Paul Kyberd wrote:
> The first should be written into the LCG operating procedures
> "No critical test should depend on a known security vulnerability.
> Any such test should be removed from the list of critical tests as soon as
> possible."
I agree.
It would mean that I cannot be penalised as a site admin for taking my
site down because of security weaknesses in the software, and it would raise
the visibility of security issues to project management -- which would
hopefully result in security bug fixes being given a greater level of
priority than they are right now.
(Note that this, coupled with the "any user can run arbitrary code on
the CE with jobmanager-fork" bug, would make job execution a
non-critical test.)
Cheers,
David
--
David McBride
Department of Computing, Imperial College, London