Bug#693722: [Pkg-gridengine-devel] Bug#693722: gridengine: use recent version and updated packaging

2012-11-28 Thread Dave Love
Michael Banck <mba...@debian.org> writes:

> Hi Dave,
>
> we are currently at a squeeze bug-squashing-party, so I took a look.
>
> On Sun, Nov 18, 2012 at 11:02:49PM +, Dave Love wrote:
> > I've worked on packaging for SGE to address problems with the current
> > version and to support (pre-release) SGE 8.1.3, though it will work with
> > the 8.1.2 with minor changes.  The sge source
> > https://arc.liv.ac.uk/trac/SGE/browser/sge now has simple packaging
> > for installing into /opt/sge, but this is different.
>
> Do you prefer to change the source package name from gridengine to
> sge, or would keeping gridengine be fine?

I don't care.  I kept gridengine for the RPM package, following the
old Fedora one, but that might have a mistake.  The debian files in the
base version (installing into /opt) use sge to try to avoid confusion,
and I don't see any particular reason to change your packaging.

> It would be great if we could have a minimal changeset for the testing
> version to apply.

You can cherry pick as you like, but I don't know what you'd consider
minimal, and I'm afraid I don't have time to spend on an old version.  I
can probably identify patches from the repo corresponding to NEWS items
if they're difficult to find.

> > I've tagged this security as this version:
> > * allows installing in CSP mode;
>
> Is that a big change?

If you mean in code, it involves shipping all the relevant files.  I
don't know why they're not included.  It's an important change to
include them IMNSHO.

> > * changes the default configuration to avoid remote root without CSP,
> >   assuming a separate qmaster
> >   http://arc.liv.ac.uk/SGE/howto/sge-security.html;
>
> Is that something which could be backpatched easily to the version in
> testing?

There must be some misunderstanding.  It's trivial -- compare the two
configuration files.  Is the web page above not clear enough?

> > * fixes problems with sgepasswd (now included) which weren't addressed by
> >   6.2u5-7.1 changes;
>
> As sgepasswd is not yet included, this one appears not to apply.

It is in my version, but see my comments on the bug tracker on the
6.2u5-7.1 change.

> > * avoids the remote startup part of the CVE that the bogus 6.2u5-7.1
> >   change didn't get right.
>
> Can you elaborate on that and/or provide the patch/changeset needed to
> fix this up?

I wouldn't bother.  My environment sanitization (that the security
people seem to have rejected in favour of an incomplete one) is as
secure as sudo's, and it's irrelevant without at least a uidmin change
to avoid an easy remote root.  Using builtin startup avoids the issue
too, but is more important for getting tight integration.  For the
change to avoid passing the user environment, you could search for CVE
in the changesets under https://arc.liv.ac.uk/trac/SGE/.

There's a bunch of more-or-less important stuff in the version 8 code
apart from buffer overflows and other daemon crashes -- see NEWS.

I don't know if any of that helps...


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
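The environment sanitization Dave refers to above (kept "as secure as sudo's", and used so that the submitting user's environment is not handed to the remote job startup) is an allowlist of the kind sketched below. This is an added example written in C for this page; it is not SGE's code, Dave's patch, or sudo's implementation. The allowlist contents, the fixed PATH, the function names `env_allowed`, `sanitize_env` and `env_lookup`, and the sample environment in `main` are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Variable names that survive sanitization.  This follows the spirit of
 * sudo's env_reset default set; the exact list is an assumption made for
 * this example, not the list SGE uses. */
static const char *const keep_names[] = {
    "HOME", "LOGNAME", "USER", "SHELL", "TERM", "LANG", "LC_ALL", NULL
};

/* PATH is never taken from the caller: a fixed, root-owned search path is
 * substituted, so a job cannot be started with a caller-chosen PATH. */
static const char secure_path[] = "PATH=/usr/local/bin:/usr/bin:/bin";

/* Return 1 if the NAME=VALUE entry `var` may be passed on, otherwise 0. */
int env_allowed(const char *var)
{
    const char *eq = strchr(var, '=');
    if (eq == NULL || eq == var)
        return 0;                       /* malformed entry: drop it */
    size_t name_len = (size_t)(eq - var);

    /* A value beginning with "()" is an exported shell function.  sudo
     * refuses these even for an allowlisted name, and so does this code. */
    if (strncmp(eq + 1, "()", 2) == 0)
        return 0;

    for (size_t i = 0; keep_names[i] != NULL; i++)
        if (strlen(keep_names[i]) == name_len &&
            strncmp(keep_names[i], var, name_len) == 0)
            return 1;
    return 0;                           /* LD_*, IFS, PATH, ... all land here */
}

/* Copy the allowed entries of `envp` into `out` (which must hold at least
 * `max` pointers, `max` >= 2), append the fixed PATH, NULL-terminate, and
 * return the number of entries written.  Entries point into `envp`; nothing
 * is allocated, so the result can be handed to execve() as-is. */
size_t sanitize_env(const char *const envp[], const char *out[], size_t max)
{
    size_t n = 0;
    /* n + 2 <= max keeps room for the PATH entry and the terminating NULL. */
    for (size_t i = 0; envp[i] != NULL && n + 2 < max; i++)
        if (env_allowed(envp[i]))
            out[n++] = envp[i];
    out[n++] = secure_path;
    out[n] = NULL;
    return n;
}

/* Look `name` up in a NULL-terminated environment; return its value or NULL. */
const char *env_lookup(const char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

int main(void)
{
    /* Constructed sample environment: what a hostile submit host might send. */
    const char *envp[] = {
        "HOME=/home/alice",
        "LD_PRELOAD=/tmp/evil.so",      /* dropped: not allowlisted */
        "PATH=/tmp:/bin",               /* dropped: PATH is always replaced */
        "USER=alice",
        "IFS= ",                        /* dropped: not allowlisted */
        "TERM=() { :; }; id",           /* dropped: exported shell function */
        NULL
    };
    const char *clean[8];
    size_t n = sanitize_env(envp, clean, 8);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", clean[i]);
    return 0;
}
```

The point of the allowlist (as opposed to a denylist of known-bad names such as LD_PRELOAD) is that a variable the sanitizer has never heard of is dropped by default; that is what makes the approach comparable to sudo's env_reset rather than to an incomplete filter.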



Bug#693722: [Pkg-gridengine-devel] Bug#693722: gridengine: use recent version and updated packaging

2012-11-24 Thread Michael Banck
Hi Dave,

we are currently at a squeeze bug-squashing-party, so I took a look.

On Sun, Nov 18, 2012 at 11:02:49PM +, Dave Love wrote:
> I've worked on packaging for SGE to address problems with the current
> version and to support (pre-release) SGE 8.1.3, though it will work with
> the 8.1.2 with minor changes.  The sge source
> https://arc.liv.ac.uk/trac/SGE/browser/sge now has simple packaging
> for installing into /opt/sge, but this is different.

Do you prefer to change the source package name from gridengine to
sge, or would keeping gridengine be fine?

It would be great if we could have a minimal changeset for the testing
version to apply.

> I've tagged this security as this version:
> * allows installing in CSP mode;

Is that a big change?

> * changes the default configuration to avoid remote root without CSP,
>   assuming a separate qmaster
>   http://arc.liv.ac.uk/SGE/howto/sge-security.html;

Is that something which could be backpatched easily to the version in
testing?

> * fixes problems with sgepasswd (now included) which weren't addressed by
>   6.2u5-7.1 changes;

As sgepasswd is not yet included, this one appears not to apply.

> * avoids the remote startup part of the CVE that the bogus 6.2u5-7.1
>   change didn't get right.

Can you elaborate on that and/or provide the patch/changeset needed to
fix this up?


Best regards,

Michael

