home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Date: Mon, 5 Mar 2001 11:07:43 -0500 (EST) Message-Id: <200103051607.LAA27132@multics.mit.edu> To: release-team@mit.edu, op@mit.edu Cc: pismere@mit.edu From: John Hawkinson <jhawk@MIT.EDU> Hi, As some of you have no doubt seen, it appears that the latest zephyr server deployment has broken WinZephyr. There is strong suspicion (from Greg) that this is because some additional security checks were added to the zephyr servers, and WinZephyr is not sending subscription messages authentically. Garry and Greg have suggested that since WinZephyr is not officially supported, it is appropraite to not back those changes out. I would like to strongly argue against this. There are a reasonable number of WinZephyr users (I don't know how to quantify it) who will be severely inconvenienced by WinZephyr not functioning. Many WinZephyr users are not particularly technically saavy (being Windows users) and relatively ill-equipped to deal with this sort of problem. There is no currently available upgrade path (i.e. WinZephyr release that correctly sends subscription messages authentically). The counterargument seems to be twofold: a) Reverting the code re-introduces a security vulnerability with respect to forging subscriptions. But this vulnerability has been with us for many years, and there are no known exploits, and it seems not too likely that they will pop up, soon. b) Reverting the code will break interrealm zephyr with CMU again. Interrealm zephyr with CMU is a new feature that has already been the cause of much instability in our zephyr environment, and has already been broken for the past few weeks anyhow. I don't think there is any serious dependancy on it, whereas a number of users of Windows environments at MIT (in many cases support staff and faculty as well as students) will be inconvenienced by lack of WinZephyr support. It seems clear to me that reverting the zephyr servers to restore WinZephyr support is the most customer-focussed thing that can be done. I would request that this be thought about and executed expeditiously, if at all possible. It's been broken since Saturday evening and the clock only moves forward. Thanks. --jhawk p.s.: I include release-team as the relevent patches that affect this were checked into the Athena source tree. I'm not sure what would be a better place to raise this (owls?) p.p.s.: I don't use WinZephyr, I'm just trying to act as an advocate.
home | help | back | first | fref | pref | prev | next | nref | lref | last | post |