Hey, On Thu, Jan 05, 2012 at 07:42:54PM +0100, Moritz Mühlenhoff wrote: > > Even so, Munge appears to require distributing auth tokens, keys or > > whatever before a munge-enabled cluster is operational, so this is quite a > > change for a DSA, not to mention the version bump if we went that route. > > I agree, that's too much impact. I've marked it as no-dsa in the security > tracker. > > This likely has no impact in reality anyway; anyone running a computation > cluster will keep it w/o untrusted users anyway.
Agreed. > Will you be updating to a MUNGE-enabled version of Torque before Wheezy? We should upgrade to the latest 2.5 release, however there's a note from Dominique stating there was a license change in 2.5.x so I'm not sure we we're at. The only significant change I can see in the licence is: -----8<-----8<------8<----- This license will be governed by the laws of Utah, without reference to its choice of law rules. -----8<-----8<------8<----- which swaps Virginia with Utah. If the licence was ok for main in the past, it should be ok for main now. If we are allowed to, I think we should move to Torque 2.5, and see what we want to do about 3.0. If/when we do that, I'll add CVE refs to the changelog. Jordi -- Jordi Mallach Pérez -- Debian developer http://www.debian.org/ jo...@sindominio.net jo...@debian.org http://www.sindominio.net/ GnuPG public key information available at http://oskuro.net/ -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
