Hi Chris,

Thanks for sharing! +1 for disabling these services by default. At the same time, we need to add clear instructions so that users can enable these services easily.
Thanks,
--
Jialin Qiao
School of Software, Tsinghua University
乔嘉林 清华大学 软件学院

> -----Original Message-----
> From: "Christofer Dutz" <[email protected]>
> Sent: 2020-04-13 19:27:25 (Monday)
> To: "[email protected]" <[email protected]>
> Cc:
> Subject: Re: Re: About the security issues that mqtt-server is turned on by default
>
> Hi all,
>
> I would strongly suggest not to turn on services like MQTT and HTTP per default.
> The reason is that people will hold the project accountable for potential security issues that might come up.
>
> For example in the Apache Flex project we had a sub-project called BlazeDS. This is a web-connector for Flex applications.
> We had all features open per default and asked users to lock it down as needed.
> Unfortunately we had to implement 3-4 CVE security bugfix releases because of this, and none of them actually affected BlazeDS code, but third party code (mostly XML libraries or Apache Commons deserialization issues).
> When I changed things to being completely locked down but making it simple for users to unlock the parts they need, we didn't have to release a single bugfix release since then.
>
> Chris
>
>
> On 13.04.20, 08:15, "伍 雄" <[email protected]> wrote:
>
> I think mqtt-server should be shut down by default.
> As I think it's hard to guarantee that there are no security issues in the future. Usually users install IoTDB and most of them keep the default configuration; if mqtt-server has security issues in the future, it will affect many devices if it is turned on by default.
> We should use the minimum principle to open the port.
> ________________________________
> From: Dawei Liu <[email protected]>
> Sent: April 13, 2020 3:26
> To: [email protected] <[email protected]>
> Subject: About the security issues that mqtt-server is turned on by default
>
> Hi,
>
> Xiangdong and I had an interesting discussion on github[1].
>
> We reached an agreement that mqtt-server would be turned on by default for the user.
> But I think the security details still need to be discussed.
> Can anyone provide some advice on security?
>
> [1] https://github.com/apache/incubator-iotdb/pull/1033
>
> Thanks
> ---
> Dawei Liu
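As an added illustration of the "locked down by default, easy to unlock" stance argued in this thread (example code added here, not from the thread or the IoTDB project; the `enable_*_service` and `*_host` keys are assumed names, not IoTDB's real configuration keys), a small audit that parses a properties file and reports which optional listeners a given default configuration would expose:

```python
# Added example (not from the thread or the IoTDB project): audit a
# Java-style .properties file for optional network listeners that are
# switched on, so a build can be checked for opt-in defaults. Key names
# are assumptions for illustration, not IoTDB's real configuration keys.

# Optional services: (enable flag key, bind-address key). Constructed names.
OPTIONAL_SERVICES = {
    "mqtt": ("enable_mqtt_service", "mqtt_host"),
    "http": ("enable_http_service", "http_host"),
}
LOOPBACK = ("127.0.0.1", "localhost", "::1")

def parse_properties(text):
    """Minimal key=value parser: skips blank lines and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def exposed_services(text):
    """List every enabled optional listener, tagged 'public' when bound to
    all interfaces or 'local' when bound to loopback; least exposure -> []."""
    props = parse_properties(text)
    findings = []
    for name, (enable_key, host_key) in OPTIONAL_SERVICES.items():
        if props.get(enable_key, "false").lower() != "true":
            continue
        host = props.get(host_key, "0.0.0.0")  # unset host: assume all interfaces
        scope = "local" if host in LOOPBACK else "public"
        findings.append(f"{name}: enabled, {scope} ({host})")
    return findings

# Constructed sample: the "everything on" default the thread argues against...
OPEN_DEFAULTS = """
enable_mqtt_service=true
mqtt_host=0.0.0.0
enable_http_service=true
http_host=127.0.0.1
"""
# ...and the locked-down default, where each service is an explicit opt-in.
LOCKED_DEFAULTS = """
enable_mqtt_service=false
enable_http_service=false
"""
```

Running `exposed_services` over a release's shipped configuration in CI turns the "minimum principle" into a check that fails when a new listener is switched on by default.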
