
certificate), but it is not really relevant.

Interpretation of contractual obligations is something
your lawyer needs to advise you on.  Much as I would
agree with Jeff, he is not your lawyer or mine, and
nothing he says should be considered definitive to
your specific situation or environment(*).  As a member
of a major university, I am confident you have excellent
legal counsel available to you who may also be aware
of any other contracts with Apple or Microsoft that might
impact that evaluation (for all I know, unc has the right
to sign kexts written by their students in an
introductory CS class for use in-house).

Gary

(*) I do trust Jeff has had his lawyer make the
evaluation(s) for his specific situation.  Because
that is what he does, and because he can end up
being out of business or sued for a bazillion dollars
if he gets it wrong, or just because someone
decides they want to sue someone because they
can.  And, yes, he or his lawyers could be more
risk averse than some.  So that is why you
need your lawyers to do the evaluation for you.


Re: [OpenAFS] Recent Fedora kmod issues

2014-05-07 Thread Gary Buhrmaster
On Wed, May 7, 2014 at 5:41 AM, Jon Stanley jonstan...@gmail.com wrote:

> Thinking about it though, since RPM goes off of what's in the RPM
> database and not what's on the filesystem, I wouldn't think that this
> would be working for *any* Fedora 17+ system, regardless of how it's
> installed - there's nothing in the RPM database that provides
> /sbin/depmod, even though the scripts that call it would obviously
> succeed in any event. Haven't had a chance to try it out though.

While completely unresearched, in theory, if I remember what
is packaged where, one might consider changing the
Requires(post): to be kmod (the package) rather than the
depmod file itself for recent releases, and module-init-tools
for older releases.

Completely untested (and clearly only works for RHEL/Fedora)

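%if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
# recent releases: depend on the kmod package rather than the depmod file
Requires(post): kmod
Requires(postun): kmod
%else
# older releases: depmod comes from module-init-tools
Requires(post): module-init-tools
Requires(postun): module-init-tools
%endif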


Re: [OpenAFS] Just curious, anyone know what this AFS might be?

2013-12-15 Thread Gary Buhrmaster
On Sun, Dec 15, 2013 at 5:47 PM, Jeffrey Altman
jalt...@your-file-system.com wrote:
...
> It's an accounting system.

You mean OpenAFS is not being rewritten in Cobol in honor
of Admiral Hopper :-)


Re: [OpenAFS] Re: How to remove a bogus (127.0.1.1) server entry for readonly?

2013-12-10 Thread Gary Buhrmaster
On Tue, Dec 10, 2013 at 12:59 PM, Coy Hile coy.h...@coyhile.com wrote:

> Somewhat off-topic, but am I the only one who thinks that
> Linux distributions doing this is utterly brain-dead?

I suppose the only good news is that in IPv6 only ::1/128
is loopback.  So such interesting choices will hopefully
not be propagated going forward (and there could come a
time when one learns about IPv4 only in the history books,
and understands some of the choices as lessons learned
(to never do again)).

FD: there was an IETF draft proposal to expand the IPv6
loopback space (but has already expired).

Gary


Re: [OpenAFS] Re: Fstab options for AFS on SSDs

2013-08-01 Thread Gary Buhrmaster
On Thu, Aug 1, 2013 at 5:17 PM, Andrew Deason adea...@sinenomine.net wrote:

> 'discard' I've heard may help or hurt performance depending on usage

And on the particular SSD vendor (really the firmware), when it
receives the (SATA) TRIM, or the (SAS) UNMAP command.
Some of the firmware implementations can actually perform
quite badly when told to reclaim (especially) large chunks,
and they go into extended GC operations.  These performance
issues are more likely to manifest themselves in commodity
SSDs than the enterprise ones, but, as always, YMWV.

Gary


Re: [OpenAFS] Run file server without client?

2013-03-26 Thread Gary Buhrmaster
On Tue, Mar 26, 2013 at 5:58 PM, Steve Simmons s...@umich.edu wrote:

> Without meaning to insult the average system administrator

Well, since all system administrators are above average,
you can not have insulted anyone (yet) :-).

I agree with both what you and Russ are saying.
It all depends on your organization's processes
and disciplines(*).  I have been said to be somewhat
pedantic (I can hear the chuckles of the lurkers
on this conversation :-), and do believe it is possible
to make it work (and have done so in various previous
lives).  And Russ also has a working example.  Not
all organizations can (or will) implement the controls
needed to make it viable.  That is why making the
choice of installing the client on servers needs to
be made in the environment that one is running.
You are probably making the correct choice for
your environment.

Gary

(*) You could always move to a complete ITIL
approved process to enforce the discipline.


Re: [OpenAFS] Run file server without client?

2013-03-25 Thread Gary Buhrmaster
On Mon, Mar 25, 2013 at 8:18 PM, Russ Allbery r...@stanford.edu wrote:
...
> We have AFS clients on all of our servers, including the AFS servers, and
> avoid unintentional dependencies on AFS (for all services) by just being
> careful.

While I trust you to be careful (and I would trust myself to be careful :-),
I have seen cases where the dependency graph is not complete (or
not understood by the new guy), resulting in interesting results.  That
said, I would normally run the AFS client on all servers, although it
is not needed.

Gary


Re: [OpenAFS] Re: mtu problem

2013-02-07 Thread Gary Buhrmaster
On Thu, Feb 7, 2013 at 10:39 AM, Brandon Allbery
ballb...@sinenomine.net wrote:
> Subset of, yes.  All?  So many sites on the Internet can't be accessed
> reliably from the many OSes that do PMTUD?  Somehow, I doubt.

If you want to be sure, use the RFC mandated minimum MTU
of 576 for IPv4 (1280 for IPv6).  You want larger packets?
Then get used to disappointment (at least some of the time).


[OpenAFS] Re: [OpenAFS-announce] OpenAFS 1.7.18 released for Microsoft Windows - Win 8 and Server 2012

2012-11-06 Thread Gary Buhrmaster
On Mon, Nov 5, 2012 at 1:32 PM, Jeffrey Altman jalt...@openafs.org wrote:
> OpenAFS 1.7.18 is the next in a series of OpenAFS clients for the Microsoft
> Windows platform that is implemented as a native file system.

I am not asking for it, just curious if OpenAFS will (eventually)
make it to the Windows App Store(*), just as there is now an
iOS client (branded by a certain vendor, of course :-)

Gary

(*) If I am recalling correctly, to get things into the Microsoft App
Store you have to use VC2012, and there is some incompatibility
with using VC2012 and XP target support, so you have to do some
ugly hacks until MS updates VC2012 to include XP support (RSN).
I probably have the details wrong, since I tend to compile on
Windows in VC about once a year (usually for testing something).
I could imagine this could delay releasing into the app store.


Re: [OpenAFS] Re: [OpenAFS-devel] rxgk development has been funded

2012-10-30 Thread Gary Buhrmaster
On Tue, Oct 30, 2012 at 1:30 PM, Troy Benjegerdes ho...@hozed.org wrote:

> What are the missing pieces needed to deploy RxK5?
> I am going to start with the assumption that it will not
> pass the standards process until after there are several
> people running it in production.

Please read https://www.ietf.org/about/process-docs.html
Standards are not "I am running it in production, bless it now",
it is more like a long term negotiation (with a lot of work
along the way).


Re: [OpenAFS] the future

2012-10-01 Thread Gary Buhrmaster
On Mon, Oct 1, 2012 at 5:52 AM, Chas Williams (CONTRACTOR)
c...@cmf.nrl.navy.mil wrote:

> we are running lustre alongside afs right now.  lustre is generally
> much much faster than afs.  the downside is that the security model
> is essentially nfsv3.  anyone with root on a lustre client is essentially
> any other user on the filesystem and can read/write your files.

My recollection was that if you are willing/able to run bleeding
edge that there was gssapi support in Lustre.  I have no idea
how production ready that support is.

Regardless, Lustre is no AFS (and vice versa).  Different
strengths and different weaknesses.

Gary


Re: [OpenAFS] is YFS a derived work?

2012-10-01 Thread Gary Buhrmaster
On Mon, Oct 1, 2012 at 10:21 AM, Ted Creedon tcree...@easystreet.net wrote:
> The IP (intellectual property) in YFS seems to be derived from AFS's IP.
>
> If that case can be made, IBM or any other entity could force YFS back into
> the open source domain.

I am confident that YFSi would have dotted and crossed the appropriate
letters and worked with competent legal staff as part of their business
plan (Jeff is a smart person, and he is also an ethical person).

IP law is a minefield, and unless you are (or someone else on the
list is) a lawyer willing to offer free legal advice on list, we should all
probably refrain from the armchair lawyering.

Gary


Re: [OpenAFS] Distro vs. @sys. Round 1: FIGHT!

2012-08-23 Thread Gary Buhrmaster
On Thu, Aug 23, 2012 at 2:02 PM, Jeff Blaine jbla...@kickflop.net wrote:

> Due to drastic differences in OS libraries present, those (like us),
> who use @sys in PATH, get bitten. That is, our build of AppX for
> 'amd64_linux26' that was built on RHEL 5 will not work on RHEL 6,
> and we need to support both.

In the case of system libraries (vs what you might install locally),
RedHat typically provides one version compatibility.  If it was built
on RHEL5, it should run on RHEL6, although you may have to install
various compatibility libraries.  If it does not, you should open a
ticket with RedHat.

But the general problem remains, especially in the Linux world
where libraries/interface backwards compatibility has not been
a historically agreed upon requirement.  (AIX, *BSD, Solaris
generally support even older interfaces; I think we were running
an old SunOS binary through many versions of Solaris).

Iff you have a standard (and supported) distro, using that as
a high level distinguisher as part of your syslist may make
sense.  I know that at $dayjob$ there was a very long debate
regarding the syslist sequence, and trying to deal with both
the known examples, and some obvious edge cases, and the
end result made no one entirely happy.  I think that is likely
the end state for all such taxonomy attempts.  Get used to
disappointment.  The best one can do is pick something
that makes a little bit of sense, and try to consider building
in the flexibility to change it (because you likely will).

Gary


Re: [OpenAFS] OpenAFS on OS X 10.8

2012-02-24 Thread Gary Buhrmaster
On Fri, Feb 24, 2012 at 06:43, Ken Dreyer ktdre...@ktdreyer.com wrote:
> I was curious if anyone's tried OpenAFS on Apple's 10.8 developer
> preview yet? How did it go?

If they told you, they would have to kill you :-)

More seriously, Apple is very protective of their
assets, (and some might call it secretive to the
extreme) and access to the developer previews
comes with a strict NDA gag order on public
comments regarding any pre-release software
issues and/or features.  There are certainly
rumors of access to the developer program
being removed (for life) for posting pre-release
info.  Apple takes their contracts seriously.

So, if any individual just happens to be running
10.8 with OpenAFS, they will tell you OpenAFS
is working with 10.8 when 10.8 is released.
Sometimes, if you are very careful about watching
commits of many different projects, you might
just happen to notice changes that suggest
future capabilities or integration for as yet
unreleased or unannounced products or
features.  And sometimes, everything just
works, so there is nothing to see (yet).

Gary


Re: [OpenAFS] Re: problem installing kmod-openafs from yum repo

2012-02-17 Thread Gary Buhrmaster
On Fri, Feb 17, 2012 at 09:45, Natxo Asenjo natxo.ase...@gmail.com wrote:

> Apparently no more i386 in rhel6 and clones.

Somewhere along the line Fedora (and now RHEL)
dropped i386.  You have to target i686.

Gary


Re: [OpenAFS] Re: 1.6 clients: rx version pings

2011-12-05 Thread Gary Buhrmaster
On Mon, Dec 5, 2011 at 02:58, Harald Barth h...@kth.se wrote:
...
> IMHO it should be disabled completely if there are no RFC1918
> interfaces on the client and enabled if there are such interfaces.
> A command line flag to override in either direction would help
> as well (for debugging, testing and strange deployments).

No RFC1918 addresses does not mean no NAT
(for a lot of bad reasons, some providers used
what was considered, at the time, to be unused
IP address ranges for their local space.  1.1.1.0
and 1.2.3.0 are common examples(*), and some
people took them as canon; and some places
decided to overload their internal addresses too
for historical (bad?) reasons (and with IPv4 address
exhaustion pending, perhaps for some pragmatic
reasons), and some providers reuse their internal
address space again and again in different regions
with multiple NAT gateways (and there is a proposal
in the IETF to formalize a shared transition space
of a /10 to avoid the RFC1918 conflicts)).  And
no RFC1918 address does not mean no stateful
firewall (with (especially) UDP timeouts) in the path
between the client and the server.

The rx version pings deal with more than just a simple
home RFC1918 address sharing gateway... Real
networks are more complex and varied than any
sort of idealized view of what a network could be.

There are heuristics that attempt to determine
if the user is behind a stateful firewall (and for
most values, although not all, NAT uses
stateful firewalls as part of the common
implementation; but there are 1-to-1 NATs
in use), and such detection (if such code
would be contributed) might be a good
determiner to decide if rx version pings
could be optionally turned off on a
particular path, at least until the next stateful
firewall probe (network paths also change over
time).

Gary

(*) Now that 1.0.0.0/8 have been assigned by
IANA, APNIC is probably going to have to
reserve a few of the worst offending /24s
to avoid known issues.


Re: [OpenAFS] CentOS 6.0 and installing kmod-openafs-1.6.0

2011-11-01 Thread Gary Buhrmaster
On Tue, Nov 1, 2011 at 06:58, Coy Hile coy.h...@coyhile.com wrote:
...
> Does RHEL 6 have the same "key too new" issue as well?

Yes.


Re: [OpenAFS] Windows client network behaviour

2011-09-21 Thread Gary Buhrmaster
On Wed, Sep 21, 2011 at 14:42, Anders Magnusson ra...@ltu.se wrote:
...
> No, state-of-the-art HP workstation.  Note that this is more-or-less the
> behaviour of all our Win7 machines with the IFS client, all of them are
> really new hardware.

This is a WAG, but high end workstations sometimes have
network cards that enable (by default) protocol offloading
(usually called TOE) to the network card.  You may want
to try to disable the offload functions if enabled (how to do
that is card/driver dependent) to see if the results change.


Re: [OpenAFS] When to publish security advisories?

2011-04-15 Thread Gary Buhrmaster
> My proposal, going forwards, is to not produce security advisories or
> releases for these local denial of service attacks. Local issues that can
> result in privilege escalation, or denial of service attacks that can be
> performed by those outside a site's infrastructure would still result in
> advisories.

Putting my security hat on, I think that local DOS impact
is in the eyes of the beholder.  For single user systems,
what you do to yourself is between the three of you.  For
sites that support communities of which you have to
presume at least a few compromised credentials, even
a local DOS might be significant, or require actions.  As
with all else, details matter (if anyone can do it with
a `/bin/ls` it is much more potentially impactful to a site
than if it requires a full moon, high tide, and a leap second
to reproduce).

So I would suggest that even local DOS deserves advisories
(with any possible mitigations/workarounds), but not a
software release/patch (i.e. addressed in a future release).

Gary


Re: [Fwd: Re: [OpenAFS] OpenAFS Backups]

2011-03-17 Thread Gary Buhrmaster
> Not sure why anyone would want to use anything other than Teradactyl.

As with all else, it depends on your requirements.

Teradactyl is clearly a solution targeting the enterprise
space with enterprise capability, support, overheads,
and pricing.  TSM and NetBackup target the same
space (although AFS support varies).

For those who either want, need, or are required to
have solid disaster recovery and business continuity
plans (demonstrable to competent auditors, not those
who want a "backup?, yes" check mark), enterprise
solutions (including their costs) are usually the only
ones that provide comfort to the C level execs, and
they are the ones who have to decide if they can
risk the business by not having a solid plan.

As with much else, it is possible for organizations to
build an enterprise class solution in house.  These
tend to be very house specific though (because of
the long term built-in presumptions).  They are often
better at solving the point needs of that particular
house than a generic solution.

At the other extreme, not everyone needs to be able
to recover their data in the event of a major disaster,
or even a bus event (the key system admin got run
over by a bus).

Gary


Re: [OpenAFS] calculating memory

2011-01-28 Thread Gary Buhrmaster
On Fri, Jan 28, 2011 at 15:24, Simon Wilkinson s...@inf.ed.ac.uk wrote:

> On 28 Jan 2011, at 20:24, Gary Gatling wrote:
>
>> I am in charge of several afs servers in our college. Right now there are
>> 5 afs servers running on 5 SPARC based servers. We are ditching Solaris
>> since it sucks so bad and are going to move to Linux VM's running inside of
>> VMware.
>
> Firstly, I would be cautious about running I/O intensive services like
> fileservers within  a VM. You'll almost certainly get better performance
> from bare metal, especially if you end up sharing the same physical hardware
> between multiple fileservers.

Second that.  However, depending on what one means by the
term VMware, it does not have to be horrendous.  VMware ESXi
*can* be configured to approach native speed with the appropriate
hardware (where appropriate *always* means not cheap(*)).
However, if one means the free VMware Server (or the Workstation
or Fusion offerings), then it is conceivable one might be better off
keeping the Solaris systems.  As always, YMWV.

Gary

(*) I seem to recall that VMware did a demo setup that was
capable of rather impressive I/O numbers.  I also think the
list price of the equipment started somewhere around
$250K (and as configured for the demo was probably
higher).


Re: [OpenAFS] GiveUpAllCallBacks callers

2010-12-14 Thread Gary Buhrmaster
On Tue, Dec 14, 2010 at 07:47, Derrick Brashear sha...@gmail.com wrote:

> c) Just state that 1.4.5 is too old to bother
>
> possibly that being today.

While I tend to be of the opinion that at some point you
just have to throw away the bath water (regardless of
the baby squid that has been living in it for a few years,
and has now grown into a full fledged unmanaged monster).
The problem for this case is that use of the RPC will
crash the server.  And it seems likely that if a site
is still running older servers it means that site is not
actively managing (and by that I mean managing
at all) their infrastructure.  An OpenAFS server that
crashes (repeatedly) may be an excuse for someone
to just blame OpenAFS for being a POS, remove it
from their environment, and bad mouth it.  I do not
think we want that, even though I would be tempted
to just have calamari and call it a day.

I think the only pragmatic solution is to hold one's nose
and use the implied capability by checking for the
other (GetStatistics64) RPC.  And vow that this is the
absolute last time (until the next time :-).  And, for
this type of problem, we actually have a plan for
the future with the capabilities RPC.

Gary


Re: [OpenAFS] Proposed changes for server log rotation

2010-12-05 Thread Gary Buhrmaster
On Sun, Dec 5, 2010 at 22:52, Christopher D. Clausen cclau...@acm.org wrote:

> Are we attempting to solve a problem that no one actually has?

I am sure someone has encountered it.  Someone has encountered
every problem.  Whether someone reports it is another issue.

I am a proponent of delivering solutions which default
to be the safe and the natural way to operate.  It results
in least astonishment.

That would include:
0) Using syslog (eventlog on Windows) as a default (it
   is the Unix way).  Every administrator already has
   to deal with syslog files filling up, and managing any
   archives they want to provide.
1) Services that run as root should not provide remote
   execution.

That said, I have absolutely no problem with allowing
people to chose different paths, including shooting
themselves in both feet if that is what they choose to
do knowingly.  There are always good reasons to
do things differently in specific environments, including
bypassing all the safeties (google battleshort).
However, the configurations as delivered should not
default to them.

Gary


Re: [OpenAFS] End of life for Windows 2000?

2010-11-23 Thread Gary Buhrmaster
> XP does have the same problem that 2000 does in that it is no longer
> supported by Microsoft without an extremely expensive support contract.
> Given the fact that so many sites still have XP and Server 2003 systems
> in production, I can't imagine deprecating support for XP for at least
> another two years.

Well, there is support, and then there is support.  W2K is no longer
receiving even security updates from Microsoft (without an
expensive contract).  For some values of risk, it is now risky
to run W2K on a network (your network will vary), or plug
a USB stick into the computer (your USB stick will vary;
Siemens engineers are exempt from this concern :-).  There
are known vulnerabilities that are not going to get patched.
You have what you have, and I would suggest that the
limited developer resources for OpenAFS should default
to a support lifetime similar to the vendor time lines.  Just
as with Microsoft, those that need special support should
expect to negotiate and fund custom support contracts.
XP, on the other hand, is still (under the Microsoft extended
support policy) receiving security updates until early 2014,
although no new functionality, nor any corrective patches not
security related (without that expensive contract).  That
Microsoft continues to provide essential security updates
(and because of the Vista issues) means many enterprises
continue to run XP, and will continue to do so until their
Win7 migrations are complete, which often means their
desktop life cycle replacement period has run its course.
Some enterprises will likely be running XP close to the
2014 date.  I suspect that there will still be community
interest in having OpenAFS supported on XP until close
to that drop dead date of 2014, which is more towards
a minimum of three years than two.  Microsoft even
supports Office 2010 on XP(*) (although, as I remember it,
IE9 will finally cut the XP cord).  However, I would suggest
that for organizations' planning purposes, OpenAFS should
consider announcing that the end of OpenAFS XP support
is currently targeted to align with the Microsoft date(s).
While the dates may change, it is a target, and it lets
people plan.

Gary

(*) To be fair, Office 14 (aka Office 2010) was originally
targeted to be released before (or right around) the
XP end of mainstream support date, so support for
Office 14 would have been expected.  Office 14 slipped.
Who would have been able to predict a slipped
Microsoft release date?


Re: [OpenAFS] End of life for Windows 2000?

2010-11-20 Thread Gary Buhrmaster
> Windows 2000 is now more than ten years old.  If your organization would be
> significantly impacted by removing support for Windows 2000, please let us
> know.  My personal opinion is that it is time to declare Windows 2000
> unsupported.

I would have to look at the official dates, but my recollection
is that Microsoft ended the last support for W2K earlier this
year.  Any further support required an extended support
(i.e. an expensive) contract.  Those organizations for which
W2K (and OpenAFS for W2K) are absolutely required
should already be budgeting (and contracting) for expensive
TM support.  OpenAFS for W2K should be declared dead.

Gary


Re: [OpenAFS] Overview? Linux filesystem choices

2010-09-30 Thread Gary Buhrmaster
On Thu, Sep 30, 2010 at 20:51, Booker Bense bbe...@slac.stanford.edu wrote:

> [1]- But I can get a 2 TB disk at fry's for $150...

Then one overpaid.  The current Fry's flyer shows 2TB for $99 :-)


Re: [OpenAFS] Overview? Linux filesystem choices

2010-09-30 Thread Gary Buhrmaster
On Thu, Sep 30, 2010 at 20:09, Robert Milkowski mi...@task.gda.pl wrote:

...
> btw: according to the leaked memo Oracle will provide source code for
> Solaris, including ZFS, every time they produce a new Solaris release. This
> would mean that it will still be open source, but development wouldn't
> happen in open.

I read the same leaked memo, and what I took from it is that
it implies no interim feature updates (which for ZFS have
been occurring during the current Solaris release), and no
bug fixes (when needed).  Just a code drop every major
release (24 months or so?).  As to whether that is what
will actually happen is unclear (leaked memos are not
policy).


Re: [OpenAFS] Overview? Linux filesystem choices

2010-09-30 Thread Gary Buhrmaster
On Thu, Sep 30, 2010 at 22:56, Robert Milkowski mi...@task.gda.pl wrote:
> On 30/09/2010 22:42, Gary Buhrmaster wrote:
>
>> On Thu, Sep 30, 2010 at 20:09, Robert Milkowski mi...@task.gda.pl wrote:
>>
>> ...
>>
>>> btw: according to the leaked memo Oracle will provide source code for
>>> Solaris, including ZFS, every time they produce a new Solaris release.
>>> This would mean that it will still be open source, but development
>>> wouldn't happen in open.
>>
>> I read the same leaked memo, and what I took from it is that
>> it implies no interim feature updates (which for ZFS have
>> been occurring during the current Solaris release), and no
>> bug fixes (when needed).  Just a code drop every major
>> release (24 months or so?).  As to whether that is what
>> will actually happen is unclear (leaked memos are not
>> policy).
>
> Well, they've just released S10 U9 with ZFS updates.
> Then they are about to publish Solaris 11 Express with even more new ZFS
> features.

Have they published the source code?  That is what I
am talking about, source code that others could use to
update their implementations.  I have no doubt Oracle
will continue to release updates for their closed source
releases.


Re: [OpenAFS] Overview? Linux filesystem choices

2010-09-28 Thread Gary Buhrmaster
On Wed, Sep 29, 2010 at 00:04, Vincent Fox vb...@ucdavis.edu wrote:
> On 09/28/2010 04:13 PM, Rich Sudlow wrote:
>
>> that being said we're also looking for fileserver
>> alternatives due to Oracle takeover.
>
> What's your reasoning here?
>
> If anything I'd expect them to put effort into optimizing it
> which Sun was letting languish recently.

Oracle has suggested that they want to move up the stack
to selling solutions (entire boxes/racks to do [something];
I think someone called it a Stack-in-a-box) and not
selling commodity hardware to run your own apps on.
There is more profit to be found there(*).  I believe ZFS
is part of those solutions, and I would expect Oracle
to continue to invest there.  But if/how that will end up
being a separable purchasable box to run as an
OpenAFS file server is simply not clear (and I
doubt Oracle has a product plan for selling an
OpenAFS file server solution today; maybe tomorrow
if enough people ask for it?)

Gary

(*) And Oracle has done the same before on the
software side.  Databases were being commoditized,
and Oracle moved up to application solutions.


Re: [OpenAFS] govenen laptop encryption requiements

2007-02-19 Thread Gary Buhrmaster

ted creedon wrote:

> Have openafs users been affected by
> http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf ?


Anyone who is a Fed (or a Fed contractor) has had to deal
with that memo, and address the issues (quite some time
ago, actually).  Primarily, the point is to insure there is
not another VA incident (loss of PII).  If your agency has
to deal with this, there are a number of interesting
interpretations available via your favorite beltway bandit
regarding the actual steps needed to fully comply(*).  I do
not recall that OpenAFS had any special advantages or
disadvantages in addressing the compliance issues for this
memorandum, but your agency compliance officers may have a
different point of view, and are the officials to ask for
definitive answers.

Gary

(*) For those that are not conversant in Fed-speak (and
for those who try to avoid it), Fed memos do not
always say what you think they say.  Common English
interpretations of the words written do not always
result in the correct (in Fed-speak) interpretations.
You often need one of the consultant firms to
provide the guidance as to how they will actually
be interpreted and measured against.

