It's the old security vs accessibility/usability trade-off.  For
example, the most secure default wouldn't even allow access by other
boxes (non localhost) or even by other users on the same box.  I tend
to lean toward accessibility/usability with the option of making
things more secure if needed.

-Yonik
http://heliosearch.org - native code faceting, facet functions,
sub-facets, off-heap data


On Thu, Dec 11, 2014 at 3:43 PM, Tom Burton-West <tburt...@umich.edu> wrote:
> Thanks Hoss,
>
> Ah, I didn't look at the timestamps on those revisions!
>
> Personally, I'd prefer having the default set to false rather than true
> because people don't always read the entire config file, but if there has
> been discussion for several years, and it's been decided to leave it enabled
> in the example solrconfig.xml, I'll go along with it.
>
> However, it might be good to fix the documentation for 4.10  because it
> contradicts the code.
> The current documentation 4.10 ref guide says it is "disabled by default"
> which apparently has not been true for several years.  I just put a comment
> in the current ref guide to this effect.
>
> Tom
>
>
> On Thu, Dec 11, 2014 at 3:02 PM, Chris Hostetter <hossman_luc...@fucit.org>
> wrote:
>>
>>
>> : In revision   743163 of  the Solr 4.10  example solrconfig.xml file
>> : enableRemoteStreaming was (accidentally?)  changed from "false" to true.
>>
>> yeah ... that was 5 years ago.
>>
>> I don't remember specifically if it was an accident at the time, but the
>> inclusion in release versions since has been intentional given the
>> "example" nature of the file -- which is why SOLR-2397 added a very
>> specific warning about it (starting with Solr 3.1) ...
>>
>>          *** WARNING ***
>>          The settings below authorize Solr to fetch remote files, You
>>          should make sure your system has some authentication before
>>          using enableRemoteStreaming="true"
>>
>> (i don't have any links to mailing list discussions handy, but i do recall
>> it was discussed repeatedly.)
>>
>>
>> : Should I open a JIRA?
>>
>> Given SOLR-3619, i think it would probably be a good idea to change this
>> to false in the new configset/data_driven_schema_configs &
>> configset/basic_configs that we ship -- so yes, please open a jira for
>> discussion ... but i don't really think it's a "security hole" or
>> something that needs attention in a 4.10.x release.
>>
>>
>> -Hoss
>> http://www.lucidworks.com/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
>> For additional commands, e-mail: dev-h...@lucene.apache.org
>>
>
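
An added example, not part of the original thread and not Solr's own code: because people don't always read the entire config file, this Python check reports what `enableRemoteStreaming` is actually set to in a given solrconfig.xml. The XML samples are constructed, the script assumes the attribute sits on the `requestParsers` element as in Solr's example config, and the `remote.streaming` property name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed solrconfig.xml fragments (not copied from any Solr release).
EXAMPLE_STYLE = """<config>
  <requestDispatcher handleSelect="false">
    <requestParsers enableRemoteStreaming="true"
                    multipartUploadLimitInKB="2048000"/>
  </requestDispatcher>
</config>"""
HARDENED = EXAMPLE_STYLE.replace('Streaming="true"', 'Streaming="false"')
NOT_SET = EXAMPLE_STYLE.replace(' enableRemoteStreaming="true"', "")
# Hypothetical property name; ${name:default} is resolved by Solr at load time.
PROPERTY = EXAMPLE_STYLE.replace('"true"', '"${remote.streaming:false}"')


def remote_streaming_status(solrconfig_xml):
    """Return 'enabled', 'disabled', 'unset' or 'review' for one config."""
    root = ET.fromstring(solrconfig_xml)
    values = [el.get("enableRemoteStreaming")
              for el in root.iter("requestParsers")]
    values = [v.strip().lower() for v in values if v is not None]
    if not values:
        # Attribute absent: the effective value is whatever this Solr
        # version defaults to, so report it separately instead of guessing.
        return "unset"
    seen = set()
    for v in values:
        if v == "true":
            seen.add("enabled")
        elif v == "false":
            seen.add("disabled")
        else:
            # Property substitution or an unexpected value: needs a human.
            seen.add("review")
    # The most permissive finding wins when several elements disagree.
    return next(s for s in ("enabled", "review", "disabled") if s in seen)


def audit(configs):
    """Map name -> status for every config not explicitly disabled."""
    return {name: status for name, xml in configs.items()
            if (status := remote_streaming_status(xml)) != "disabled"}


if __name__ == "__main__":
    samples = {"example": EXAMPLE_STYLE, "hardened": HARDENED,
               "not_set": NOT_SET, "property": PROPERTY}
    for name, status in audit(samples).items():
        print(f"{name}: enableRemoteStreaming is {status}")
```
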
