Thanks Hoss,

Ah, I didn't look at the timestamps on those revisions!

Personally, I'd prefer having the default set to false rather than true because people don't always read the entire config file, but if there has been discussion for several years, and it's been decided to leave it enabled in the example solrconfig.xml, I'll go along with it.

However, it might be good to fix the documentation for 4.10 because it contradicts the code. The current documentation 4.10 ref guide says it is "disabled by default" which apparently has not been true for several years. I just put a comment in the current ref guide to this effect.

Tom

On Thu, Dec 11, 2014 at 3:02 PM, Chris Hostetter <hossman_luc...@fucit.org> wrote:

> : In revision 743163 of the Solr 4.10 example solrconfig.xml file
> : enableRemoteStreaming was (accidentally?) changed from "false" to true.
>
> yeah ... that was 5 years ago.
>
> I don't remember specifically if it was an accident at the time, but the
> inclusion in release versions since has been intentional given the
> "example" nature of the file -- which is why SOLR-2397 added a very
> specific warning about it (starting with Solr 3.1) ...
>
>     *** WARNING ***
>     The settings below authorize Solr to fetch remote files, You
>     should make sure your system has some authentication before
>     using enableRemoteStreaming="true"
>
> (i don't have any links to mailing list discussions handy, but i do recall
> it was discussed repeatedly.)
>
> : Should I open a JIRA?
>
> Given SOLR-3619, i think it would probably be a good idea to change this
> to false in the new configset/data_driven_schema_configs &
> configset/basic_configs that we ship -- so yes, please open a jira for
> discussion ... but i don't really think it's a "security hole" or
> something that needs attention in a 4.10.x release.
>
> -Hoss
> http://www.lucidworks.com/
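An added example, not part of the thread and not Solr's own code: a small Python check that reports how `enableRemoteStreaming` is set in a `solrconfig.xml`, so a deployment copied from the example config can be flagged for review. The sample XML is constructed, the function names are hypothetical, and the check deliberately does not assume what Solr does when the attribute is missing.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from any Solr release).
SAMPLE_ENABLED = """<config>
  <requestDispatcher handleSelect="false">
    <requestParsers enableRemoteStreaming="true" multipartUploadLimitInKB="2048000"/>
  </requestDispatcher>
</config>"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace('"true"', '"false"')
SAMPLE_UNSET = "<config><requestDispatcher><requestParsers/></requestDispatcher></config>"


def remote_streaming_state(solrconfig_xml: str) -> str:
    """Classify the enableRemoteStreaming setting in a solrconfig.xml string.

    Returns "enabled", "disabled", "property" (value is a ${...} substitution
    resolved at startup) or "unset" (attribute or element missing; the
    effective value then depends on the Solr version and is not guessed here).
    """
    root = ET.fromstring(solrconfig_xml)
    states = []
    for parsers in root.iter("requestParsers"):
        value = parsers.get("enableRemoteStreaming")
        if value is None:
            states.append("unset")
        elif value.strip().startswith("${"):
            states.append("property")
        elif value.strip().lower() == "true":
            states.append("enabled")
        else:
            states.append("disabled")
    # Report the riskiest state if the element appears more than once.
    for state in ("enabled", "property", "unset", "disabled"):
        if state in states:
            return state
    return "unset"


def audit(configs: dict) -> list:
    """Return the names of configs that need review (anything not "disabled")."""
    return sorted(name for name, xml in configs.items()
                  if remote_streaming_state(xml) != "disabled")


if __name__ == "__main__":
    samples = {"a": SAMPLE_ENABLED, "b": SAMPLE_DISABLED, "c": SAMPLE_UNSET}
    for name, xml in samples.items():
        print(name, remote_streaming_state(xml))
```
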