Hi all,

I would strongly suggest not turning on services like MQTT and HTTP by 
default. 
The reason is that people will hold the project accountable for potential 
security issues that might come up. 

For example in the Apache Flex project we had a sub-project called BlazeDS. 
This is a web-connector for Flex applications.
We had all features open by default and asked users to lock it down as needed. 
Unfortunately we had to implement 3-4 CVE security bugfix releases because of 
this, and none of them actually affected BlazeDS code, but third-party code 
(mostly XML libraries or Apache Commons deserialization issues).
Since I changed things to be completely locked down while making it simple for 
users to unlock the parts they need, we haven't had to release a single bugfix 
release.

Chris



On 13.04.20, 08:15, "伍 雄" <[email protected]> wrote:

    
    I think mqtt-server should be shut down by default.
    As I think it's hard to guarantee that there are no security issues in the 
future.  Usually users install IoTDB,
    most of them with the default configuration; if mqtt-server has security issues in 
the future, it will affect many devices if turned on by default.   We 
should use the minimum principle to open the port.
    ________________________________
    From: Dawei Liu <[email protected]>
    Sent: April 13, 2020 3:26
    To: [email protected] <[email protected]>
    Subject: About the security issues that mqtt-server is turned on by default
    
    
    
    Hi,
    
    
    Xiangdong and I had an interesting discussion on github[1].
    
    
    We reached an agreement that mqtt-server would be turned on by default for 
the user.
    
    
    But I think the security details still need to be discussed.
    
    
    Can anyone provide some advice on security?
    
    [1] https://github.com/apache/incubator-iotdb/pull/1033
    
    Thanks
    ---
    Dawei Liu
    
    
    
