CernVM / CVM-992

blacklist does not block mount when repo is in the cache

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: CernVM-FS 2.2.0
    • Fix Version/s: CernVM-FS 2.4
    • Component/s: CVMFS
    • Labels:
      None
    • Platforms:
      x86_64-slc6-gcc48-opt

      Description

      When a certificate fingerprint is added to a blacklist, either in /etc/cvmfs or in a config repo, it does not block mounting of the repository if that repository's current catalog is already in the cache. The regression test does a wipecache; that works. It seems to me that in a situation where a repository's key is compromised and needs to be blocked, we would want to block all mounts including the current version, because it may not be noticed until after something bad is published. Perhaps the thing to do is to immediately create a new repository key and publish a new revision, but that might take some time.

              People

              • Assignee:
                dwd Dave Dykstra
                Reporter:
                dwd Dave Dykstra