> -----Original Message-----
> From: Andrew Beresford [mailto:[log in to unmask]]
> Sent: 28 November 2005 12:55
> To: Gordon, JC (John)
> Cc: Testbed Support for GridPP member institutes
> Subject: RE: Grid Security Advisory: R-GMA used to bypass
> site firewall controls (fwd)
>
>
> Surely the way Alessandra described is the only sane way of
> managing security fixes.
Perhaps, but I don't think her imposing a solution is the way to go.
>
> The only argument for fixing this with a hand-crafted patch
> is that this is a one-off, and if this security fix *is*
> considered a "one-off" then that speaks volumes about the
> project's approach to security as a whole.
I don't agree. We are running a production grid here and a workaround
implemented by hand in anticipation of the real patch is perfectly
acceptable to keep things running. I see many such workarounds on
security lists for all sorts of products. No-one has said 'this is the
fix' - if they did I would shout too. It is a workaround until the fix is
packaged and tested properly.
John