It doesn't seem that bad, yet I know some people will freak. According to the proposal, it will say this:
WARNING: A command line option has enabled the Security Manager
WARNING: The Security Manager is deprecated and will be removed in a future release

I think the modularization goal is great, and I feel the same way for dev and prod. Is there a ticket for dev and prod modes? I think I could schedule time to do that.

On Sun, Dec 19, 2021 at 3:22 PM David Smiley <dsmi...@apache.org> wrote:

> What is this warning message?
> Regardless, bin/solr could detect that this scenario is going to occur and
> print a message of its own so that users have better context on the
> situation.
>
> In other ways, we are investing in securing Solr. Modularization comes to
> my mind first. And I really wish for a dev vs prod mode to gate better
> defaults but no action there yet :-/.
>
> ~ David Smiley
> Apache Lucene/Solr Search Developer
> http://www.linkedin.com/in/davidwsmiley
>
>
> On Fri, Dec 17, 2021 at 5:22 PM Marcus Eagan <marcusea...@gmail.com>
> wrote:
>
>> Hi,
>>
>> As a part of the Log4j madness we all have dealt with, I learned of
>> JEP-411 (https://openjdk.java.net/jeps/411). There is a wish to deprecate
>> the Security Manager in Java 17 for eventual removal. I feel it is likely
>> to land. As a result, I think we should start to think about what it means
>> to run SOLR without the option of a Security Manager for SOLR 10 (or
>> whatever the next major version will be named). I know that people can turn
>> it off today if they wish to do so.
>>
>> Is it premature to have this discussion?
>>
>> I suggest it is not too early because there is a proposed warning message
>> on startup of an application with Security Manager. The message alone could
>> cause problems for some organizations using SOLR and lead them to abandon
>> the project. Instead, there would need to be a multi-person effort to
>> ensure that other countermeasures are sufficient and/or added to protect
>> SOLR users from more pernicious and pervasive threats in today's world and
>> the future. Enabling the Security Manager by default in SOLR was a good
>> future-proofing measure for today's reality.
>>
>> Thank you all for your contributions,
>>
>> --
>> Marcus Eagan
>>

--
Marcus Eagan