Bug#693722: [Pkg-gridengine-devel] Bug#693722: gridengine: use recent version and updated packaging

2012-11-28 Thread Dave Love
Michael Banck  writes:

> Hi Dave,
>
> we are currently at a squeeze bug-squashing-party, so I took a look.
>
> On Sun, Nov 18, 2012 at 11:02:49PM +, Dave Love wrote:
>> I've worked on packaging for SGE to address problems with the current
>> version and to support (pre-release) SGE 8.1.3, though it will work with
>> the 8.1.2 with minor changes.  The sge source
>>  now has simple packaging
>> for installing into /opt/sge, but this is different.
>
> Do you prefer to change the source package name from "gridengine" to
> "sge", or would keeping "gridengine" be fine?

I don't care.  I kept "gridengine" for the RPM package, following the
old Fedora one, but that might have a mistake.  The debian files in the
base version (installing into /opt) use "sge" to try to avoid confusion,
and I don't see any particular reason to change your packaging.

> It would be great if we could have a minimal changeset for the testing
> version to apply.

You can cherry pick as you like, but I don't know what you'd consider
minimal, and I'm afraid I don't have time to spend on an old version.  I
can probably identify patches from the repo corresponding to NEWS items
if they're difficult to find...

>> I've tagged this security as this version:
>> * allows installing in CSP mode;
>
> Is that a big change?

If you mean in code, it involves shipping all the relevant files.  I
don't know why they're not included.  It's an important change to
include them IMNSHO.

>> * changes the default configuration to avoid remote root without CSP,
>>   assuming a separate qmaster 
>> ;
>
> Is that something which could be backpatched easily to the version in
> testing?

There must be some misunderstanding.  It's trivial -- compare the two
configuration files.  Is the web page above not clear enough?

>> * fixes problems with sgepasswd (now included) which weren't addressed by
>>   6.2u5-7.1 changes;
>
> As sgepasswd is not yet included, this one appears not to apply.

It is in my version, but see my comments on the bug tracker on the
6.2u5-7.1 change.

>> * avoids the remote startup part of the CVE that the bogus 6.2u5-7.1
>>   change didn't get right.
>
> Can you elaborate on that and/or provide the patch/changeset needed to
> fix this up?

I wouldn't bother.  My environment sanitization (that the security
people seem to have rejected in favour of an incomplete one) is as
secure as sudo's, and it's irrelevant without at least a uidmin change
to avoid an easy remote root.  Using builtin startup avoids the issue
too, but is more important for getting tight integration.  For the
change to avoid passing the user environment, you could search for "CVE"
in the changesets under https://arc.liv.ac.uk/trac/SGE/.

There's a bunch of more-or-less important stuff in the version 8 code
apart from buffer overflows and other daemon crashes -- see NEWS.

I don't know if any of that helps...


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
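The two defences the reply above relies on, an environment sanitization that only forwards an allow-list of variables and a minimum-uid check so that a remotely started job can never run as root or a system account, are sketched below as an added example. This is not code from SGE, sudo or the Debian packaging; the allow-list, the fixed PATH, the constructed sample environment and the MIN_JOB_UID value (standing in for the "uidmin" setting the message mentions) are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not SGE's or sudo's code. Values below are constructed. */
#define SAFE_PATH   "PATH=/usr/bin:/bin"   /* assumed fixed PATH for jobs */
#define MIN_JOB_UID 100u                   /* assumed minimum job uid ("uidmin") */

/* Allow-list of variables a submitting client may forward to the job. */
static const char *const allowed_vars[] = {
    "HOME", "USER", "LOGNAME", "TZ", "LANG", NULL
};

/* Portable strdup replacement so the example needs no feature macros. */
static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL) memcpy(copy, s, len);
    return copy;
}

/* A value is acceptable only if it carries no control characters, so a
 * forwarded variable cannot smuggle newlines into logs or generated scripts. */
static int value_is_clean(const char *value)
{
    for (; *value; value++)
        if ((unsigned char)*value < 0x20 || *value == 0x7f)
            return 0;
    return 1;
}

/* Returns 1 if "NAME=value" names an allow-listed variable with a clean value. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t namelen = (size_t)(eq - entry);
    for (size_t i = 0; allowed_vars[i] != NULL; i++)
        if (strlen(allowed_vars[i]) == namelen &&
            strncmp(allowed_vars[i], entry, namelen) == 0)
            return value_is_clean(eq + 1);
    return 0;
}

/* Builds a NULL-terminated environment holding only allow-listed entries from
 * `in` plus a fixed PATH (any client-supplied PATH is dropped, because it is
 * never on the allow-list). Returns a heap array; release it with free_env(). */
char **sanitize_env(char *const *in, size_t *count_out)
{
    size_t n = 0;
    while (in[n] != NULL) n++;
    char **out = calloc(n + 2, sizeof *out);   /* room for PATH and NULL */
    if (out == NULL) return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (env_entry_allowed(in[i]))
            out[k++] = dup_str(in[i]);
    out[k++] = dup_str(SAFE_PATH);
    out[k] = NULL;
    if (count_out != NULL) *count_out = k;
    return out;
}

void free_env(char **env)
{
    if (env == NULL) return;
    for (size_t i = 0; env[i] != NULL; i++) free(env[i]);
    free(env);
}

/* Returns 1 if `env` contains an entry beginning with `prefix` (e.g. "PATH="). */
int env_has_prefix(char *const *env, const char *prefix)
{
    size_t plen = strlen(prefix);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], prefix, plen) == 0) return 1;
    return 0;
}

/* The uid check: a job may never start as root, nor as any account below the
 * configured minimum (system accounts), whatever the client asked for. */
int job_uid_permitted(uid_t uid, uid_t min_uid)
{
    return uid != 0 && uid >= min_uid;
}

int main(void)
{
    /* Constructed sample environment as a submitting client might send it. */
    char *const submitted[] = {
        "HOME=/home/alice", "USER=alice", "PATH=/tmp:/usr/bin",
        "LD_PRELOAD=/tmp/untrusted.so", "TZ=UTC\nINJECTED=1", NULL
    };
    size_t n = 0;
    char **clean = sanitize_env(submitted, &n);
    for (size_t i = 0; clean[i] != NULL; i++) printf("%s\n", clean[i]);
    printf("uid 0 permitted: %d, uid 1000 permitted: %d\n",
           job_uid_permitted(0, MIN_JOB_UID), job_uid_permitted(1000, MIN_JOB_UID));
    free_env(clean);
    return 0;
}
```

The sanitizer is deliberately an allow-list rather than a deny-list: dropping only known-dangerous names (LD_PRELOAD, IFS and the like) leaves every loader or shell variable added later unfiltered, whereas forwarding only named variables with control-character-free values fails closed. The uid check is the part the reply calls essential: without it, a sanitized environment still does nothing to stop a job being started under uid 0.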



Bug#693722: [Pkg-gridengine-devel] Bug#693722: gridengine: use recent version and updated packaging

2012-11-24 Thread Michael Banck
Hi Dave,

we are currently at a squeeze bug-squashing-party, so I took a look.

On Sun, Nov 18, 2012 at 11:02:49PM +, Dave Love wrote:
> I've worked on packaging for SGE to address problems with the current
> version and to support (pre-release) SGE 8.1.3, though it will work with
> the 8.1.2 with minor changes.  The sge source
>  now has simple packaging
> for installing into /opt/sge, but this is different.

Do you prefer to change the source package name from "gridengine" to
"sge", or would keeping "gridengine" be fine?

It would be great if we could have a minimal changeset for the testing
version to apply.
 
> I've tagged this security as this version:
> * allows installing in CSP mode;

Is that a big change?

> * changes the default configuration to avoid remote root without CSP,
>   assuming a separate qmaster 
> ;

Is that something which could be backpatched easily to the version in
testing?

> * fixes problems with sgepasswd (now included) which weren't addressed by
>   6.2u5-7.1 changes;

As sgepasswd is not yet included, this one appears not to apply.

> * avoids the remote startup part of the CVE that the bogus 6.2u5-7.1
>   change didn't get right.

Can you elaborate on that and/or provide the patch/changeset needed to
fix this up?


Best regards,

Michael
