[Gt-eos] New globus-gssapi-gsi version default to TLSv1.2

Maarten Litmaath Maarten.Litmaath at cern.ch
Thu Oct 11 12:40:05 CEST 2018


Hi Mattias, all,
thanks for the detailed reply!  I agree it would be better to have more feedback
and this time we should ensure the push to stable happens on a Monday or a
Tuesday rather than later in the week.

Is it not possible to single out globus-gssapi-gsi-14.7-2 and push it earlier?

The JGlobus project essentially is dead, AFAIK.

________________________________________
From: Mattias Ellert [mattias.ellert at physics.uu.se]
Sent: 11 October 2018 09:42
To: Maarten Litmaath; bbockelm at cse.unl.edu; End of Support of Globus Toolkit
Cc: Mischa Sallé; wlcg-middleware-officer (Group of people with WLCG MW Officer function)
Subject: Re: [Gt-eos] New globus-gssapi-gsi version default to TLSv1.2

ons 2018-10-10 klockan 19:52 +0000 skrev Maarten Litmaath:
> Hi all,
> Burt provided us with a patched JGlobus and the BeStMan SRM instances
> on EOS at CERN are fine since a week.  However, we found quite a number
> of other services that do not work with TLS v1.2, presumably due to running
> on old versions of Java and/or Globus.  We have prepared a text to be used
> in a broadcast across WLCG:
>
> https://twiki.cern.ch/twiki/bin/view/LCG/WLCGOpsMinutes181011#Important_notice_concerning_the
>
> Is anything preventing globus-gssapi-gsi-14.7-2 from being pushed to stable?

The 14 days needed to push to EPEL stable have passed, so formally
there is nothing that prevents it from being pushed.

The update is quite big in terms of number of packages. This update is
switching the source of the packages from the old globus toolkit
upstream to the new grid community toolkit (GCT). It therefore updates
every globus package.

In terms of actual code changes the changes are small. Most of the code
changes in GCT with respect to the old upstream correspond to changes
that were already applied as patches in the build of the packages based
on the old upstream.

Because of the many packages updated, I was hoping for some positive
feedback before pushing it to stable. I am aware that most people tend
to not report the absence of problems. So it is always tricky to know
if no feedback mean "it was tested an no problems were found" or "it
was not tested".

I have received one positive karma each on the EPEL6 and EPEl7 updates
from Andrea Manzi. Which is more than these updates usually get.
I was hoping for some more positive feedback. The last update did spend
the 14 days in EPEL testing and I then pushed it to stable, and the day
after problems were reported. So I was trying to not get a repeat of
that by waiting a bit longer.

Regarding JGlobus - are the changes pushed upstream to
https://github.com/jglobus/JGlobus/ ? Though the upstream is not very
active, and the last release was 4 years ago...

        Mattias

> ________________________________________
> From: Maarten Litmaath
> Sent: 25 September 2018 19:52
> To: bbockelm at cse.unl.edu; End of Support of Globus Toolkit
> Cc: Mattias Ellert; Mischa Sallé; wlcg-middleware-officer (Group of people with WLCG MW Officer function)
> Subject: Re: [Gt-eos] New globus-gssapi-gsi version default to TLSv1.2
>
> Hi Brian,
>
> > I've contacted all the OSG sites that Andrea pointed out as still
> > running bestman2.  They are all acutely aware that they need to
> > retire the service.  All three are working on the subject and, I
> > suspect, will have retired them in a month or two.
>
> Good!
>
> > For CERN's instance - please contact FNAL.  I think they may have
> > some custom patches that enables TLS v1.2 in order to pass the DOE
> > scans.  I don't have the technical details, but I believe Burt
> > Holzman might.
>
> We will follow up with FNAL, thanks!




More information about the Gt-eos mailing list