Does anyone else have a view on the recent change in EGEE policy wrt security patching? I was surprised (to say the least) to find that there was a pakiti server somewhere out in EGEE land that was accumulating host level information about heaven only knows what but at a minimum our kernel versions across our farm. This presumably to be used to make operational decisions about which sites should be cut off from the Grid.
The inevitable outcome has been a dialogue along the lines of "please account for why you are running kernel xxx on host yyy". Am I the only one who finds this very annoying, both in principle (that sites will be expected to justify their host level configuration to third parties) and also how it has been implemented in practice - i.e. I've just discovered that there is a server somewhere out there holding a lot of sensitive information about our patching status.
I don't have any problem in principle with some aspects of this work, but it's a question of how it is done.
What do others think - I plan to mail the GRIDPP PMB today about this but would like to know if I am in a grumpy minority of 1 or if the feeling is more widespread.
I don't have access to the dteam list but understand this hasn't yet been discussed there. Mingchao's email is attached below - I should say that I'm not trying to shoot the messenger here - my issue is the way this has emerged from EGEE.
Regards
Andrew
=====================================================================================
Dear Security Contacts (in Bcc) and Tier2 Coordinators,
Yesterday (23 September 2009) EGEE PMB (Project Management Board) made the
following decision:
Any EGEE site that has not FULLY applied the security patches (CVE-2009-2692
and CVE-2009-2698) by 30 September 2009 will be DISCONNECTED from the EGEE
infrastructure.
In order to assist GridPP PMB to make an informed decision to comply with EGEE
PMB's requirement, could ALL GridPP sites please report to me your current
patching status of ALL your Grid systems? If your site has not been FULLY
patched, please provide me with the following information:
- Full list of un-patched systems;
- Reason for not being patched;
- Any alternative way to patch your system (e.g. to compile your own
kernel/driver);
- The consequence if these un-patched systems were turned off;
- Risk if these un-patched systems were up and running;
ALL sites (including those who reported to me last week) MUST send your
report to me (copy it to your T2 coordinators please) by the end of today
(24 September 2009).
Thanks,
Mingchao