Michael, First a correction. I am a developer who has contributed work to OpenAFS(R) that I have written and funded work that has been contributed by others. I continue to serve as a Gatekeeper for the OpenAFS project. However, I would not describe myself as "the OpenAFS main developer"; I am one among a dwindling number of active contributors.
I am going to rephrase your questions as follows so I can answer them:
1. Is the OpenAFS project dead?
2. Why is Secure Endpoints(R) no longer distributing
OpenAFS for Windows?
3. Why is Your File System(TM) distributing digitally signed
installers for Microsoft Windows and OSX from its web site?
4. Is AuriStor(TM) a replacement for OpenAFS?
5. Has development of OpenAFS for Windows stopped?
1. Is the OpenAFS project dead?
OpenAFS is an open source project that is supported by the community.
Over the course of the last two years there has been a significant
decrease in the rate of contributions but OpenAFS is still under
development.
https://www.openhub.net/p/openafs/commits/summary
The second OpenAFS 1.6.12 pre-release candidate was released on 3 June
and the release team is very eager to receive feedback from the community.
http://lists.openafs.org/pipermail/openafs-announce/2015/000484.html
The next major stable series of OpenAFS, 1.8.x, continues to be
developed. Code contributors and reviewers are welcome and activity can
be observed at
http://gerrit.openafs.org/
The next AFS and Kerberos Best Practices Workshop will be held in
Pittsburgh PA USA the week of 17 August
http://workshop.openafs.org/afsbpw15/
All are encouraged to attend. Especially those with families who are
looking for some place to take a vacation.
http://workshop.openafs.org/afsbpw15/family.php
2. Why is Secure Endpoints, Inc. no longer distributing OpenAFS for Windows?
Secure Endpoints, Inc. exited the OpenAFS support business at the end of
2014. Secure Endpoints, Inc. continues to sell commercial support for
Heimdal Kerberos. Secure Endpoints is no longer listed as a support
provider on the OpenAFS web site
https://www.openafs.org/support.html
3. Why is Your File System, Inc. distributing digitally signed
installers for Microsoft Windows and OSX from its web site?
OpenAFS.org does not distribute an OSX Yosemite installer and the latest
Mavericks installer is 1.6.6. For Windows the latest installation
package is 1.7.31. It is also worth pointing out that OpenAFS.org is
not distributing RHEL7 rpms but continues to do so for RHEL5 and RHEL6.
At the European AFS and Kerberos Conference at CERN the Gatekeepers
discussed the growing difficulties associated with providing packaging
for OSX and Windows given the increasingly stringent requirements from
OS vendors for digital signatures and more modern "store friendly"
packaging formats. These requirements hit OpenAFS particularly hard
because of the kernel modules (Windows drivers and OSX extensions).
Kernel modules have access to everything on the system and OS vendors
restrict who has the ability to sign them and what commitments vendors
have to agree to in order to maintain that capability. There will be a
talk at the upcoming Pittsburgh Workshop exclusively on this topic.
In late March and April of this year I wrote to this mailing list about
the requirements that have been put in place by Microsoft for the
forthcoming Windows 10 and Server 2016 releases. To summarize, the
requirements are:
. 90 days after Windows 10 RTM all kernel drivers will have to be
signed by Microsoft and not the software vendor. These signatures
will use SHA-2 hashes that are incompatible with most older
Windows platforms.
. Microsoft will only sign drivers that are developed using VS2015
(VC19) tool chain. OpenAFS currently builds with VS2005 (VC14).
. Each release must pass agreed to certification tests. There is
no standard set of certification tests for file systems. Each
vendor must negotiate with Microsoft for an applicable set of
tests.
. For Server 2016 all configuration and command line operation must
be performed using PowerShell Cmdlets or WMI. This is required
because by default Server 2016 will be headless and for the Nano
option there will not even be a command prompt. As a result
aklog.exe, bos.exe, cmdebug.exe, fs.exe, pts.exe, rxdebug.exe,
symlink.exe, tokens.exe, udebug.exe, unlog.exe, vos.exe, etc
must be replaced.
Apple through its OSX developer program has long encouraged vendors to
sign all binaries and command scripts. Starting with Mavericks, Apple
mandated the use of a new packaging format that could also be digitally
signed. An unsigned DMG package forces users to jump through hoops to
install the product. With the release of Yosemite, Apple now requires
that all kernel extensions be signed with an Apple issued certificate
that is exclusively used for kernel extensions. Unsigned kernel
extensions can only be loaded if the OS kernel signature checks are
disabled using a boot argument. Disabling signature checks is not
advised. For the OSX El Capitan release the OS will be locked down even
further.
Your File System, Inc. has all of the necessary contracts in place with
Apple and Microsoft to sign binaries, kernel modules and installation
packages. YFSI has also developed all of the necessary packaging for
its AuriStor File System product line. As a service to its Commercial
Support Customers and the broader end user community YFSI distributes
OpenAFS using its AuriStor packaging and YFSI digital signatures.
