Comments (7)
I don't think this is really that difficult.
There are only two ways to fix this (that make sense):
1. fix -dcpriv so transfers fail if they are not encrypted.
2. make -dcpriv a no-op. Document that it does nothing and it only remains for backwards compatibility. Introduce a new option that enforces encryption.
The decision between 1. and 2. is choosing whether it is better to fail people who rely on -dcpriv not working correctly (who include it by mistake), or fail people who rely on -dcpriv working correctly (who didn't change the option).
Put another way, choosing option 1. will (possibly) result in failed transfers that should succeed; choosing option 2. will (possibly) result in successful transfers that should have failed.
From a security point-of-view, only 1. makes sense, because 2. opens a fresh security problem: people who didn't update to the new option.
from gct.
@onnozweers IIRC, you are the main (sole?) contributor to this chapter, so thanks for helping document this problem!
We now have a new document that is targeted at dCache users (rather than admins). The REST API is fairly well documented, but the rest largely contains only place-holder information. One chapter is on FTP (in general), so I think this would be a natural place to document this problem.
I've created an issue (dCache/dcache#5039) to track this, to make sure it doesn't get forgotten.
from gct.
Hi Onno,
the short answer is yes, since the gct version of globus-url-copy is currently fully backwards compatible with the globus-toolkit 6.0 version. We had a long discussion about the issue in the spring but there is no easy way to fix it in ways that will not unexpectedly break things, and furthermore, would require simultaneous changes in multiple clients (also uberftp for example) and servers. That's basically where the discussion stalled... Perhaps others (such as Paul) have a good idea on how to go forward.
from gct.
Hi msalle, nice to meet you here! :-)
I'm very curious why it is so difficult to fix this. I would think, it's better to break some things than to secretly expose private data. But perhaps I'm overlooking some complications that make it more difficult than such a simple choice.
I'd like to add to the discussion that since this issue was first reported, the GDPR has become effective. So perhaps with this bug, people might be (unknowingly) violating the GDPR. But I'm not a law expert.
Kind regards,
Onno
from gct.
Nothing seems to happen. 😭
Could this have a higher urgency please?
from gct.
@onnozweers @paulmillar
As per #100 a warning was added to the guc manpage about this problem. I'd recommend to add something similar to the dCache documentation for the time being.
from gct.
Hi @fscheiner, thanks for doing something! 😺
There is a whole chapter about transport security in the dCache documentation: https://github.com/dCache/dcache/blob/master/docs/TheBook/src/main/markdown/cookbook-transport-security.md
This bug is mentioned in the first paragraph.
from gct.