It's the old security vs accessibility/usability trade-off. For example, the most secure default wouldn't even allow access by other boxes (non localhost) or even by other users on the same box. I tend to lean toward accessibility/usability with the option of making things more secure if needed.
-Yonik
http://heliosearch.org - native code faceting, facet functions, sub-facets, off-heap data

On Thu, Dec 11, 2014 at 3:43 PM, Tom Burton-West <tburt...@umich.edu> wrote:
> Thanks Hoss,
>
> Ah, I didn't look at the timestamps on those revisions!
>
> Personally, I'd prefer having the default set to false rather than true
> because people don't always read the entire config file, but if there has
> been discussion for several years, and it's been decided to leave it enabled
> in the example solrconfig.xml I'll go along with it.
>
> However, it might be good to fix the documentation for 4.10 because it
> contradicts the code.
> The current documentation 4.10 ref guide says it is "disabled by default"
> which apparently has not been true for several years. I just put a comment
> in the current ref guide to this effect.
>
> Tom
>
>
> On Thu, Dec 11, 2014 at 3:02 PM, Chris Hostetter <hossman_luc...@fucit.org>
> wrote:
>>
>>
>> : In revision 743163 of the Solr 4.10 example solrconfig.xml file
>> : enableRemoteStreaming was (accidentally?) changed from "false" to true.
>>
>> yeah ... that was 5 years ago.
>>
>> I don't remember specifically if it was an accident at the time, but the
>> inclusion in release versions since has been intentional given the
>> "example" nature of the file -- which is why SOLR-2397 added a very
>> specific warning about it (starting with Solr 3.1) ...
>>
>>      *** WARNING ***
>>      The settings below authorize Solr to fetch remote files, You
>>      should make sure your system has some authentication before
>>      using enableRemoteStreaming="true"
>>
>> (i don't have any links to mailing list discussions handy, but i do recall
>> it was discussed repeatedly.)
>>
>>
>> : Should I open a JIRA?
>>
>> Given SOLR-3619, i think it would probably be a good idea to change this
>> to false in the new configset/data_driven_schema_configs &
>> configset/basic_configs that we ship -- so yes, please open a jira for
>> discussion ... but i don't really think it's a "security hole" or
>> something that needs attention in a 4.10.x release.
>>
>>
>> -Hoss
>> http://www.lucidworks.com/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
>> For additional commands, e-mail: dev-h...@lucene.apache.org
>>
>
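
Since the thread notes that people do not always read the entire config file, the setting can be checked mechanically. The following is an added example, not part of the thread and not Solr project code: a Python audit that classifies the `enableRemoteStreaming` attribute on `<requestParsers>` in solrconfig.xml text. The sample configs, their file names and the `remote.streaming` property name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not copied from any Solr release).
SAMPLES = {
    "example/solrconfig.xml":
        '<config><requestDispatcher handleSelect="false"><requestParsers '
        'enableRemoteStreaming="true" multipartUploadLimitInKB="2048000"/>'
        '</requestDispatcher></config>',
    "hardened/solrconfig.xml":
        '<config><requestDispatcher><requestParsers '
        'enableRemoteStreaming=" False "/></requestDispatcher></config>',
    "minimal/solrconfig.xml":
        '<config><requestDispatcher/></config>',
    "templated/solrconfig.xml":  # value comes from a property at load time
        '<config><requestDispatcher><requestParsers '
        'enableRemoteStreaming="${remote.streaming:true}"/>'
        '</requestDispatcher></config>',
}

def remote_streaming_state(xml_text):
    """Return enabled / disabled / indirect / unset / unparseable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "unparseable"
    states = set()
    for el in root.iter("requestParsers"):
        value = el.get("enableRemoteStreaming")
        if value is None:
            continue
        value = value.strip()
        if value.startswith("${"):
            states.add("indirect")      # cannot be decided from the file alone
        elif value.lower() == "true":
            states.add("enabled")
        else:
            states.add("disabled")
    # Report the riskiest state found if the element appears more than once.
    for state in ("enabled", "indirect", "disabled"):
        if state in states:
            return state
    return "unset"

def audit(configs):
    return {name: remote_streaming_state(text) for name, text in configs.items()}

def needs_review(configs):
    risky = ("enabled", "indirect", "unparseable")
    return sorted(n for n, s in audit(configs).items() if s in risky)

if __name__ == "__main__":
    for name, state in audit(SAMPLES).items():
        print(f"{state:12} {name}")
```
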