These installers, 1.6.11 for OSX and 1.7.3202 for Windows are available from
https://www.your-file-system.com/openafs/client-download
and not from OpenAFS.org for two reasons:
. The digital signatures include the your-file-system.com URL which
matches the https://www.your-file-system.com/ TLS certificate.
As a result the OS can mark the download as trusted providing
that is permitted by local security policy.
. By obtaining the downloads from https://www.your-file-system.com/
it is clear which legal entity is responsible for the distribution.
The AuriStor packaging for Windows bundles the 32-bit and 64-bit
components into one MSI and includes a private Heimdal assembly and
command line tool suite.
4. Is AuriStor a replacement for OpenAFS?
AuriStor is designed to be a general purpose, platform independent,
secure, distributed file system that can be successfully deployed
internally, across the Internet, and within public cloud services.
AuriStor is an IBM AFS(R) and OpenAFS compatible file system that
permits organizations to preserve the /afs file namespace while
migrating to a faster, more scalable, highly secure cross-platform file
system.
https://www.your-file-system.com/openafs/migrate-to-auristor
But, AuriStor is not free and OpenAFS satisfies the needs of
organizations that desire a free solution and do not require:
. the level of security and privacy provided by AuriStor
. IPv6 and Microsoft Direct Access support
. the ability to deploy dozens of DB servers within a cell
. file servers that scale to the full capabilities of the hardware
(all cores, multiple 10gbit NICs, etc)
. larger name spaces (volumes, vnodes, protection ids, quotas, etc)
. OS Vendor certification
- Microsoft certification for Windows 10 and Server 2016
- Red Hat Enterprise Linux
. and more
To be very clear, AuriStor uses its own protocols and does not use
proprietary extensions to the AFS3 protocol suites. OpenAFS can and
will continue to add functionality over time. The choices the OpenAFS
community makes are likely to be different from those that YFSI makes
for AuriStor.
5. Has development of OpenAFS for Windows stopped?
Development of OpenAFS on Windows has not stopped but it has slowed
considerably. From 2007 to 2012 there was significant activity as a
result of the conversion from the SMB Gateway implementation (<= 1.6.x)
to a native Windows IFS Redirector driver (>= 1.7.x). The AFS
Redirector is stable across all of the Windows operating system releases.
YFSI continues to bring OpenAFS to the Microsoft IFS Plug Fests for
testing. It has been many years since a significant issue was uncovered
in the AFS Redirector. Although the AFS Redirector has uncovered many
bugs in drivers from other vendors.
Overall there has not been much to do that has been requested and funded
by support customers. You can view the handful of changes that I'm
working on at the moment at:
http://gerrit.openafs.org/#q,status:open+project:openafs+branch:master+topic:windows-updates,n,z
It is true that the AuriStor client is receiving much more attention.
The AuriStor protocols support enhanced functionality that can take
advantage of further integration with Windows including but not limited
to IPv6, Direct Access, UNC Hardening, Server-to-Server Copy, Cache
Bypass and on-demand token acquisition.
That being said I do not see a viable path at the moment to an OpenAFS
release for Windows 10 and Server 2016. There is simply too much work
that must be completed to obtain certification. The AuriStor Windows
client will be certified and it is compatible with IBM AFS and OpenAFS
servers. One possibility is that YFSI will permit the AuriStor
redirector to be packaged with the OpenAFS userland components. This
would permit an OpenAFS package to be deployed on Windows 10 but not
Server 2016. Whether there is demand for such an option from YFSI's
commercial support customers is yet to be seen.
I hope this response answers your questions.
Jeffrey Altman
On 6/19/2015 6:58 AM, Richter, Michael wrote:
> Hi,
>
>
>
> I noticed that there were no new releases of OpenAFS for Windows since a
> long time. So I started some research and found a info on
> https://www.secure-endpoints.com telling
>
> „2014-10-04: OpenAFS for Windows Release 1.7.32 is now available.“
>
> and
>
> „2015-02-25: OpenAFS client installers are now available
> from Your File System Inc.“
>
>
>
> On yfs I’ve found installers called
> „yfs-openafs-en_US-AMD64-1_7_3202.msi“ for example. Is it a special
> version or what is going on?
>
>
>
> I know that the OpenAFS main developer, J. Altman, is behind
> SecureEndpoints and Your-File-System.com. So I’m wondering – maybe I
> missed some announcement or so. Is OpenAFS development gone down for
> Auristor?
>
>
>
> Mit freundlichen Grüßen
>
> Michael Richter
>
>
>
> --
>
> Michael Richter
>
>
>
> Technische Universität Berlin
>
> Universitätsbibliothek
>
> IT-Service
>
>
>
> Fasanenstraße 88, 10623 Berlin
>
> Telefon: +49 (0)30 314-76310
>
> [email protected]
>
>
>
> www.ub.tu-berlin.de
>
>
>
smime.p7s
Description: S/MIME Cryptographic Signature
